EPRODUCTS LLC
Identity and Access Management
Vendor Evaluation
Prepared for …
October 15, 2009
This document surveys the vendors in the IAM space, identifies the major players and then examines their key differentiating factors. In conclusion it recommends two vendors for further evaluation.
Identity and Access Management Vendor Survey
Confidential Page 2 of 13
Table of Contents
1 INTRODUCTION
2 MAJOR IAM VENDORS
3 PRODUCT REQUIREMENTS
    3.1.1 Password Management
    3.1.2 Provisioning and De-Provisioning of Users
    3.1.3 Authentication – Quickly verify user identities
    3.1.4 Authorization – Control user access
    3.1.5 Administration – Manage users and assets
    3.1.6 Auditing – Document everything that happens
    3.1.7 Regulatory Requirements
4 CA (COMPUTER ASSOCIATES)
    4.1.1 Principal Product
    4.1.2 Second Tier Products
    4.1.3 Vendor Summary
5 IBM
    5.1.1 Principal Product
    5.1.2 Second Tier Products
    5.1.3 Vendor Summary
6 NOVELL
    6.1.1 Principal Product
    6.1.2 Second Tier Products
    6.1.3 Vendor Summary
7 ORACLE
    7.1.1 Principal Product
    7.1.2 Second Tier Products
    7.1.3 Vendor Summary
8 SUN MICROSYSTEMS
    8.1.1 Principal Product
    8.1.2 Second Tier Products
    8.1.3 Vendor Summary
9 CONCLUSION
1 Introduction
Request:
The client has asked for a high-level evaluation of the major vendors for IDM / IAM (Identity Management / Identity and Access Management) products. The focus is to be on identifying their key differentiating factors. As IAM explicitly includes “Access Management”, it is considered the more encompassing term and will be used for the remainder of this document.
IAM Key Differentiating Factors:
1. Completeness of product offerings, i.e. the product suite
2. Ability to handle growth, i.e. to scale from small to medium to large deployments
3. Ease of integration with existing products
4. Ease of installation, configuration and upgrades, i.e. IT administration costs
5. Commonly accepted criteria as judged by commercial reviews
6. Author’s direct experience
Value Delivered
This paper broadly outlines customer functional requirements that should be addressed by a vendor offering for Identity and Access Management (IAM). This paper also surveys the major vendors to see how, and how well, they address these requirements. WAM (Web Access Management) is integral to any IAM strategy, so it is also considered for the purposes of this report.
In lieu of direct knowledge about the client’s specific needs, we can assume a general IT organization having to serve ~100 users (both employees and customers) and wishing to grow to ~1000 users, but having the capability to grow to ~10,000 users.
Furthermore it is assumed that the functional needs will be those common needs of any organization in today’s environment, one having both a back-office and performing e-commerce or offering other transactional services via the internet. This includes federation and other forms of partner relationships. This common IAM functionality is outlined in its own section, below.
The details and conclusions are supported by various public articles and reports as well as direct information from the vendors’ websites.
2 Major IAM Vendors
Over the past decade a number of IAM vendors have come and gone. Most importantly, a number of them have been active in this space for a considerable amount of time. They have been able to adapt to IT infrastructure needs and the internet, and to grow through various partner relationships. Any robust solution is one that is open enough to allow integration points with various commercial as well as legacy products.
For research, the author surveyed publicly available articles and competitor analysis reports. The author went through each vendor’s site to learn how the vendor expressed its own strengths and weaknesses. In addition, the author has many years of security experience to draw upon. The results are crystal clear: for an enterprise embarking upon upgrading or implementing an IAM system, it really does come down to these vendors.
They are (in alphabetical order):
■ CA (Computer Associates)
■ IBM
■ Novell
■ Oracle
■ Sun Microsystems
3 Product Requirements
Any vendor offering will have to address the following areas. The major vendors being considered all do so to an acceptable degree.
3.1.1 Password Management
First generation systems use what’s called “Basic Authentication” consisting of name and password. Today’s enterprise requires a flexible password management system whereby “strong” passwords could be enforced where desired. Additionally password systems must support password expiry cycles, password hints and resets. Of course passwords must be stored as ultra-sensitive data, typically meaning passwords are hashed (one-way function) even when stored in a secure repository.
3.1.2 Provisioning and De-Provisioning of Users
Briefly, provisioning is the point at which identity and access management meet. It typically uses policy management systems and addresses the lifecycle of users. Enterprise solutions typically allow roles to be used as the basis for assigning rights and validate that the user’s rights are in line with their position. This is a SOX (Sarbanes-Oxley legislation) requirement entitled “segregation of duties.”
