identity management: what solution is right for you?
DESCRIPTION
In April, C/D/H presented on identity management, specifically comparing Microsoft, Novell, Courion, Oracle/Sun, and IBM. Download the slide deck for an overview of the solutions and their strengths and weaknesses. You'll also find out more about out-of-the-box vs. add-on functionality, integration capabilities, and rough cost comparisons. And last but not least, the factors in determining the solution that's right for you.TRANSCRIPT
C D H
C D H Identity Management
April 21, 2010
C D H Quick Facts
About Us • 20th Year
• Grand Rapids & Royal Oak
• 25 Staff
Approach • Vendor Agnostic
• Non-reseller
• Professional Services Only
Partnerships
• Microsoft Gold
• VMware Enterprise
• Cisco Premier
• Novell Platinum
• Citrix Silver
C D H
Infrastructure
Access & Identity Management
Expertise
Project Management
Collaboration
3
P
I
C
A
C D H Overview
• Specific focus on enterprise identity
management
– SMB session to be offered later
• Discussion about what identity
management is and what it involves
• Project Approach and Planning
• Market Capabilities and Trends
• Vendor Comparisons and Overviews
C D H What is Identity Management?
• User account creation, management, and
cleanup
• Attribute synchronization
• Password synchronization
• Password self-service
• Delegated Management
• Role Management
• Single Sign On
• Privileged User Management…..
C D H What Identity Management Is Not
• Not a replacement for application/system
management tools (though it can minimize
the need to use them)
• Not a primary security enforcement tool
(though it can help)
• Not simple
• Not cheap
• Not able to solve world hunger
C D H Approaches
• Rule based account sync
– Very common first initiative
– Actions based on established rules
• Roles based provisioning
– Role mining/analysis
– Enterprise role modeling
• Workflow system
– Electronic forms and processes
– Doesn’t require systems to be connected
C D H Balanced Approach
C D H Services Infrastructure
C D H Initial Approach
• Get management buy in
• Analyze systems, applications, and
processes across business units
• Determine the pain points
• Determine the points of greatest risk
• Determine compliance requirements
• Determine desired process improvements
• Review current skill sets
C D H Vendor Selection
• Determine most suitable vendors
– Previous analysis as basis
– License agreements/Pricing
– Granular yet scalable
• Demo/POC environment
– Get the vendors/partners (wink-wink) to help
– Most can be completely virtual
C D H Vendor Selection Continued
• Exercise/test/play
– Feed it samples of current data
– Build representative roles
– Involve other business units
• Helpdesk, HR, others
• Workflow interaction
• Role management and assignment
C D H Common Mistakes
• Taking on too much at once
– Important to take it slow at first
• Failure to get upper management buy-in
– Business processes will change
• Scope creep
– “Let’s add this one simple application”
• Allowing requirements to go unchecked
– Contributes to complexity and scope creep
• Not taking the exceptions into account
C D H More Common Mistakes
• Not changing business processes
– Too many implementations just automate bad
processes
– Use the opportunity to revise processes
• Expectation of immediate ROI
– Initially many processes may be duplicated for
a time
• Failure to establish full testing plans
– Automated testing preferred
C D H More Common Mistakes
• Using the existing NOS directory as the
central ID repository
– AD/eDir is a file, print, and workstation
management directory
– It should be treated like all other connected
apps/systems
• Collapsing too much to a single directory
– Allow apps to have their own directory
– IDM allows easy management of separate
directories
C D H
C D H Market
C D H Market Trends
• User provisioning almost becoming a
commodity – everyone does it
• More emphasis is being placed on Roles
and Governance, Risk, and Compliance
(GRC) management
• Data Leak Prevention (DLP) integration
becoming more commonplace
• Organizations tending to more look at IDM
holistically
C D H Market Trends
• Wizards, web GUIs, business process
mapping tools, and “codeless” capabilities
are reducing implementation times
– Time to take a 2nd look
• Greater integration with partnering
technologies from other vendors
– Role management products
– SSO products
• Many acquisitions changing the landscape
C D H Roles
• Typically have multiple levels
– Business roles
– Permission roles
• Entitlements/resources typically assigned
to roles
• Some can be 100% based on attribute
values
• Most should allow manual assignment with
approvals
C D H GRC
• What is it?
