
EPRODUCTS LLC

Identity and Access Management

Vendor Evaluation

Prepared for …

October 15, 2009

This document surveys the vendors in the IAM space, identifies the major players and then examines their key differentiating factors. In conclusion it recommends two vendors for further evaluation.


Identity and Access Management Vendor Survey

Confidential Page 2 of 13

Table of Contents

1 INTRODUCTION ........ 3

2 MAJOR IAM VENDORS ........ 4

3 PRODUCT REQUIREMENTS ........ 5
  3.1.1 Password Management ........ 5
  3.1.2 Provisioning and De-Provisioning of Users ........ 5
  3.1.3 Authentication – Quickly verify user identities ........ 5
  3.1.4 Authorization – Control user access ........ 5
  3.1.5 Administration – Manage users and assets ........ 5
  3.1.6 Auditing – Document everything that happens ........ 6
  3.1.7 Regulatory Requirements ........ 6

4 CA (COMPUTER ASSOCIATES) ........ 7
  4.1.1 Principal Product ........ 7
  4.1.2 Second Tier Products ........ 7
  4.1.3 Vendor Summary ........ 7

5 IBM ........ 9
  5.1.1 Principal Product ........ 9
  5.1.2 Second Tier Products ........ 9
  5.1.3 Vendor Summary ........ 9

6 NOVELL ........ 10
  6.1.1 Principal Product ........ 10
  6.1.2 Second Tier Products ........ 10
  6.1.3 Vendor Summary ........ 10

7 ORACLE ........ 11
  7.1.1 Principal Product ........ 11
  7.1.2 Second Tier Products ........ 11
  7.1.3 Vendor Summary ........ 11

8 SUN MICROSYSTEMS ........ 12
  8.1.1 Principal Product ........ 12
  8.1.2 Second Tier Products ........ 12
  8.1.3 Vendor Summary ........ 12

9 CONCLUSION ........ 13


1 Introduction

Request:

The client has asked for a high-level evaluation of the major vendors of IDM / IAM (Identity Management / Identity and Access Management) products. The focus is to be on identifying their key differentiating factors. As IAM explicitly includes “Access Management” it is considered the more encompassing term and will be used for the remainder of this document.

IAM Key Differentiating Factors:

1. Completeness of product offerings, i.e. the product suite

2. Ability to handle growth, i.e. to scale from small to medium to large deployments

3. Ease of integration with existing products

4. Ease of installation, configuration and upgrades, i.e. IT administration costs

5. Commonly accepted criteria as judged by commercial reviews

6. Author’s direct experience

Value Delivered

This paper broadly outlines the customer functional requirements that should be addressed by a vendor offering for Identity and Access Management (IAM). It also surveys the major vendors to see how, and how well, they address these requirements. Integral to any IAM strategy is WAM (Web Access Management), so it will also be considered for the purposes of this report.

In lieu of direct knowledge of the client’s specific needs we assume a general IT organization having to serve ~100 users (both employees and customers), wishing to grow to ~1000 users, and needing the capability to grow to ~10,000 users.

Furthermore, it is assumed that the functional needs will be those common to any organization in today’s environment: one that has a back office and also performs e-commerce or offers other transactional services via the internet. This includes federation and other forms of partner relationships. This common IAM functionality is outlined in its own section, below.

The details and conclusions are supported by various public articles and reports as well as direct information from the vendors’ websites.


2 Major IAM Vendors

Over the past decade a number of IAM vendors have come and gone. Most importantly, there are a number who have been involved in this space for a considerable amount of time. They have been able to adapt to changing IT infrastructure needs and to the internet, and to grow through various partner relationships. Any robust solution is one that is open enough to allow integration points with various commercial as well as legacy products.

For research the author surveyed publicly available articles and competitor analysis reports, and went through each vendor’s site to learn how the vendor expressed its own strengths and weaknesses. The author also has many years of security experience to draw upon. The results are crystal clear: for an enterprise embarking upon upgrading or implementing an IAM system, it really does come down to these vendors.

They are (in alphabetical order):

■ CA (Computer Associates)

■ IBM

■ Novell

■ Oracle

■ Sun Microsystems


3 Product Requirements

Any vendor offering will have to address the following areas. The major vendors being considered all do so to an acceptable degree.

3.1.1 Password Management

First generation systems use what’s called “Basic Authentication”, consisting of a name and password. Today’s enterprise requires a flexible password management system whereby “strong” passwords can be enforced where desired. Additionally, password systems must support password expiry cycles, password hints and resets. Of course passwords must be stored as ultra-sensitive data, which typically means passwords are hashed (a one-way function) even when stored in a secure repository.
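As an added illustration (not part of the original report or any vendor product), the following Python sketch shows these password-management requirements in code: a strength policy that is enforced only where desired, salted one-way hashing with PBKDF2, an expiry cycle, and hints and resets. The policy values, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Policy values are constructed for this example; the report fixes none of them.
MIN_LENGTH = 12
MAX_AGE_SECONDS = 90 * 24 * 3600  # 90-day expiry cycle
PBKDF2_ITERATIONS = 200_000
CLASSES = (("upper", r"[A-Z]"), ("lower", r"[a-z]"), ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]"))

def check_strength(password: str) -> list:
    """Names of the policy rules the password fails; an empty list means accepted."""
    failures = ["length"] if len(password) < MIN_LENGTH else []
    failures += [name for name, pattern in CLASSES if not re.search(pattern, password)]
    return failures

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted one-way hash; only the (salt, digest) pair is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: float   # when the password was last set; drives the expiry cycle
    hint: str = ""  # user-supplied reminder, never derived from the password

class PasswordStore:
    def __init__(self, strong: bool = True):
        self.strong = strong  # "strong" policy is enforced only where desired
        self._creds = {}

    def set_password(self, user, password, hint="", now=None):
        """Initial set and reset share one path so the policy applies to both."""
        failures = check_strength(password) if self.strong else []
        if failures:
            raise ValueError("password fails policy: " + ", ".join(failures))
        salt, digest = hash_password(password)
        self._creds[user] = Credential(salt, digest, now or time.time(), hint)

    def verify(self, user, password, now=None) -> str:
        """Returns 'ok', 'expired' (correct but past the cycle) or 'bad'."""
        cred = self._creds.get(user)
        if cred is None:
            return "bad"
        _, digest = hash_password(password, cred.salt)
        if not hmac.compare_digest(digest, cred.digest):
            return "bad"
        if (now or time.time()) - cred.set_at > MAX_AGE_SECONDS:
            return "expired"
        return "ok"

    def hint(self, user) -> str:
        return self._creds[user].hint if user in self._creds else ""
```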

3.1.2 Provisioning and De-Provisioning of Users

Briefly, provisioning is the point at which identity and access management meet. It typically uses policy management systems and addresses the lifecycle of users. Enterprise solutions typically allow roles to be used as the basis for assigning rights and validate that the user’s rights are in line with their position. This is a SOX (Sarbanes-Oxley legislation) requirement entitled “segregation of duties.”
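To make the role-based provisioning and segregation-of-duties requirement concrete, here is an added Python example (not from the report or any vendor product): roles map to entitlements, every grant is checked against the user's position and a set of SoD conflict rules, de-provisioning revokes everything while keeping the record for audit, and a certification pass re-validates every active account. The role names, entitlements, positions and conflict pairs are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role model and segregation-of-duties (SoD) rules; the report
# names no specific roles, so these values are illustrative only.
ROLE_ENTITLEMENTS = {"ap_clerk": {"erp:create_invoice"}, "ap_approver": {"erp:approve_invoice"},
                     "treasury": {"bank:release_payment"}, "reader": {"reports:read"}}
SOD_CONFLICTS = [{"erp:create_invoice", "erp:approve_invoice"},    # create and approve
                 {"erp:approve_invoice", "bank:release_payment"}]  # approve and pay

@dataclass
class Account:
    user: str
    position: str
    roles: set = field(default_factory=set)
    active: bool = True

    def entitlements(self) -> set:
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.roles))

def sod_violations(entitlements: set) -> list:
    return [c for c in SOD_CONFLICTS if c <= entitlements]  # conflict sets fully held

class ProvisioningEngine:
    def __init__(self, position_roles: dict):
        self.position_roles = position_roles  # policy: position -> roles it may hold
        self.accounts = {}
        self.audit = []  # (event, user, detail) records kept for later review

    def provision(self, user: str, position: str, roles=()) -> Account:
        self.accounts[user] = Account(user, position)
        self.audit.append(("provision", user, position))
        for role in roles:
            self.grant_role(user, role)
        return self.accounts[user]

    def grant_role(self, user: str, role: str) -> None:
        acct = self.accounts[user]
        if role not in self.position_roles[acct.position]:
            raise PermissionError(f"{role} is not permitted for position {acct.position}")
        conflicts = sod_violations(acct.entitlements() | ROLE_ENTITLEMENTS[role])
        if conflicts:
            raise PermissionError(f"segregation of duties: {sorted(conflicts[0])}")
        acct.roles.add(role)
        self.audit.append(("grant", user, role))

    def deprovision(self, user: str) -> None:
        acct = self.accounts[user]
        acct.roles.clear()  # revoke every entitlement but keep the record for audit
        acct.active = False
        self.audit.append(("deprovision", user, None))

    def certify(self) -> list:
        """Periodic access review: flag drift from position policy and SoD conflicts."""
        findings = []
        for acct in (a for a in self.accounts.values() if a.active):
            extra = acct.roles - set(self.position_roles[acct.position])
            if extra:
                findings.append((acct.user, "roles outside position", sorted(extra)))
            for c in sod_violations(acct.entitlements()):
                findings.append((acct.user, "sod", sorted(c)))
        return findings
```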

3.1.3 Authentication – Quickly verify user identities

This area focuses on identity proofing (that is, verifying identities), as well as authentication methods and infrastructure, various single sign-on (SSO) technologies, identity federation and personal identity frameworks. It covers Enterprise Single Sign-On (intra-domain), Internet Single Sign-On (cross-domain), federation, digital certificates and biometrics.

3.1.4 Authorization – Control user access

This topic focuses on authorization or entitlements management, and delivers Web access management, operating system access management and content access management, as well as network access control capabilities. Access management is also involved in encryption, digital rights management and data loss prevention.

3.1.5 Administration – Manage users and assets

For any IAM system to be useful, administrative tools must be provided for the basic administration capabilities for handling identities and access, including resource access administration. It is also focused on providing the necessary service management capabilities to administer and manage identities effectively, from workflow to delegation, and from self-service to connector management.


3.1.6 Auditing – Document everything that happens

This combines security information and event management (SIEM), control and other monitoring tools to perform comprehensive activity, event and incident monitoring and reporting for auditing purposes.

3.1.7 Regulatory Requirements

Regulatory requirements are a driving force in the security industry. They are typically written to address online privacy issues with health or financial transactions; however, they apply equally well to all enterprise systems. Below are some of the more important regulations.

1. FFIEC mandate for “Authentication in an Internet Banking Environment” of 2001

2. Gramm-Leach-Bliley Act (GLBA) of 1999, requiring adequate data security safeguards

3. Sarbanes-Oxley Act of 2002 (SOX), Section 404 requiring secure identity management

4. FIPS 201 / HSPD-12 – the common identification standard for government employees

5. HIPAA – ensure compliance by assuring only authorized access to health records


4 CA (Computer Associates)

4.1.1 Principal Product

CA Identity Manager

4.1.2 Second Tier Products

■ CA Access Control

■ CA ACF2

■ CA Cleanup

■ CA Directory

■ CA Embedded Entitlements Manager

■ CA Federation Manager

■ CA Security Compliance Manager

■ CA Single Sign-On

■ CA SiteMinder Web Access Manager

■ CA SOA Security Manager

■ CA Top Secret

■ CA VM:Secure for z/VM

4.1.3 Vendor Summary

CA has recently released CA Identity Manager r12, which offers improved interfaces and a deeper integration of the products it acquired from Netegrity. Netegrity was really the first vendor to offer robust enterprise SSO (intra-domain) and WAM (inter-domain Web Access Management).

In 2008 CA acquired Eurekify for role management and identity compliance capabilities that are highly complementary to its provisioning offering.

CA also added IDFocus (October 2008), which added several key capabilities to help customers meet compliance demands.

Positives

■ It has made timely, strategic acquisitions, specifically Netegrity, Eurekify and IDFocus, and seems on the path of continued strategic purchases.

■ From its own press releases CA seems to be executing an aggressive IAM strategy.

■ It has been particularly successful integrating its Identity Manager with its (purchased) SiteMinder Web Access Manager product line.

Negatives

■ Because of its smaller size and its lack of strong technology partnerships, customers will notice a difference when comparing its professional services offerings against those of the larger vendors.

■ Any time acquisition plays such a large role in your product strategy you will definitely experience several years of product integration difficulties. Customers will experience this and be the ones to help the vendor iron out the integration roughness.


5 IBM

5.1.1 Principal Product

Tivoli Identity Manager

5.1.2 Second Tier Products

■ Tivoli Directory Server (LDAP)

■ Tivoli Federated Identity Manager

■ Tivoli Identity Manager

■ Tivoli Access Manager for Business Integration

■ Tivoli Access Manager for e-business

■ Tivoli Access Manager for Operating Systems

■ Tivoli Directory Integrator

■ Tivoli Federated Identity Manager Business Gateway

■ Tivoli Privacy Manager for e-business

■ Tivoli Security Compliance Manager

5.1.3 Vendor Summary

In 2008 IBM released Tivoli Identity Manager (TIM) v5.0. This is a mature and stable product, giving IBM time to work on usability, performance and other maturation issues.

Positives

■ IBM has resources like no other company.

■ IBM has a strong suite of IAM products.

■ IBM has mainframe support with versions of TIM for z/OS, as well as Linux.

■ IBM has very strong outsourcing and services teams.

■ Its products are designed to handle the highest volumes.

Negatives

■ Its past history of failed deployments has hurt IBM's reputation, and its weak marketing hasn't effectively combated this perception.

■ Extremely high IT administrative costs; they only shine at the very highest volumes.

■ With so many products it’s difficult to keep them all in sync or with the latest features. This is known to anyone who has worked with IBM products.

■ IBM lacks a role management capability, which is integral to IAM products.


6 Novell

6.1.1 Principal Product

Novell Identity Manager

6.1.2 Second Tier Products

■ Novell Access Governance Suite

■ Novell Access Manager

■ Novell Border Manager

■ Novell Compliance Management Platform

■ Novell Compliance Certification Manager

■ Novell eDirectory

■ Novell Identity Assurance Solution

■ Novell Roles Lifecycle Manager

■ Novell Sentinel

■ Novell Storage Manager

■ Novell SecureLogin

■ Novell ZENworks Endpoint Security Management

6.1.3 Vendor Summary

Novell has made significant progress by investing in its partner relationships and improving its sales and marketing strategies. The company is also building a comprehensive compliance strategy, highlighting the integration between its provisioning and SIEM products.

Positives

■ Identity Manager 3 is based on Novell's hugely successful eDirectory offering.

■ Novell offers a strategy and roadmap that often receive high reviews.

■ Novell offers good support for bi-directional and real-time provisioning, something any customer can appreciate in terms of user experience.

Negatives

■ Novell still relies too strongly upon its legacy customer base.

■ Novell needs stronger partnerships with system integrators.

■ Novell must continue to improve the breadth and depth of its identity and security product line. It is still a bit of a niche product vendor.


7 Oracle

7.1.1 Principal Product

Oracle Identity Manager

7.1.2 Second Tier Products

■ Oracle Access Manager

■ Oracle Identity Federation

■ Oracle Enterprise Single Sign-On Suite

■ Oracle Role Manager

■ Oracle Internet Directory

■ Oracle Virtual Directory

■ Oracle Adaptive Access Manager

■ Oracle Web Services Manager

■ Oracle Security Developer Tools

■ Oracle Entitlements Server

7.1.3 Vendor Summary

Oracle has an aggressive acquisition strategy and seems to be pouring money into IAM acquisitions, followed by strong execution in the security arena overall.

Positives

■ Oracle has a pretty deep IAM product suite.

■ Oracle's IAM plans get a lot of good press and seem integral to its strategic plans.

■ Oracle has a strong security team, along with partners and systems integrators.

■ Its product strategy seems well thought out and well executed.

Negatives

■ Its IAM deployments don’t have quite the long history that some of the other vendors have.

■ For products other than databases it sometimes experiences growing pains.

■ It faces the usual integration issues across its vast product suite along with its acquisitions.


8 Sun Microsystems

8.1.1 Principal Product

Sun Java System Identity

8.1.2 Second Tier Products

■ Access Manager

■ Directory Server

■ Federation

■ Identity Compliance

■ OpenSSO Enterprise

■ Role Manager

8.1.3 Vendor Summary

Sun’s products are usually very strong, very mature and easy to operate. Its identity server (LDAP) was one of the earliest and remains best-in-breed with respect to deployment and maintenance.

Positives

■ Sun has maintained its strategic and visionary focus. It is well thought of in technology circles.

■ Sun Identity Manager 8.0 is very mature, showing integrated role management, good compliance, and good provisioning solutions.

■ Sun is committed to the open source community and integrates with legacy products very well.

Negatives

■ Company financials mean it won’t be able to invest in new products in the way its larger competitors can.

■ The financial downturn has put severe pressure on the company; layoffs and leadership defections may put its competitive stance at risk. However, it will then become a candidate for M&A activities, i.e. it will never be allowed to just lapse out of existence.

■ It offers strong core IAM products but doesn’t seem to be growing into the newest areas such as anti-fraud initiatives.


9 Conclusion

Corporate initiatives, federated access and regulatory requirements are all business drivers requiring agile IAM solutions. The market is competitive, but everyone is in agreement that the leaders are IBM, Oracle, and Sun. Other major brand vendors, e.g. Novell and CA, are also highly competitive. Beyond that, smaller vendors are struggling to compete against the product teams, global sales presence and partner ecosystems of these major vendors. Microsoft was also considered but did not have a complete strategy, and this isn’t a major business area for them, i.e. they offer some components and one O/S platform only.

Summary

IAM is a critical component for any business, large or small. For the very largest businesses (above 10K users) it comes down to IBM, Oracle and Sun. For mid-sized businesses (50-1000 users) the choices are Oracle and Sun, due to IBM’s complexity and Oracle’s and Sun’s willingness to deal. Below 100 users is small scale, so the choice depends more on functionality and price point than on the ability to scale and offer tight-knit packages as you grow. Oracle and Sun offer the most flexibility and value as you scale up or down. IBM is for very high volumes and offers complexity at small and moderate scale; CA and Novell don’t have all the partnerships or integration points that Sun and Oracle offer.

Recommendation

Oracle and Sun go on to the next round.