Identity (Management) Crisis (Part 4): Selecting a Comprehensive Identity Management solution

If you would like to be notified on when Deb Shinder releases the next part in this article series please sign up to our WindowSecurity.com Real Time Article Update newsletter.


Introduction

In Parts 1 through 3 of this series, we took a look at the evolution of the concept of “identity,” misconceptions about identity in the IT world, and some current identity management solutions, with a focus on digital signatures. In this, Part 4, we’ll look more closely at the criteria for choosing a comprehensive identity management solution for an organization or a federated identity management solution.

One size doesn’t fit all

The goal of an identity management system is to ensure that only authenticated and authorized users have access to network resources. A good identity management system will automate this process as much as possible and allow for self-service by users (e.g., the ability to reset their own passwords).

There are a large number of identity management solutions available from different vendors, some more sophisticated (and expensive) than others. There is no one “right” system that fits every organization’s needs. In selecting a solution for your organization, you’ll want to consider:

  • Scope (management of identity across a single organization or a large federation)
  • Feature set (simplicity vs more granular control)
  • Ease of deployment
  • Scalability
  • Budget

The first step is to define exactly what you want the system to do. In a federated system, trust is established between and across different organizations. Such a system can provide single sign-on (SSO): users log in once to their own identity provider and can then access resources anywhere within the trust relationship without signing on to each system separately, provided their accounts have permissions to those resources. This allows the organizations in the federation to share services with one another’s users.

There are both open source and proprietary identity management systems for use within organizations. The more comprehensive the feature set, the more complex deployment and administration of the system will be, which brings the need for skilled/trained personnel and/or hiring of specialists to set up the system.

Identity management system features

Most identity management (IDM) systems will provide standard features in some or all of the following categories:

  • Provisioning, deprovisioning and management of user accounts
  • Synchronization of passwords and attributes
  • Enterprise single sign-on
  • Federation
  • Access management
  • Rules-based provisioning and management
  • Role-based provisioning and management
  • Policy based management
  • Reporting
  • DLP (Data Leak Prevention) integration

All major solutions will provide for a centralized repository for storing identity information, and most will include wizards (perhaps by another name) to simplify the management process. If you have a heterogeneous environment, you’ll want a solution that supports different types of directories, databases, operating systems and applications. You’ll also want to determine what types of authentication are supported (passwords, biometrics, tokens).

Auditing and reporting are often overlooked but vitally important features. You may need to be able to customize reports, so a solution that allows you to do this without programming skills is highly desirable.

Identity management systems architecture

Architecting an IDM system starts with information sources. This includes the users of the system, the roles they hold in the organization(s), trusts that extend across organizations and the policies that define how identity rules relate to resource access. Identity management is built on directory services that function as repositories for data about the users and their identities. In addition to roles, granular authorization can utilize user attributes such as length of time employed, education/military or other pre-employment background, and so forth. Thus the directory database needs to be customizable, with an extensible schema.

The mechanisms by which this information is processed include authentication and authorization, processing of rules, the workflow and how identity management tasks integrate with other processes such as compliance and governance. All this is accomplished by specific applications that perform user account provisioning and deprovisioning, self-service, single sign-on, auditing and reporting, and so forth. Users should be able to perform self-service tasks easily, from any location, and administrators need to be able to manage the IDM system remotely. Web services applications can allow access to the system through a web portal. Applications that make up the IDM solution include web services, directory services, databases and the IDM applications themselves. These applications will be built on standard protocols (HTTP/HTTPS, XML, LDAP, SQL, etc.).

High availability is a major requirement for an identity management system, because its function is vital to allowing users to access the resources required to do their work; directory replication across multiple servers is therefore a must. Reliability of the information is also key, which means directory synchronization between sources must be taken into account. Finally, performance is important to prevent user frustration and slowdown of the business workflow.

IDM vendors

Popular IDM solutions are marketed by:

  • Microsoft
  • HP
  • IBM
  • CA
  • Courion
  • Novell
  • Oracle
  • SAP
  • Siemens

and many others. We’ll look more closely at the top four in the sections below.

Microsoft identity solutions

Many Windows shops will naturally look toward Microsoft first when considering IDM solutions. Active Directory Domain Services (AD DS) already provides the core IDM functions of a directory: account storage, authentication and group-based authorization. Active Directory Federation Services (AD FS), first included in Windows Server 2003 R2 and a server role in Windows Server 2008 and 2008 R2, builds on it and uses AD DS as its identity provider. With AD FS, two organizations can establish a federation trust between their federation servers: the user’s home organization authenticates the user against Active Directory and issues a signed security token containing claims about that user, and the partner organization’s federation server validates the token and passes the claims on to its applications. The AD schema can also be extended to hold UNIX identity attributes (UID, GID, login shell, home directory) directly in AD DS; installing Server for NIS on a domain controller adds the UNIX Attributes tab to the Active Directory Users and Computers console so those attributes can be managed alongside the Windows ones.
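The federation exchange described above (and in the federated SSO discussion earlier in the article) can be shown end to end. The following Python code is an added example written for this article, not AD FS or any vendor’s code: one organization’s identity provider authenticates a user and issues a signed token of claims, and a relying party in a partner organization accepts it only if it comes from an issuer in its trust list, the signature verifies, the audience is this relying party and the token has not expired. Tokens are HMAC-signed JSON with a shared key for brevity, where AD FS would use SAML or JWT tokens signed with the federation server’s certificate; the organization names, keys, user, roles and permissions are invented.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Federation server of the user's home organization: authenticates the user
    against that organization's directory (a dict here) and issues a signed
    token of claims. Issuer name and key are hypothetical."""

    def __init__(self, issuer, signing_key, directory):
        self.issuer = issuer
        self.key = signing_key
        self.directory = directory  # username -> {"password": ..., "roles": [...]}

    def issue_token(self, username, password, audience, ttl=300, now=None):
        user = self.directory.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("authentication failed")
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl, "roles": sorted(user["roles"])}
        payload = b64url_encode(json.dumps(claims, sort_keys=True).encode())
        sig = b64url_encode(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return payload + "." + sig


class RelyingParty:
    """A resource in the partner organization. The federation trust is the table
    of issuers it accepts and the key it verifies each one's tokens with; the
    role map turns the partner's roles into local permissions."""

    def __init__(self, audience, trusted_issuers, role_map):
        self.audience = audience
        self.trusted_issuers = trusted_issuers  # issuer -> verification key
        self.role_map = role_map                # (issuer, role) -> set of permissions

    def validate(self, token, now=None):
        try:
            payload, sig = token.split(".")
            claims = json.loads(b64url_decode(payload))
            sig_bytes = b64url_decode(sig)
        except ValueError:  # wrong part count, bad base64 or bad JSON
            raise PermissionError("malformed token")
        if not isinstance(claims, dict):
            raise PermissionError("malformed token")
        issuer = claims.get("iss")
        key = self.trusted_issuers.get(issuer) if isinstance(issuer, str) else None
        if key is None:
            raise PermissionError("untrusted issuer")       # no federation trust with this IdP
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig_bytes):
            raise PermissionError("bad signature")          # claims were altered or key differs
        if claims.get("aud") != self.audience:
            raise PermissionError("wrong audience")         # token minted for another service
        now = int(time.time()) if now is None else now
        exp = claims.get("exp")
        if not isinstance(exp, int) or now >= exp:
            raise PermissionError("token expired")
        return claims

    def permissions_for(self, token, now=None):
        claims = self.validate(token, now)
        roles = claims.get("roles", [])
        perms = set()
        for role in roles if isinstance(roles, list) else []:
            perms |= self.role_map.get((claims["iss"], role), set())
        return perms


def rejection_reason(rp, token, now=None):
    """None if the relying party accepts the token, otherwise why it refused."""
    try:
        rp.validate(token, now)
        return None
    except PermissionError as exc:
        return str(exc)


def tamper_roles(token, roles):
    """What someone without the signing key can do: rewrite the claims and keep
    the old signature. A correct relying party must reject the result."""
    payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["roles"] = roles
    return b64url_encode(json.dumps(claims, sort_keys=True).encode()) + "." + sig


if __name__ == "__main__":
    # Constructed sample trust between two hypothetical organizations.
    idp = IdentityProvider("https://sts.contoso.example", b"contoso-signing-secret",
                           {"alice": {"password": "correct horse", "roles": ["engineer"]}})
    rp = RelyingParty("https://portal.fabrikam.example",
                      {"https://sts.contoso.example": b"contoso-signing-secret"},
                      {("https://sts.contoso.example", "engineer"): {"read:wiki", "open:ticket"}})
    token = idp.issue_token("alice", "correct horse", "https://portal.fabrikam.example")
    print(sorted(rp.permissions_for(token)))
    print(rejection_reason(rp, tamper_roles(token, ["admin"])))
```

The order of the checks matters: the signature is verified before any claim is trusted, and the audience check is what stops a token issued for one partner service from being replayed against another that trusts the same issuer.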

There are many third party IDM software packages designed to work with Active Directory and extend its IDM capabilities, such as the Netwrix Identity Management Suite, Softerra Adaxes and products from Centrify.

Microsoft has put out several iterations of its own separate IDM solution. Microsoft Identity Integration Server (MIIS) grew out of Microsoft Metadirectory Server (MMS) and was released in 2003. In 2007, the name was changed to Identity Lifecycle Manager (ILM), and then in 2010 it morphed again, into Forefront Identity Manager (FIM). FIM is designed to integrate with both Active Directory and Exchange and use familiar tools. Users can take advantage of self-service through Outlook, and administrators can manage identities through a SharePoint based interface.

FIM builds on ILM’s combination of identity management with management of certificates and smart cards and provides the ability to manage identities more efficiently across the enterprise. Organizations can combine identity information from different directories and systems and synchronize user accounts across those systems, creating one address book to serve multiple forests. When users change roles, their information can be updated automatically so that they have the correct access rights for their new roles. FIM lets you build centralized policies and makes it easier to automate and enforce identity policies. There are connectors to integrate with non-Microsoft databases, directories and operating systems, such as Oracle, SAP, Novell, Sun, Lotus Notes and others.
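To make the synchronization step concrete, here is an added example (written for this article, not FIM code) of the metadirectory pattern the paragraph describes: records about the same person from an HR system, Active Directory and a mail system are joined on a shared identifier, one entry per person is built by taking each attribute from the source that is authoritative for it, and the changes each target needs are computed from that entry. The source names, join key, precedence table and sample records are assumptions constructed for the example.

```python
JOIN_KEY = "employeeID"

# Attribute precedence: which connected source is authoritative for each
# attribute, most authoritative first. HR owns name and title, the mail
# system owns the address, the directory owns the phone it publishes.
# (Hypothetical policy for the example.)
PRECEDENCE = {
    "displayName": ["hr", "ad"],
    "title":       ["hr", "ad"],
    "mail":        ["mail", "ad"],
    "phone":       ["ad", "hr"],
}

# Constructed sample data: three sources, one of which holds a record
# without the join key (a service account) that cannot be matched.
SAMPLE_SOURCES = {
    "hr":   [{"employeeID": "1001", "displayName": "Alice Smith", "title": "Senior Engineer", "phone": "x100"},
             {"employeeID": "1002", "displayName": "Bob Jones", "title": "Analyst"}],
    "ad":   [{"employeeID": "1001", "displayName": "A. Smith", "title": "Engineer", "phone": "+1 555 0100"},
             {"displayName": "svc-backup"}],
    "mail": [{"employeeID": "1001", "mail": "asmith@corp.example"}],
}


def join_records(sources):
    """sources: {source_name: [record, ...]} -> ({join key: {source_name: record}}, orphans).
    Records without the join key cannot be matched and are returned separately
    so an administrator can resolve them instead of silently losing them."""
    joined, orphans = {}, []
    for name, records in sources.items():
        for rec in records:
            key = rec.get(JOIN_KEY)
            if not key:
                orphans.append((name, rec))
                continue
            joined.setdefault(key, {})[name] = rec
    return joined, orphans


def merge(per_source):
    """Build the consolidated entry for one person by applying precedence:
    the first authoritative source that has a non-empty value wins."""
    entry = {}
    for attr, order in PRECEDENCE.items():
        for src in order:
            value = per_source.get(src, {}).get(attr)
            if value not in (None, ""):
                entry[attr] = value
                break
    return entry


def export_delta(entry, target_record, exported_attrs):
    """Attribute changes a target needs in order to match the consolidated entry."""
    return {a: entry[a] for a in exported_attrs
            if a in entry and target_record.get(a) != entry[a]}


def synchronize(sources, target_name, exported_attrs):
    """One full pass: join, merge, and compute the per-person delta for one target.
    A person with no record in the target at all gets a delta holding every
    exported attribute, which is the signal to create the account there."""
    joined, orphans = join_records(sources)
    deltas = {}
    for key, per_source in joined.items():
        delta = export_delta(merge(per_source), per_source.get(target_name, {}), exported_attrs)
        if delta:
            deltas[key] = delta
    return deltas, orphans


if __name__ == "__main__":
    changes, unmatched = synchronize(SAMPLE_SOURCES, "ad", ["displayName", "title", "mail"])
    for key, delta in sorted(changes.items()):
        print(key, delta)
    print("unmatched:", unmatched)
```

Running the pass against the sample data corrects the display name and title that drifted in Active Directory, copies the mail address the directory never had, flags employee 1002 as missing from the directory, and reports the service account as an orphan rather than inventing a join for it.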

For more about FIM, see the white paper titled Understanding FIM 2010.

HP identity solutions

Hewlett-Packard entered the identity management market in 2004, when it acquired TruLogica and folded its software into the OpenView management suite. OpenView was rebranded as HP Software in 2007, and shortly afterwards HP discontinued its Select Identity, Select Access and Select Federation products, although it will continue to support them until 2013.

HP now offers identity and access management as a service. Their IAM offering includes identity lifecycle management with the flexibility to use a variety of different credentials, including certificates, tokens and biometrics. It also includes federation services, directory management and access management, with reporting and auditing services.

IBM identity solutions

IBM provides IDM as part of its Tivoli suite of management products. Tivoli Identity Manager is policy- and role-based and integrates both identity and access management. It is a very comprehensive solution that supports self-service and boasts features such as closed-loop user provisioning (detecting and correcting discrepancies between approved access and the privileges actually held on target systems) and separation of duties (preventing a single user from holding conflicting access rights).

Tivoli Identity Manager supports a number of different platforms, including Windows Server, SUSE and Red Hat Enterprise Linux servers, Sun Solaris and of course IBM’s own AIX. It integrates with ERP systems and a wide variety of popular business applications.
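The role-based, rules-based and closed-loop provisioning features listed above, together with the separation-of-duties check, can be seen working together in the following added example (written for this article; not Tivoli Identity Manager, FIM or any other vendor’s code). Roles are derived from HR attributes by rules and from explicit assignments, a role policy turns them into entitlements on target systems, a leaver’s approved access collapses to nothing, and a reconciliation pass compares approved access with what the targets actually hold, revoking anything unapproved and refusing to grant a combination that a separation-of-duties rule forbids. The roles, rules, systems, entitlement names and sample users are invented.

```python
# Role policy: role -> entitlements (system, privilege) the role carries.
# Hypothetical systems and privilege names.
ROLE_POLICY = {
    "employee":   {("ad", "Domain Users"), ("mail", "mailbox")},
    "ap_clerk":   {("erp", "enter_invoice")},
    "ap_manager": {("erp", "approve_payment")},
    "it_admin":   {("ad", "Domain Admins")},
}

# Rules-based provisioning: roles derived from attributes supplied by HR,
# including a tenure attribute of the kind the architecture section mentions.
ROLE_RULES = [
    ("employee",   lambda a: a.get("status") == "active"),
    ("ap_clerk",   lambda a: a.get("department") == "Accounts Payable" and not a.get("manager", False)),
    ("ap_manager", lambda a: a.get("department") == "Accounts Payable" and a.get("manager", False)),
    ("it_admin",   lambda a: a.get("department") == "IT" and a.get("tenure_days", 0) >= 90),
]

# Separation of duties: no single user may hold both sides of any pair.
SOD_RULES = [
    frozenset({("erp", "enter_invoice"), ("erp", "approve_payment")}),
]


def derive_roles(attrs, assigned=()):
    """Roles from the rule pass plus any explicitly assigned ones."""
    roles = set(assigned)
    for role, rule in ROLE_RULES:
        if rule(attrs):
            roles.add(role)
    return roles


def approved_entitlements(attrs, assigned=()):
    """What the user should hold. Anyone not active is approved for nothing,
    which is what drives deprovisioning of leavers regardless of their roles."""
    if attrs.get("status") != "active":
        return set()
    ents = set()
    for role in derive_roles(attrs, assigned):
        ents |= ROLE_POLICY.get(role, set())
    return ents


def sod_violations(entitlements):
    """Every separation-of-duties pair fully contained in the entitlement set."""
    return [rule for rule in SOD_RULES if rule <= entitlements]


def reconcile(attrs, actual, assigned=()):
    """Closed-loop step: compare approved access with the entitlements actually
    discovered on the target systems and return the corrective actions.
    Unapproved privileges are always revoked; grants are withheld when the
    approved set itself violates separation of duties, so the conflict is
    surfaced for review instead of being provisioned."""
    approved = approved_entitlements(attrs, assigned)
    blocked = sod_violations(approved)
    return {
        "grant":   set() if blocked else approved - actual,
        "revoke":  actual - approved,
        "blocked": blocked,
    }


if __name__ == "__main__":
    # Constructed sample users: a clerk missing access, a salesperson holding
    # a rogue admin privilege, an AP manager also assigned the clerk role,
    # and a terminated IT administrator.
    samples = [
        ({"status": "active", "department": "Accounts Payable", "manager": False, "tenure_days": 400},
         {("ad", "Domain Users")}, ()),
        ({"status": "active", "department": "Sales", "tenure_days": 30},
         {("ad", "Domain Users"), ("mail", "mailbox"), ("ad", "Domain Admins")}, ()),
        ({"status": "active", "department": "Accounts Payable", "manager": True}, set(), ("ap_clerk",)),
        ({"status": "terminated", "department": "IT", "tenure_days": 1000},
         {("ad", "Domain Users"), ("ad", "Domain Admins")}, ()),
    ]
    for attrs, actual, assigned in samples:
        print(attrs["department"], attrs["status"], reconcile(attrs, actual, assigned))
```

The two halves of the loop are deliberately asymmetric: revocation of access nobody approved never waits on anything, while new grants are held back the moment the approved set would put conflicting duties in one person’s hands.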

CA identity solutions

CA Technologies offers an IDM product called CA Identity Manager that they have tested with user populations of up to 100 million internal and external users, in a number of different scenarios (government agency, e-commerce company, retail establishment). It includes the usual features of automated provisioning and processes, self-service, and role and policy analysis and control. It’s designed to work with other CA solutions such as their Role and Compliance Manager, User Activity Reporting module and so forth. It also supports connectors for Active Directory, SAP and Salesforce.com, and uses its own directory, CA Directory, which interoperates with other LDAP servers.

CA Directory uses a memory-mapped store technology called DXgrid to improve scalability and performance, routing queries along the shortest path and searching across servers in parallel. It also adds a number of reliability features, such as write-through (rather than write-behind) updates, load sharing and failover.

CA also offers IdentityMinder as-a-Service, a hosted cloud-based deployment of its provisioning solution for on-premises and cloud-based applications. This is part of a whole suite of cloud services called CloudMinder that includes CA AuthMinder as-a-Service, RiskMinder as-a-Service and FedMinder as-a-Service. CA’s whitepaper on the subject discusses its strategy and vision regarding identity and access management for the cloud.

Identity management solutions comparison checklist

Selection of an identity management solution requires an intelligent comparison of features and functionality in the context of your organization’s needs, preferences and budget. Some considerations include:

  • Is the identity solution built on a workflow platform?
  • Is the identity solution built on a roles-based platform?
  • Is the identity solution built on a policy-based platform?
  • Is it scalable enough to meet your needs in the future as well as the present?
  • Can it easily integrate with and manage multiple directories?
  • Does it work across all the operating systems and applications deployed in your organization?
  • Does it provide for single sign-on and federated identity services across organizations?
  • Does it provide for user self-service password reset?
  • Does it support third party multi-factor authentication methods?
  • Is it easily customizable without coding skills?
  • Does it have a friendly, customizable user interface?
  • Does it include comprehensive auditing and reporting, including report customization as well as preconfigured reports?

Summary

Selecting an IDM solution requires careful analysis of the organization’s workflow patterns, security considerations, user roles, compliance requirements, and more. Not only should the current state be considered, but plans and goals for the future (such as a move to the cloud) must also be taken into account. A basic IDM architecture will rest on a foundation of scalability, reliability and high availability for key functions such as user account provisioning, authentication, authorization and access management.

In Part 4 of this series, we discussed IDM solution features and architecture, specific popular IDM solutions currently available, and a checklist for evaluating IDM solutions. In Part 5, we’ll discuss the future of identity management with a special focus on the effect of the cloud on IDM.