3.1.3 Authentication – Quickly verify user identities
This area focuses on identity proofing (that is, verifying identities), as well as authentication methods and infrastructure, various single sign-on (SSO) technologies, identity federation and personal identity frameworks. It covers Enterprise Single Sign-On (Intra Domain), Internet Single Sign-On (Cross Domain), Federation, Digital Certificates and Biometrics.
3.1.4 Authorization – Control user access
This topic focuses on authorization or entitlements management, and delivers Web access
management, operating system access management and content access management, as
well as network access control capabilities. Access management is also involved in
encryption, digital rights management and data loss prevention.
3.1.5 Administration – Manage users and assets
For any IAM system to be useful, it must provide administrative tools covering the basic capabilities for handling identities and access, including resource access administration. This area also covers the service management capabilities needed to administer and manage identities effectively, from workflow to delegation, and from self-service to connector management.
3.1.6 Auditing – Document everything that happens
This combines security information and event management (SIEM), control and other
monitoring tools to perform comprehensive activity, event and incident monitoring and
reporting for auditing purposes.
3.1.7 Regulatory Requirements
Regulatory requirements are a driving force in the security industry. They are typically written to address online privacy issues with health or financial transactions; however they apply equally well to all enterprise systems. Below are some of the more important regulations.
1. FFIEC mandate for “Authentication in an Internet Banking Environment” of 2001
2. Gramm-Leach-Bliley Act (GLBA) of 1999, requiring adequate data security
safeguards
3. Sarbanes-Oxley Act of 2002 (SOX), Section 404 requiring secure identity
management
4. FIPS 201 / HSPD-12 – the common identification standard for government
employees
5. HIPAA – ensure compliance by assuring only authorized access to health records
4 CA (Computer Associates)
4.1.1 Principal Product
CA Identity Manager
4.1.2 Second Tier Products
■ CA Access Control
■ CA ACF2
■ CA Cleanup
■ CA Directory
■ CA Embedded Entitlements Manager
■ CA Federation Manager
■ CA Security Compliance Manager
■ CA Single Sign-On
■ CA SiteMinder Web Access Manager
■ CA SOA Security Manager
■ CA Top Secret
■ CA VM:Secure for z/VM
4.1.3 Vendor Summary
CA has recently released CA Identity Manager r12, which offers improved interfaces and a
deeper integration of the products it acquired from Netegrity. Netegrity was really the first vendor
to offer robust enterprise SSO (intra-domain) and WAM (inter-domain Web Access
Management).
In 2008 CA acquired Eurekify for role management and identity compliance capabilities that are
highly complementary to its provisioning offering.
CA also added IDFocus (October 2008) which has added several key capabilities to help
customers meet compliance demands.
Positives
■ It has made timely, strategic acquisitions (specifically Netegrity, Eurekify and IDFocus) and seems on the path of continued strategic purchases.
■ From its own press releases, CA seems to be executing an aggressive IAM strategy.
■ It has been particularly successful integrating its Identity Manager with its (purchased) SiteMinder Web Access Manager product line.
Negatives
■ Because of its smaller size and lack of strong technology partnerships, customers will notice a difference when comparing its professional service offerings against those of the larger vendors.
■ Anytime acquisition plays such a large role in your product strategy you will definitely experience several years of product integration difficulties. Customers will experience this and be the ones to help the vendor iron out the integration roughness.
5 IBM
5.1.1 Principal Product
Tivoli Identity Manager
5.1.2 Second Tier Products
■ Tivoli Directory Server (LDAP)
■ Tivoli Federated Identity Manager
■ Tivoli Identity Manager
■ Tivoli Access Manager for Business Integration
■ Tivoli Access Manager for e-business
■ Tivoli Access Manager for Operating Systems
■ Tivoli Directory Integrator
■ Tivoli Federated Identity Manager Business Gateway
■ Tivoli Privacy Manager for e-business
■ Tivoli Security Compliance Manager
5.1.3 Vendor Summary
In 2008 IBM released Tivoli Identity Manager (TIM) v5.0. This is a mature and stable product,
giving IBM time to work on usability, performance and other maturation issues.
Positives
■ IBM has resources like no other company.
■ IBM has a strong suite of IAM products.
■ IBM has mainframe support with versions of TIM for z/OS, as well as Linux.
■ IBM has very strong outsourcing and services teams.
■ Its products are designed to handle the highest volumes.
Negatives
■ Its past history of failed deployments has hurt IBM's reputation, and its weak marketing hasn't effectively combated this perception.
■ IT administrative costs are extremely high; the products only shine at the very highest volumes.
■ With so many products it’s difficult to keep them all in sync or up to date with the latest features. This is known to anyone who has worked with IBM products.
■ IBM lacks a role management capability, which is integral to IAM products.