• Governance
– Establishing role and entitlement policies
• Risk
– Assigning risk factors to roles and entitlements
• Compliance
– Preventing unjustified access and proving it
C D H GRC Example
• Risk levels are assigned to roles and
entitlements
• Increased scrutiny and monitoring applied
to higher risk roles and entitlements
• The risk levels of the roles and
entitlements assigned to a person add up
to a threat level
• Increased scrutiny and monitoring of the
user result from the increased threat level
C D H
C D H Vendor Comparisons
C D H Vendor Grid
C D H Enterprise Role Management
Market (Forrester)
Forrester Enterprise Role Mgmt - Feb 09
C D H Enterprise Role Management
Market (Forrester)
Forrester Enterprise Role Mgmt - Feb 09
C D H User Provisioning
C D H
C D H Vendor Overviews
C D H Microsoft
• New release – FIM
• Still way behind in the market, FIM won’t
significantly change this
• Still may be an easy choice for MS shops
with limited needs
• Can be cheaper than other solutions, but
not on an apples-to-apples comparison
• MS has stated that they want to become a
leader in the market – will take much work
C D H Sentillion
• Acquired by Microsoft
– Still trying to figure out how to best integrate
the technologies
– Some of the technologies directly compete
with FIM – what’s going to win?
• Healthcare focused
– Almost exclusively
C D H Novell
• Continues to fight the “bad” reputation of
their name
• No concern over Novell’s viability
• Extraordinary capabilities with limited
coding requirements
• Offers unparalleled platform flexibility
• IDM 4 brings strong new capabilities to the
mix – “game changers”
C D H Courion
• A strong suite of powerful products
• Focused specifically in identity
management technologies
• One of the earliest to offer SharePoint
integration & management
• Establishes partnerships and provides
tight integration
• Excellent rogue account management
C D H Oracle/Sun
• Much FUD about what the merger actually
means, not all is undeserved
• Some integration has already occurred
– Sun products being rename to Oracle xx
• Highly capable solutions
• Deep development requirements
– Do you have dedicate Java developers?
– You’ll need more
C D H IBM
• Shares top tier rating
• Part of the Tivoli suite of products
• XPRESS for simpler implementation
– XML based
• Like Oracle/Sun, requires pretty deep
development for more complex
functionality
• Aggressive product pricing in IBM shops
C D H CA
• Recently acquired Eurekify, an excellent
role mining and management vendor
• Uses Policy Xpress (sound familiar?) to
simplify policy “development”
• GUI workflow designer tool
• Also fights a bad rep at times
• Tends to ignore smaller engagements
C D H Other Vendors
• Too many to list!
• A number build on Microsoft solution
• Some show much promise
– EmpowerID from The Dot Net Factory
C D H
C D H Solution Similarities
C D H Commonalities
• Centralized identity repository
– Identity Vault
– Metaverse
– ID Store
– LDAP
• XML
– Config and settings files
– Transaction documents
– Rules and policies
C D H Common Claims
• Agent-less
– Usually means limited (AD API vs LDAP)
– MUST have an agent (client or server) for
password sync from an app/system
• GUI Builders and Wizards
– Meant to simplify development
– Provide for basic functionality
– Sometimes don’t go far enough (how do you
extend?)
C D H
C D H C/D/H IDM Perspective
C D H C/D/H Experience
• We help determine what IDM solution set
and vendor is best based on the
organization
– Sync, SSO, reporting, monitoring
– Existing relationships, budget, scope, skills
• Clients from 250 to 250,000 users
• Medium-large focus
– Most clients in the 3,000-8,000 user range
C D H C/D/H Experience
• Few in-house developers
– Well established developer relationships
utilized when needed
– Focus more on business process planning
• We like solutions requiring minimal
development
– Microsoft
– Novell
– Courion
C D H C/D/H Experience
C D H C/D/H Experience
C D H
Royal Oak 306 S. Washington Ave.
Suite 212
Royal Oak, MI 48067
p: (248) 546-1800
Thank You
Grand Rapids 15 Ionia SW
Suite 270
Grand Rapids, MI 49503
p: (616) 776-1600
(c) C/D/H 2007. All rights reserved www.cdh.com