6 Novell
6.1.1 Principal Product
Novell Identity Manager
6.1.2 Second Tier Products
■ Novell Access Governance Suite
■ Novell Access Manager
■ Novell Border Manager
■ Novell Compliance Management Platform
■ Novell Compliance Certification Manager
■ Novell eDirectory
■ Novell Identity Assurance Solution
■ Novell Roles Lifecycle Manager
■ Novell Sentinel
■ Novell Storage Manager
■ Novell SecureLogin
■ Novell ZENworks Endpoint Security Management
6.1.3 Vendor Summary
Novell has made significant progress by investing in its partner relationships and improving its
sales and marketing strategies. The company is also building a comprehensive compliance
strategy, highlighting the integration between its provisioning and SIEM products.
Positives
■ Identity Manager 3 is based on Novell's hugely successful eDirectory offering.
■ Novell offers a strategy and roadmap that often receive high reviews.
■ Novell offers good support for bi-directional and real-time provisioning, something any customer can appreciate in terms of user experience.
Negatives
■ Novell still relies too strongly upon its legacy customer base.
■ Novell needs stronger partnerships with system integrators.
■ Novell must continue to improve the breadth and depth of its identity and security product line. It is still a bit of a niche product vendor.
7 Oracle
7.1.1 Principal Product
Oracle Identity Manager
7.1.2 Second Tier Products
■ Oracle Access Manager
■ Oracle Identity Federation
■ Oracle Enterprise Single Sign-On Suite
■ Oracle Role Manager
■ Oracle Internet Directory
■ Oracle Virtual Directory
■ Oracle Adaptive Access Manager
■ Oracle Web Services Manager
■ Oracle Security Developer Tools
■ Oracle Entitlements Server
7.1.3 Vendor Summary
Oracle has an aggressive acquisition strategy and seems to be pouring money into IAM
acquisitions, followed by strong execution in the security arena overall.
Positives
■ Oracle has a pretty deep IAM product suite.
■ Oracle's IAM plans get a lot of good press and seem integral to its strategic plans.
■ Oracle has a strong security team, along with partners and systems integrators.
■ Its product strategy seems well thought out and well executed.
Negatives
■ Its IAM deployments don’t have quite the long history that some of the other vendors have.
■ For products other than databases it sometimes experiences growing pains.
■ It faces the usual integration issues across its vast product suite along with its acquisitions.
8 Sun Microsystems
8.1.1 Principal Product
Sun Java System Identity
8.1.2 Second Tier Products
■ Access Manager
■ Directory Server
■ Federation
■ Identity Compliance
■ OpenSSO Enterprise
■ Role Manager
8.1.3 Vendor Summary
Sun’s products are usually very strong, very mature and easy to operate. Its identity server
(LDAP) was one of the earliest and remains best-in-breed w.r.t. deployment and maintenance.
Positives
■ Sun has maintained its strategic and visionary focus. It is well thought of in technology circles.
■ Sun Identity Manager 8.0 is very mature, showing integrated role management, good compliance, and good provisioning solutions.
■ Sun is committed to the open source community and integrates with legacy products very well.
Negatives
■ Company financials mean it won’t be able to invest in new products in the way its larger competitors can.
■ The financial downturn has put severe pressure on the company; layoffs and leadership defections may put its competitive stance at risk. However, it will then become a candidate for M&A activities; i.e. it will never be allowed to just lapse out of existence.
■ It offers strong core IAM products but doesn’t seem to be growing into the newest areas such as anti-fraud initiatives.
9 Conclusion
Corporate initiatives, federated access and regulatory requirements are all business drivers requiring agile IAM solutions. The market is competitive, but everyone is in agreement that the leaders are IBM, Oracle, and Sun. Other major brand vendors, e.g. Novell and CA, are also highly competitive. Beyond that, smaller vendors are struggling to compete against the product teams, global sales presence and partner ecosystem of these major vendors. Microsoft was also considered but did not have a complete strategy, and this isn’t a major business area for them, i.e. they offer some components and one O/S platform only.
Summary
IAM is a critical component for any business, large or small. For the very largest businesses (above 10K users) it comes down to IBM, Oracle and Sun. For mid-sized businesses (50-1000 users) the choices are Oracle and Sun, due to IBM’s complexity and Oracle’s and Sun’s willingness to deal. Below 100 users is small scale, so the choice depends more on functionality and price point than on the ability to scale and offer tight-knit packages as you grow. Oracle and Sun offer the most flexibility and value as you scale up or down. IBM is for very high volumes and brings complexity at small and moderate scale; CA and Novell don’t have all the partnerships or integration points that Sun and Oracle offer.
Recommendation
Oracle and Sun go on to the next round.