Iam report
Ovum Butler Group
Identity and Access Management 2011/12
Incorporating Technology Evaluation and Comparison Report
Delivering essential business protection and compliance
Part of the Datamonitor Group
WWW.OVUM.COM
Enterprise IT Knowledge Centre

At the heart of the new service are more than 150 ICT analysts from the former Ovum and Butler teams. They provide deep insight into both vertical and horizontal business technology, delivered through best-in-class research and analysis. To their insights, we add the expertise of Datamonitor’s 350 business analysts. It is this combination that makes the new Ovum IT service especially valuable to clients: by integrating the three teams, we can offer unique insight into the opportunities and issues facing you and your customers, and dispense invaluable advice to help you create an effective technology strategy – a process that we describe as Collaborative Intelligence.

Our comprehensive research agenda spans the full IT investment lifecycle. Our analysis and advice help you to create the optimal technology investment portfolio for the organisation, select and implement the appropriate solutions and services, and manage those investments to realise the desired business benefits. Our coverage ranges from insight into industry-specific business processes and analysis of vendor markets, through to radical opinion on disruptive technologies and best-practice IT implementation guides. Here we present thought-leading research and strong examples of Collaborative Intelligence in action, and we look forward to working in partnership with enterprises globally.

For more information, please contact Mike James on +44 1482 608380 or mike.james@ovum.com

Research
Andy Kellett
Graham Titterington
Nishant Singh
Somak Roy

Acknowledgements
Maxine Holt
Tim Gower
Tim Jennings

Published by Ovum
Published January 2011
© Ovum
All rights reserved. This publication, or any part of it, may not be reproduced or adapted, by any method whatsoever, without prior written Ovum consent.
Artwork and layout by Karl Duke, Steve Duke, and Jennifer Swallow
Part of the Datamonitor Group

Important Notice

We have relied on data and information which we reasonably believe to be up-to-date and correct when preparing this Report, but because it comes from a variety of sources outside of our direct control, we cannot guarantee that all of it is entirely accurate or up-to-date. This Report is of a general nature and not intended to be specific, customised, or relevant to the requirements of any particular set of circumstances. The interpretations contained in the Report are non-unique and you are responsible for carrying out your own interpretation of the data and information upon which this Report was based. Accordingly, Ovum is not responsible for your use of this Report in any specific circumstances, or for your interpretation of this Report. The interpretation of the data and information in this Report is based on generalised assumptions and by its very nature is not intended to produce accurate or specific results. Accordingly, it is your responsibility to use your own relevant professional skill and judgement to interpret the data and information provided for your own purposes and take appropriate decisions based on such interpretations. Ultimate responsibility for all interpretations of the data, information and commentary in this Report and for decisions based on that data, information and commentary remains with you. Ovum shall not be liable for any such interpretations or decisions made by you.
Identity and Access Management 2011/12

Contents

Chapter 1: Management summary 9
1.1 Management summary 11
1.2 Report objectives and structure 17

Chapter 2: Business and technology issues in IAM 19
2.1 Summary 21
2.2 Identity and access management projects are large-scale investments 21
2.3 Business processes need to be overhauled 25
2.4 Cloud services add urgency to the need to federate identities between organizations 26
2.5 The vendor landscape has been rationalized 28
2.6 Recommendations 29

Chapter 3: Identity and access management and compliance 31
3.1 Summary 33
3.2 IAM delivers services that are relevant to business improvement, continuity, protection, and compliance 34
3.3 Regulatory compliance has a demanding impact on most organizations 35
3.4 Audit adds urgency to the need for a better IAM infrastructure 39
3.5 Continuity and the lifecycle approach to managing identity delivers business value 40
3.6 Everyone needs to be accountable 41
3.7 Achieving and proving compliance is a key business objective 43
3.8 Recommendations 44

Chapter 4: Identity services in the cloud 45
4.1 Summary 47
4.2 The need for an internet identity is now recognized 48
4.3 Several levels of identity assurance are needed 50
4.4 Legal and commercial issues are still of paramount importance 53
4.5 Technology is being developed for internet identity 55
4.6 Recommendations 58

CONTENTS – IDENTITY AND ACCESS MANAGEMENT 2011/12 3

Chapter 5: Federated identity 59
5.1 Summary 61
5.2 Organizations can benefit from using a federated approach to identity management 62
5.3 Drawing up clear rules of engagement is important 64
5.4 Making better use of standards is the way forward 67
5.5 Recommendations 72

Chapter 6: Technology comparison 73
6.1 Summary 75
6.2 IAM Features Matrix 76
6.3 IAM Decision Matrix 113
6.4 Vendor Analysis 116

Chapter 7: Technology Audits 131
CA – CA Identity and Access Management Suite 133
Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard 143
Evidian – Evidian IAM Suite (version 8) 153
Hitachi – Hitachi-ID Portfolio 163
IBM – IBM Tivoli Identity and Access Management Products 173
Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products 185
Novell – Novell Identity Manager 4 Advanced Edition 195
Oracle – Oracle Identity and Access Management Suite – Release 11g 205
RSA (The Security Division of EMC) – RSA Identity & Access Management 215

Chapter 8: Vendor profiles 225
ActivIdentity 227
Aladdin (SafeNet) 228
Avatier 229
Aveksa 230
Beta Systems 231
BMC 232
Courion 233
Cyber-Ark 234
Fox Technologies 236
Imprivata 237
Passlogix 238
Ping Identity 239
Pirean 240
Red Hat 241
SailPoint Technologies 242
SAP 243
Sentillion 245
Siemens 246
WSO2 247

Chapter 9: Glossary 249

Chapter 10: Appendix 259
CHAPTER 1: Management summary
1.1 Management summary

Catalyst

Identity and access management (IAM) has become an essential part of the IT infrastructure for medium- to large-scale organizations. Its benefits of productivity and policy enforcement have been understood for some time, but it was widely regarded as a technology that was too hard to deploy. There is now wider agreement on standards and a much better understanding of how to conduct a successful project. At the same time the business case is becoming more compelling as the scale of automated interoperation with entities outside the enterprise grows, including the growing use of cloud services.

Ovum view

Identity and access management must be approached as a business issue and designed around business processes. It is fundamentally about how the organization works with its people and with other organizations. IAM projects must be approached with a comprehensive and long-term vision, but it is best to implement them incrementally in phases, each with a clearly defined business benefit. The total investment will be large, but many parts of the process can be expected to pay for themselves in months. While extensions to the project can be expected to deliver lower rates of return than the low-hanging fruit addressed by the early stages, the overall project should still represent a good investment, as there is no requirement to implement the full vision in one project.

Key findings:

• IAM projects require upfront and continuous high-level business sponsorship.
• Address pain points first and deliver significant and quantifiable benefits to demonstrate the value of the approach.
• Federation of identities between collaborating organizations has been enabled by general acceptance of the main standards, including the WS-* family and Security Assertion Markup Language (SAML) assertions.
• Use of cloud services creates an important application for IAM.
• IAM is an essential tool in delivering compliance and protecting information.
• Business may soon be able to connect to Internet identity services that will be useful for authenticating people outside the organization.

The role of IAM

What is IAM?

IAM is the discipline of determining policies for who has access rights to information assets in an organization, the issuing of these rights, and the implementation of the consequent access controls. It is at the heart of information protection, and of compliance programs with all regulations that control access to information.

Historically IAM was limited in scope and delivered as a function of operating systems. It has emerged as both a business concern, and a broader field of technology, as business IT systems have developed from a collection of siloed systems into a complex network of interconnected systems, which are connected to systems in partner organizations and to customers, employees and other users across the Internet. The complexity of managing large numbers of users on multiple systems requires an automated and process-driven system to satisfy both the efficiency and security needs of the organization.
Cloud services require IAM

The adoption of cloud services by organizations places greater urgency on the need to deploy comprehensive IAM systems. When valuable information is placed in a cloud, the access controls to the system become the only protective layer for that information. It is therefore essential that the access controls to the cloud service are maintained in a state that is consistent with the corresponding access controls in the data center. The cloud service provider can and should be seen as a business partner.

IAM must recognize the diversity of users

Mobility, whether between workstations within a building such as a hospital or factory, or between working locations, requires IAM to provide an easy to use and consistent user experience. Automated processes, extending beyond the enterprise walls, require a pervasive access control mechanism that recognizes corporate entities and other processes as having equivalent access control needs to those of human users.

Business issues

The business case

IAM is a key issue for the business. Implementing a system represents a major investment and its deployment will require changes in business processes to capitalize on its benefits. However, successful projects provide a high return on investment and a payback period of less than two years is frequently achieved. IAM is a useful, if not absolutely essential, tool for satisfying the more demanding regulatory and compliance requirements. It provides the audit and reporting functions to determine, with a high level of confidence, who has done what with critical information.

The business benefits of IAM come in two main categories: productivity/ease of use, and security. In the efficiency category, we can list:

• Reduced cost of administration due to automated approval processes, synchronization of permissions, and user self-service functions, including password resets that typically account for 25% of IT help-desk workloads.
• Single sign-on (SSO) to raise end-user productivity by providing quicker access to systems, and reducing the burden on users of having to manage multiple sets of credentials. People who use several systems, or work from workstations in multiple locations, can save substantial amounts of time in a typical day.
• Improved experiences for external users, leading to more business, and better collaboration with business partners.

From a security perspective, good quality and effectively deployed IAM provides:

• Rapid and accurate provisioning and de-provisioning of users, minimizing unauthorized access to information and processes.
• The opportunity to adopt more secure forms of identification and authentication, including two-factor authentication, further enhancing access controls.
• Full audit and logging capability of user sessions on corporate systems.

IAM is a means of implementing business strategy insofar as it relates to information processing. The issues of who the business needs to work with, the level of automation that is required in these interactions, and the depth of trust between organizations, are represented in the IAM configuration and deployment. Internal issues also have a major impact on the architecture of IAM systems, such as employee mobility, integration of IT systems following mergers and acquisitions, and the way in which compliance obligations are met.
Running a successful IAM project

IAM projects are neither quick nor cheap. It is therefore essential that they have the wholehearted support of senior management and that this support is sustained throughout the project. Project managers can help to sustain this enthusiasm by adopting a phased approach to the project, with clearly defined business benefits flowing from each phase. This approach also minimizes both the technical and business risks, as design errors can be rectified before they become widespread.

External identity on the Internet

We are now entering an era in which individuals can call up “Internet identities” that carry a level of assurance that we do not have with the self-asserted identities that are almost universal on the Internet today. For the business, this will open up new ways of communicating with customers and others that do not have a strong existing relationship with the organization, at a lower cost than pre-registering them with the organization. While this prospect is still at an early stage of its evolution, standards work largely promoted by the US government provides a basis for identity services along with a potential business and liability model.

Organizational issues

Federation technologies have to align with business relationships

Identity federation technology allows organizations to work together, with individual users being identified and held responsible for their actions across all of the collaborating entities. It avoids the need for replicating user registration in each organization by regarding their employer as the authoritative source of information about them. It also ensures that any changes in their status are immediately applied across the whole eco-system.

The technologies available for identity federation reflect the business structures to which they are applied. Traditionally most deployments have followed a “hub and spoke” model in which the key organization federates to several of its partners, such as its suppliers or channel partners. This model also works well between a company and the subsidiaries it has acquired or created. More complex webs of collaborating organizations can be supported with “claims-based” networks, and managed services are appearing to simplify the deployment of federated networks.

Taming the super user

Computers, networks and applications have traditionally been managed through an account called “administrator” or “super user”. The requirement for 24 x 7 operation has led to several people having access to this account. Across a large organization, with thousands of servers and applications, there has been a proliferation of privileged and effectively anonymous accounts. This has created a nightmare for both security and compliance officers.

A comprehensive IAM suite will provide a means of securing and hiding all super user accounts and assigning administrator privileges to the individual users who are authorized to perform these roles. This ensures that they are monitored and held responsible for all the actions they perform in this mode and deals with segregation of duty issues.

The extended enterprise

In addition to integrating the management of partner organizations, IAM helps to define who works within an organization. Human resources departments are often only concerned with permanent employees, whereas IAM systems have to provide for all users. Even the payroll department has no record of contractors who are paid, directly or indirectly, through the purchase invoice system.
IAM systems can be integrated with physical access systems, enabling physical and logical access to be controlled through common credentials and providing an extra channel of authentication by correlating system access with physical location. When this approach is adopted, the IAM registration process has to be extended to include all people who are entitled to enter the premises, irrespective of whether they use IT systems.

Technology issues

The scope of IAM

IAM systems are technically complex, comprising the following functions:

• enrolment of users
• provisioning/de-provisioning of access rights to users, in accordance with corporate policies
• role management
• routine user administration, including functions such as issuing credentials and password reset
• access approval and revocation processes, and escalation of disputed issues
• identification and authentication of users, including flexibility to adapt authentication to match the appropriate level of business risk; an important part of this function is SSO functionality to a wide range of resources by a single act of logging in to a workstation
• control of access to all information and process resources according to policy
• reporting and auditing of actions relating to access permissions and access usage
• acceptance of corporate entities and automated processes as “pseudo-users”
• facilitating usage of corporate resources by business partners and customers, according to appropriate policies and controls.

IAM projects are based on IT and process integration

IAM projects are mainly integration projects. The largest parts of the work in an IAM deployment project are in configuring the system to reflect the business, and in integrating the components of the system with the infrastructure of the organization. A major factor in selecting an IAM suite is its fit with the existing technology in the organization. SSO requires the IAM system to be integrated with each platform and application that it is required to support. Vendors provide connectors to some common applications with their product, while other assets will require bespoke connectors using APIs. In many cases these can be bought from third parties.

The foundation of every IAM system is one or more corporate directories, and most support Active Directory and any Lightweight Directory Access Protocol (LDAP)-compatible directory. Organizations will want to automatically move existing user registration information from existing data stores, which may be either directories or files. The ability to re-use existing configuration data will significantly affect the duration and cost of the IAM project.

The task of integrating with external organizations, including cloud service providers, has been made easier since the industry moved towards a common set of supported technologies. In particular Microsoft’s acceptance of claims-based communications, including the use of SAML assertions, has removed a major stumbling block to federated working. Integration is a two-way activity and today the level of integration offered by cloud service providers is limited, but this situation will improve.

Administration and workflow

Identity administration tasks can be complex, particularly when authorization requires the participation of multiple asset owners. IAM tools should provide a workflow-based configurable process model. It is advantageous if this workflow engine is open and allows the integration of IAM processes with wider management processes, so that provisioning can be seamlessly and automatically incorporated into other management activities.
Market issues

The market for IAM products has undergone substantial consolidation. While many specialist vendors remain serving individual parts of the product spectrum, the number of comprehensive suites is limited. Most of the providers are the major IT vendors. They have continued to acquire specialist vendors to fill gaps in their product range, with the result that they now have almost completely covered the required range of functionality. They can still be differentiated in terms of how well individual components in their suite meet the needs of an organization, but the major area of differentiation is in their level of integration with the wider IT environment. As the implementation of IAM projects is largely a consultancy exercise, channel partners are also an important factor in selecting a vendor.

The emergence of identity provider services on the Internet will provide a new area of opportunity for businesses. However more work needs to be done to establish a business model for such providers. The value of services to the relying parties who will use the services is clear. The only conceivable revenue model is one in which the relying party pays the identity provider, most probably with a per-use payment. Providers could charge according to the level of assurance of each identity. One obstacle to the development of this market is that the main candidates for providing such services are organizations (such as banks) that do not see being an identity provider as one of their core business concerns. The other major obstacle is the need for a limited liability model that meets the needs of both sides.

Recommendations

Recommendations for enterprises

Every large, and large-medium, enterprise needs an IAM system to enhance its operational efficiency and to improve its security and compliance posture. Smaller organizations should review their particular circumstances.

IAM projects are about business process automation and need to be approached from a business perspective. IAM deployments need to be carefully planned, and deployed incrementally. Most of the major vendors provide a comprehensive coverage of the solution space, but some are easier to use and to integrate with existing infrastructure. An IAM project is mostly about integration with the IT infrastructure and with business processes. These are the areas that need most attention.

Recommendations for vendors

IAM is one of the most strategic areas of corporate IT. Success in the IAM sector will place a firm in a strong position to influence corporate-wide IT policy.

IAM is an essential companion to information protection, and both technologies have enhanced business value when they are deployed together. IAM is never an island, and integration and interoperability with the wider environment are primary product differentiators. Focus on ease of deployment and flexible use.

The Ovum IAM Decision Matrix

The Ovum IAM Decision Matrix explores the competitive dynamics within the IAM security market and is designed to help organizations make informed choices among the leading offerings. It presents a view of the market based on three factors: technology assessment, user sentiment, and market impact. It offers a snapshot view of the market as it stands today, and indicates those vendors that, in Ovum’s opinion, organizations should shortlist, consider, or explore. The results of Ovum’s in-depth research are summarized in the following table. Vendors are listed in alphabetical order within each category.
Ovum IAM Decision Matrix: Rating, Company/Solution, Ovum Opinion

Rating: Shortlist

CA – CA Identity and Access Management Suite
CA’s IAM portfolio is among the most comprehensive in the IAM space. The company’s current IAM positioning focuses on “content aware identity management”, which incorporates IAM, data loss prevention (DLP), and governance, risk, and compliance (GRC) integration.

IBM – IBM Tivoli Identity and Access Management Products
IBM is among the largest and most successful vendors in the IAM space. Its coverage includes enterprise and web SSO, user provisioning and role management, password management, access control, and federated identity management services.

Novell – Novell Identity Manager 4 Advanced Edition
Novell Identity Manager 4 provides a comprehensive suite of IAM products. Novell delivers an enterprise-class IAM product set that has the scalability and high availability required to deal with large, complex, and diverse operating environments. However the company’s market impact is significantly lower than that of its main competitors.

Oracle – Oracle Identity and Access Management Suite (release 11g)
Following its acquisition of Sun, Oracle has become even more of a market leader in the IAM space. It has a strong presence across all traditional IAM markets including financial services, healthcare, and the public sector and its geographic reach is also extensive. Oracle provides a very comprehensive set of IAM capabilities with a good focus on enabling customer usage across all available platforms.

Rating: Consider

Evidian – Evidian IAM Suite (version 8)
Evidian delivers a near-full suite of IAM products. However, the company’s influence remains largely restricted to European markets. It provides a good range of enterprise and Web SSO, user provisioning, and access control services, and strong support for standards and authorities.

Hitachi – Hitachi-ID Portfolio
Hitachi is not a strong contender in web access management or the web and enterprise SSO markets. It does, however, provide good quality user provisioning, access control, and password management services, and is respected for its privileged user management capabilities.

Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products
Microsoft’s impact on the IAM market continues to grow. It is well respected across enterprise and web SSO, user provisioning, password management, access control, and federated identity management dimensions. It is seen as a low cost provider of IAM technology and a supplier that small and medium enterprises (SMEs) are likely to turn to as their first IAM provider.
Rating: Explore

Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard
Although SSO and provisioning services are provided by third-party partners, Entrust remains a strong contender in the authentication and fraud management space. It also exhibits good password management capabilities.

RSA – RSA Identity & Access Management
RSA is the authentication market leader and partners with Courion for provisioning and role management. Across security areas adjacent to IAM such as security information and event monitoring, DLP, and GRC, RSA is strong and active. However, the growth in its overall IAM capabilities has failed to keep pace.

1.2 Report objectives and structure

Report Guide

The report is aimed at chief information officers (CIOs), chief security officers (CSOs), IT managers, business strategy managers, business analysts, system architects, development managers, and other senior decision-makers in both IT and the business.

Chapter 2: Business and technology issues in IAM

This chapter summarizes the content of this report and provides a deeper insight into the need for identity and access management (IAM). It focuses on the delivery of IAM projects, their scalability and complexity issues, and the corporate investment required. It addresses the requirement to improve business processes, the need to support the use of cloud-based services and the growing requirement to be able to federate identities between organizations. It also considers the changing vendor landscape, which continues to be rationalized.

Chapter 3: Identity and access management and compliance

The deployment of IAM is a vital component of any enterprise security strategy. It provides the foundations for controlling who has access to operational information systems, and as such aligns technology-based controls with business and operational rules and access policies. Improving the organization’s security position helps towards achieving regulatory compliance. Domestic, industry-related, and international regulations all have an impact on the actions that companies must now take in order to be compliant. IAM solutions should not be purchased just to help tick compliance boxes. However, the value of the technology to businesses brings together important efficiency improvements such as providing streamlined access to systems, delivering efficient user provisioning and role management services, and providing the ability to accurately control and report on user access rights.

Chapter 4: Identity services in the cloud

Today identity continues to reside mainly in individual websites with little or no interaction between them. Users have to identify and authenticate themselves to each site or service in order to gain access. Also, once users have given personal information to a site, they have no control over how the information will be used. Site operators have very little confidence in the accuracy of the information they are given. An identity infrastructure that works across sites must be based on policy and semantic interoperability. We also require standards that go beyond syntactic and semantic levels and embrace business process issues such as assurance, privacy, and liability. They must be both privacy-enhancing and cost-effective for both users and website operators. An interoperable identity infrastructure that would be recognized at multiple websites would provide a major advance towards a truly connected world.

Chapter 5: Federated identity

The use of technology allows businesses to run lean and efficient supply systems. To support the approach, organizations rely on all required components being available at the optimum time. Having full visibility of stock levels, product delivery dates, and new pricing tariffs, even when that information is the property of a partner organization, adds real value to decision-making processes. Federated identity management technology can be used to create local, as well as global, interoperability between online businesses and trading partners using agreed identity management approaches. Utilizing an SSO approach allows users to move between business systems of their own organization and beyond corporate boundaries to access third-party systems.

Chapter 6: Technology comparison

The technology comparison chapter presents Ovum’s view of the leading IAM vendors and their technology solutions. It includes feature comparisons of the technology along with decision matrix information on the vendors and market analysis information. The features matrix presents a side-by-side view of vendor technology capabilities in their existing product ranges. The decision matrix groups vendors into one of three categories (‘shortlist’, ‘consider’, or ‘explore’), and backs this up with a detailed view of each vendor in terms of technology assessment, market impact, and end-user sentiment.

Chapter 7: Technology Audits

The Technology Audits chapter contains in-depth evaluations of the latest product releases from nine of the IAM sector’s leading providers.

Chapter 8: Vendor profiles

The vendor profile chapter contains profiles of IAM vendors whose products Ovum considers to be important to the delivery of the core components of an IAM strategy. In many cases these are vendors with best-of-breed products that cover one or more core areas of IAM or provide complementary services that integrate with IAM.

Chapter 9: Glossary

This chapter contains a glossary of technology terms that are used in the report.

Chapter 10: Appendix

This chapter contains information about additional reading and the methodology used for this report.
CHAPTER 2: Business and technology issues in IAM
2.1 Summary

Catalyst

The extended enterprise needs a comprehensive identity layer. Identity and access management (IAM) is an essential tool for compliance and a key component of information protection in open collaborative working. More than this, however, it is a productivity tool enabling tighter working practices, collaboration, and automation of some error-prone, laborious processes.

Ovum view

IAM is a business issue, and projects must be driven by business priorities. However, many other factors need to be taken into account, and a lot can be learned from organizations that have completed successful projects. Future proofing must be built into deployed systems. IAM is an idea whose time has come, as it can be considered a strategic component of adopting cloud services.

Key messages

- IAM projects are large-scale investments.
- Business processes need to be overhauled.
- Cloud services add urgency to the need to federate identities between organizations.
- The vendor landscape has been rationalized.

2.2 Identity and access management projects are large-scale investments

Business strategy must drive technological decisions

Identity and access management is a business process. The requirements for handling identities and the use that is made of these identities are determined by how the business wishes to operate. IAM is a fundamental pillar of security strategy, while the security and regulatory requirements that the business has to satisfy are also determined by business, rather than technological, considerations. It is the job of technologists to meet these business needs. Business leaders must specify their requirements.

IAM systems link organizations, and inter-organizational relations must be driven by business managers. The level of buy-in from these associated organizations will depend on the configuration of the chosen system. The configuration can range from a close two-way federation of their respective IAM systems to a more basic arrangement that allows employees of the partner organization to use the primary party’s resources as external users. However, any level of inter-operation requires a business understanding of the status and assurance level of the other party’s identity credentials and a commitment from both parties to keep their identity bases up to date. Both of these require business-level convergence.
IAM systems change the way in which users interact with IT systems. Provided that the system is well-designed, these changes should have a positive impact on the user experience. Security will certainly be enhanced. However, access will be restricted in some cases and this may block some established working practices, particularly where roles are not well documented or understood. The business must be prepared for these inconveniences and have a method for rapidly resolving issues as they arise.

IAM projects are large and costly. Without substantial business buy-in at the highest level they will not be completed. They have to be integrated into business processes, which will inevitably disrupt the business process to some extent. The process owner must be an enthusiastic supporter of the IAM project to ensure the necessary commitment through this stage. A rough estimating rule is that buying professional advice and assistance is likely to cost five times as much as the technology.

The “identities” in IAM systems mostly relate to people. (Some systems may also manage systems, processes, and corporate entities.) They contain personal information that is subject to privacy legislation, and organizations that do not have IAM practices that meet all legal requirements risk substantial penalties. Therefore, a technical failing within the IAM system can have substantial business-level repercussions. This risk increases when an IAM system integrates silos of information that previously only existed within small systems in departments.

One way to reduce risk and maintain business commitment to the project is to roll out IAM incrementally, delivering real business benefit at each stage and starting with “low-hanging fruit.” Fortunately, IAM is well suited to incremental rollout by dicing up according to organizational units, systems and applications, and user groups. The majority of the cost of a project goes into the configuration, data acquisition, and process definition aspects, rather than into technology acquisition. This makes an incremental rollout viable.

Ultimately, the business and political issues are significantly more challenging than the technology issues involved in IAM projects. The project is about managing people, not user accounts.

The benefits of IAM

IAM delivers many business benefits, ranging from good governance through security, improved user experiences, and productivity enhancements to cost savings. While every IAM project is different, it is realistic to aim for a project whose benefits will pay for the project within 18 months. A comprehensive, enterprise-wide project will typically take longer to recover its costs as it embraces aspects with a lower return on investment, but organizations can configure a project to fit a required rate of financial return.

IAM systems can enhance user experience and productivity. Single sign-on (SSO) to multiple platforms and applications removes the need for users to remember different user IDs and passwords, which they often feel they have to write down. It avoids the irritation and wasted time of having to repeatedly re-authenticate to the system.

IAM systems automate the provisioning process for new users and users who take on new roles. The time required for the provisioning process is typically reduced by 90%, from days to hours. The new user is therefore able to become productive much more quickly. This is particularly significant for contractors and short-term hires, for whom the provisioning time can significantly add to employment costs. Identity federation allows the provisioning of a user in one environment to extend to collaborative environments immediately and automatically. Moving forward, IAM will be at the heart of open-enterprise computing.
The direct financial savings of IAM come from the automated provisioning and de-provisioning capabilities and reduced IT helpdesk workloads. Typically 25% of IT helpdesk workload is eliminated due to the much-reduced number of forgotten password calls. Many IAM tools provide self-service password reset capability, which can further reduce the password-related workload. Process improvements in the areas of access request consideration and approval and periodic reviews of access permissions deliver further savings.

IAM is an essential element of corporate compliance and security

Organizations should deal with compliance as part of their operational infrastructure. For example, the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) require organizations to restrict and monitor access to sensitive information. IAM provides auditable policies and a control framework that addresses many requirements of compliance. Many aspects of compliance require an organization to control who can perform certain functions, to reliably monitor who does what, and to raise the consistency of process performance. When used in conjunction with logging tools, IAM can provide a wealth of information about who did what and when. Logging tools need the strong and accurate access control tools provided by IAM to be certain that the reported user was the actual user.

Four aspects of the benefits of IAM are:

- Access rights can be more closely aligned to roles and responsibilities.
- Traditionally IT users with administrator-level privileges can do almost anything on the systems on which they enjoy these privileges. Furthermore, because of the need to keep systems operating 24×7, several people are often given administrator rights to each system, sharing the same user credentials. This creates the perverse situation in which the most privileged users are not subject to personal accountability for their actions. The better IAM systems can block all anonymous systems access, restrict all administrator-level access to sensitive data, and provide separation-of-duty controls.
- The ability of IAM systems to automatically remove access rights from leavers and employees who move on to different roles blocks one major category of inappropriate access to systems. This de-provisioning function is one of the most important security functions of an IAM system.
- IAM systems can give much faster and easier login to systems, removing the very real temptation for users to share sessions on machines in common access areas, and hence provide a level of personal accountability for user actions. The value of this feature is seen in hospitals with access to patient records and in financial dealing rooms.

These benefits also help raise the security of corporate systems. Additionally, IAM can enhance security by bringing in stronger authentication systems than were previously available. Traditionally authentication is built into platforms, systems, and applications and offers little scope for changing the default mechanism. IAM systems can allow the flexibility to adopt different forms of authentication, use two-factor authentication, and even vary the level of authentication according to the current characteristics of a session or the business being transacted.

These security enhancements are essential to satisfying e-governance requirements because the associated reporting is meaningless without personal responsibility. Data loss prevention (DLP) systems are similarly hamstrung without a reliable indicator of who is handling a piece of information. The combination of IAM and DLP is particularly powerful, and can be configured to implement data protection policies that are appropriate for specific countries, for example.
How to run a successful IAM project

The key to success in an IAM project is to focus on the business issues. Too often they are technology-driven and fail as a consequence. We have already discussed the importance of getting buy-in and commitment at the highest levels of the organization. The next prerequisite is to know your users and understand what they do and how they do it, remembering that actual practice may have diverged from theoretical processes over time. If the new IAM-related processes do not fit with business practices, the project will fail.

The aim should be to introduce the maximum amount of automation into the processes. This will win the support of key business movers as well as providing the necessary payback. When selecting products, ease of management should be a key consideration. The selected product should enable you to specify each change in access rights or processes once, and have it rolled out across the enterprise automatically and consistently. Pay particular attention to any pain points in the existing processes and ensure that they are mitigated in the new system.

The IAM system should be capable of seamlessly and effortlessly incorporating any changes in employee working practices, particularly relating to flexible working and homeworking. It is likely that within the lifetime of the IAM system the organization will have moved some way towards allowing employee-owned endpoints, and that virtual client technology will be widespread.

We have also mentioned the importance of cross-enterprise working in modern business. External users need to be deeply integrated into IAM in a form of federation. However, there are different federation architectures and it is important to choose the right one, considering future changes that may occur in the way the business operates. The main choice is between a “hub-and-spoke” configuration in which the central player takes the main role in establishing bilateral relationships, and a many-to-many model in which a central federation service negotiates claims by people who require access to any organization in the network.

Above all, when you are ready to implement the IAM system, adopt an incremental rollout and review the success of each phase as you go, refining the details to resolve issues that arise. Incremental rollouts reduce the capital risk by partitioning the project budget, and allow proven economies to be recognized as justification for following phases of the project. They also help to win support for the project. In particular, SSO has to be configured to accommodate each application, platform, and service that it embraces. These targets can be implemented in batches. Incremental rollout and pilot projects can also be used to validate the processes that are being defined within the IAM system – for example, to remove bottlenecks in the approval process.

Use existing identity stores to avoid unnecessary reinvention of the wheel. 75% of enterprises will find that their Active Directory (AD) will give them the bulk of their required configuration file. However, all imported data should be reviewed for currency and accuracy to avoid perpetuating bad practices.

It is important not to overlook the need to educate users before they are brought into the scope of the IAM system. It should not be assumed that the new working methods will be self-evident. It is also a good idea to communicate with users during the implementation phase and afterwards as the system is extended and improved.

There are complex issues involved in extending the IAM system to customers and others who are not employed by either the organization or its federated partners. In particular, there is the question of what information about each person needs to be held in the system. Within the workplace, a person’s identity is usually primarily about the roles they perform.
For external users, identity is about their relationship with the organization. For customers this could include their payment information, relationship history, and identity assurance requirements. Each situation brings its own requirements, and the system needs to be designed around them. External users should not be regarded as “pseudo-employees” because this approach will not deliver the required security level or meet business requirements. For example, there is no defined “leaving” process for external users that could trigger their de-provisioning. External users have particular needs for controls on the disclosure of their attributes that are held in the system, because this information tends to be personal.

2.3 Business processes need to be overhauled

Managing non-employees in the workforce

IAM systems provide a single central authority managing the identities of system users. This is in itself a culture shock for many organizations in which the management of contract and temporary staff is often handled at departmental or project level, with little reference to the HR department. The accounting department, with its responsibility for payroll, is often closer to being the global authority of current workers. However, in some cases staff may be paid locally or through the invoice process, rather than through the central payroll.

The IAM system often has to manage access for workers employed by subcontractors on site who are not covered by any direct payment system. In some organizations volunteers work on the company system. The group of people who are entitled to be in the building and use the IT system is often much wider than the current employees.
All of the issues surrounding access rights management are magnified many times when looking at user accounts with administrator privileges. Administrator accounts are, by default, all-powerful and anonymous. Each platform, system, and application may have an administrator to manage it and keep it in good health. As work needs to go on around the clock, several people need to have these powers to ensure that at least one will be available when needed. Business systems run across many servers and applications. This leads to a proliferation of administrator accounts. For example, Ovum knows of one organization that has 86,000 users and 100,000 administrator accounts. The anonymity of administrator accounts makes it impossible to assign personal responsibility for the actions of such users.

We look to IAM systems to “hide” the administrator accounts and only allow users to exercise them after they have logged into the system as a normal user and through the IAM system itself. The access rights to information held within the system can also be restricted through the IAM mechanisms. These opportunities should be exploited. Although using external IAM services is an option that many organizations have successfully exploited, particular sensitivities about outsourcing the management of administrator accounts need to be considered.

Leavers

Removal of user rights and de-provisioning of users who cease to work for the organization make up one of the most important functions of the IAM system from a security perspective. However, integrating this apparently straightforward task into business processes can be complex. Whereas the arrival of a new employee is a single-step process, their departure is long and drawn out, going through several stages. In the simplest case the departure process is triggered by the employee’s resignation. Their leaving date should then be known, but may not be cast in concrete at this stage. They may have more restrictive access rights at stages during their notice period. With redundancies or disciplinary procedures, the process becomes much longer and more complex. These processes all have to be captured within the IAM system, and each change in the status of the employee must be recognized in the system immediately.
When we consider volunteers, subcontractors, and other non-employees in the system, the process becomes even more confusing. What event signifies or triggers the user’s departure? How is this communicated to the IAM system? Do subcontractors retain any residual maintenance functions after they finish their period on site? One possible approach to this problem is to re-certify the access rights of all non-employees periodically, but this may place an unacceptable burden on managers.

Mergers and acquisitions

Mergers and acquisitions place a heavy burden on IT administration. The consolidated business will be working towards a single comprehensive IT infrastructure to achieve economies of scale and rationalization. However, this is only achievable at a reasonable cost if it is a long-term objective. In the meantime, there is a need for a convergence strategy that will enable interoperability and start to realize cost savings. A unified IAM system should be at the heart of the convergence strategy.

The easiest way to embrace diverse infrastructures immediately is to federate the parts using an identity federation tool. This avoids the need to enroll a user in both parts of the organization, and can provide the basis for SSO across the enlarged enterprise. This is a relatively simple scenario for deploying identity federation as there are no issues surrounding inconsistent standards of identity assurance to resolve. In this scenario, the deployment team can focus on the technical issues. Moving forward, the business will want to increase the level of convergence towards total unification. The IAM system should allow the move to be made incrementally, with federation technology ensuring that users retain their necessary access permissions on both sides of the merged organization.
2.4 Cloud services add urgency to the need to federate identities between organizations

Use of cloud services requires corporate identity to be externalized

Many organizations are using or planning to use cloud services. The issues surrounding access control are particularly important for cloud services. Public cloud services are accessible to anyone on the Internet, with only the access control mechanism between the corporate intellectual property and the outside world. Services implemented in a so-called “private cloud” on the corporate Intranet are also relatively open to unauthorized access.

Access control to cloud services has two main requirements:

- User authentication has to be strengthened to reflect the ease of access to the service portal and the value of the information and processes behind that portal.
- The directory of authorized users of the service has to be kept up to date. It needs to be automatically synchronized with the internal corporate IAM directory to be both secure and efficient.

Access control based on user IDs and passwords held within the cloud service does not meet either of these requirements. The best option is to configure the cloud service to accept assertions from the corporate IAM system as the only means of gaining access to the service. The user experience would require the user to log in to the corporate system and then enjoy an SSO transfer to the cloud service when required during their session. The strength of authentication is determined within the internal IAM environment. A possible compromise is to configure the service to use an assertion from the corporate system as a second authentication factor. This can deliver most of the security benefits of full integration, but it does not give the user seamless access to the cloud service or perform automatic provisioning and de-provisioning.
While this discussion represents current best practice, regulators and legislators lag behind technology. Organizations may find their options restricted by regulatory impositions. For example, financial services regulators generally dislike passwords being shared between services. It remains to be seen how they will react to a claims-based access regime, which effectively means using the same password as the user’s system login.

Federation delivering benefits

The early history of identity federation saw most deployments in configurations in which a central organization wants to improve collaboration with several of its business partners. Typically a large corporation would want to tighten its relationship with its suppliers or channel partners. The two major civil airline manufacturers, Boeing and Airbus, both made extensive and successful use of identity federation technologies, along with major automotive manufacturers.

The other area for which federation has delivered substantial benefits is bringing together the parts of an enterprise following a merger or acquisition. Federation is starting to move out into more diverse deployments, including ones in which there is a more flexible community of organizations than the rigid “hub-and-spoke” configuration in the early deployments. Some of these deployments are enjoying a simplified design by adopting the managed federation services available in the cloud.

Even when federation services are used, the user identities are retained in-house. The common characteristic of all federated identity deployments is that each user identity remains with the user’s employer, and the employer asserts their access rights to the other partners when required.
This ensures that other partners do not incur a user management overhead by participating in identity federation, as well as protecting the privacy of the individual.

Technology issues

IAM usually focuses on controlling access to systems and information by human users. However, in the collaborative and automated business environment that is emerging, the concept of identity needs to be broadened to include corporate entities, computers, processes, services, and applications. Integrated cross-organization automated processes need to control access by all of these. These can collectively be described as “objects”, taking the terminology from the object-oriented programming world. Thus, IAM systems need to be able to manage identities for any such object, and these objects need to have the means of identifying and authenticating themselves.

The leading IAM suites available today are fundamentally architected to deal with objects of all types, but some of the user interface components need to be tailored to fit these broader concepts.

The claims-based approach to inter-organizational access control is a sound basis for moving forward. Unlike some earlier protocols, it is scalable and flexible. Claims are simple statements that can be composed into more complex requirement statements using the basic operators in Boolean logic such as “and” and “or.” Using these avoids the significant administrative burden of maintaining access control lists.

Many organizations find role management a particularly difficult task. Roles define sets of entitlements and are an efficient method for grouping employees who perform similar duties. Most IAM suites allow individuals to perform a set of roles. However, many employees perform tasks that are not identical to those of any other person in the organization, particularly those in management or knowledge-worker fields. In these cases, roles become cumbersome and confusing. IAM products should allow administrators to combine role-based access permissions with additional individually allocated permissions, and should not force everyone into the role model.
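As an added illustration of the claims-based composition and of combining role-based with individually allocated permissions described above, together with the separation-of-duty and leaver de-provisioning points earlier in this chapter, the following Python model is not Ovum's or any vendor's code. The claim types, roles, entitlements, users and the notice-period rule are all assumptions constructed for the example.

```python
"""Claims-based access decisions with role and individual entitlements.

Added illustration only: not Ovum's code or any IAM product's logic. Every
claim type, role, entitlement, user and status rule below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Subject:
    user_id: str
    # Claims are simple (type, value) statements about the user, asserted by
    # the user's home organization (the identity provider in a federation).
    claims: frozenset
    # Lifecycle status kept by the employer: "active", "notice" (serving a
    # notice period with reduced rights) or "left" (de-provisioned).
    status: str = "active"


# Policy expressions are small trees of claims joined by Boolean operators,
# so a partner-facing resource needs no ACL naming every partner user:
#   ("claim", type, value) | ("and", e1, e2, ...) | ("or", e1, e2, ...) | ("not", e)
def evaluate(expr, claims):
    op = expr[0]
    if op == "claim":
        return (expr[1], expr[2]) in claims
    if op == "and":
        return all(evaluate(e, claims) for e in expr[1:])
    if op == "or":
        return any(evaluate(e, claims) for e in expr[1:])
    if op == "not":
        return not evaluate(expr[1], claims)
    raise ValueError(f"unknown operator {op!r}")


# Roles bundle entitlements for people who do similar jobs (constructed data).
ROLE_ENTITLEMENTS = {
    "ap-clerk": {"invoice:create", "invoice:read"},
    "ap-manager": {"invoice:read", "invoice:approve"},
    "hr-admin": {"employee:read", "employee:update"},
}

# Toxic combinations that no single person may hold (separation of duty).
SEPARATION_OF_DUTY = [frozenset({"invoice:create", "invoice:approve"})]


def effective_entitlements(subject, individual_grants):
    """Union of role entitlements and individual grants, filtered by status."""
    if subject.status == "left":
        return set()  # leaver: de-provisioned immediately, whatever the roles say
    ents = set()
    for ctype, cvalue in subject.claims:
        if ctype == "role":
            ents |= ROLE_ENTITLEMENTS.get(cvalue, set())
    # Individually allocated permissions for work that no role describes.
    ents |= individual_grants.get(subject.user_id, set())
    if subject.status == "notice":
        # Assumed notice-period policy: read-only until the leaving date.
        ents = {e for e in ents if e.endswith(":read")}
    return ents


def sod_violations(entitlements):
    """Return the toxic combinations fully contained in an entitlement set."""
    return [combo for combo in SEPARATION_OF_DUTY if combo <= entitlements]


def authorize(subject, entitlement, individual_grants):
    """Decide one access request; returns (allowed, reason) for the audit log."""
    ents = effective_entitlements(subject, individual_grants)
    if entitlement not in ents:
        return False, f"{subject.user_id} lacks {entitlement}"
    if sod_violations(ents):
        return False, f"{subject.user_id} holds a separation-of-duty conflict"
    return True, f"{subject.user_id} granted {entitlement}"


# Constructed sample data.
INDIVIDUAL_GRANTS = {"bob": {"report:export"}}

# A partner-facing catalogue: any buyer or planner asserted by the supplier.
PARTNER_CATALOGUE = ("and", ("claim", "org", "acme-supplier"),
                     ("or", ("claim", "role", "buyer"), ("claim", "role", "planner")))

BOB = Subject("bob", frozenset({("org", "example-corp"), ("role", "ap-manager")}))
ALICE = Subject("alice", frozenset({("org", "example-corp"),
                                    ("role", "ap-clerk"), ("role", "ap-manager")}))
CAROL = Subject("carol", frozenset({("org", "acme-supplier"), ("role", "planner")}))

if __name__ == "__main__":
    print(authorize(BOB, "invoice:approve", INDIVIDUAL_GRANTS))
    print(authorize(ALICE, "invoice:approve", INDIVIDUAL_GRANTS))  # SoD conflict
    print(evaluate(PARTNER_CATALOGUE, CAROL.claims))
```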
There is a divergence of opinion about whether IAM systems should manage both access to IT systems and physical access to facilities, or whether they should be limited to information system access. Cost and complexity are increased if physical access is included. However, the combined approach allows:

- the leveraging of identity credentials such as smartcards
- the use of a single identity directory, giving some economy
- security to be enhanced using a joined-up view – for example, physical presence can become an implicit authentication factor.

However, a unified approach means that you will have to register everyone who works on site, even if they never use the IT systems – including cleaners and security guards.

2.5 The vendor landscape has been rationalized

The vendor landscape has consolidated around big IT suppliers

The vendors of the main IAM suites have been acquired by the big IT infrastructure vendors. In some cases, such as with CA, IBM, and Oracle, the vendor has made a number of small and large acquisitions over time to arrive at its current position. In contrast, some vendors such as Microsoft and Novell have largely built up their IAM offerings by internal product development. The current dominance of the market by the big players is a consequence of the central role that IAM plays in IT management and delivering IT compliance. Organizations want to buy fundamental capabilities from a strong vendor with which they already have a substantial relationship and whose IAM systems will fit in well with their IT environments. The vendor landscape reflects the fact that IAM projects are “big-ticket”, long-term, and strategic.

The trend towards big vendors has also been driven by the commercial aspects of this market. Until recently IAM vendors found it difficult to make a profit in a relatively slow market. However, the consultancy work that went with an IAM project was more lucrative. This encouraged vendors with large consulting practices to be active in IAM.

A large group of vendors specialize in particular aspects of the technology, such as identification or authentication, clustered around the IAM suite providers. These include smartcard providers, biometric product vendors, and suppliers of a range of innovative authentication approaches. These products can interact with IAM suites using standard protocols such as the biometric application programming interface (BioAPI) protocols, supplemented with various amounts of bespoke integration work.

Sun’s demise has provided the latest crumbs

The club of IAM suite providers is now quite small and fairly stable. However, there have been two notable exits in recent years. In 2008, HP sold its IAM practice to Novell, which was already a major player in the space. In 2010, Oracle completed its acquisition of Sun Microsystems, including the latter’s IAM products. As both vendors had comprehensive suites, there is a lot of rationalization ahead, with most cuts falling in the former Sun portfolio. Oracle has provided an open path, allowing organizations that currently use Sun’s suite to migrate to its products, in addition to incorporating a few Sun products into its range. However, Oracle faces competition from Courion, which has also laid out a migration route for Sun users and is a strategic provisioning partner of RSA.

As IAM is becoming increasingly strategic, both infrastructure vendors and security vendors that do not have an IAM offering are looking less credible in their fields. Most aspects of information protection require an awareness of who is accessing the information.
The focus of security is to move from network security to information protection, throwing the spotlight on gaps in the vendor’s portfolio. At the same time the limited number of players limits the scope for partnerships, which in most cases would be with a competitor. The number of potential acquisition targets is now small.

Currently, we can only speculate on how vendors such as HP, Symantec, Cisco, and Intel/McAfee will respond to the new market perspective.

2.6 Recommendations

Recommendations for enterprises

IAM is a strategic project that needs a strong, long-term business strategy behind it. If the project is executed well it will deliver a high rate of return, both financially and in terms of improved governance. It must be driven by business considerations and supported by buy-in at the highest levels in the organization, not least because it will require changes in business processes. Implementation is best approached in an incremental fashion.

IAM is as much about working with partners and outsiders in the extended enterprise as it is about the internal IT systems. Systems must be designed to accommodate any foreseeable expansions and extensions in the working realm.

Cloud services are about to boost the importance of IAM in the enterprise. The cloud service provider can be regarded as an important business partner that needs to be brought into the federated identity net.

Recommendations for vendors

IAM is also strategic for vendors. It is a sticky technology that can reduce customer churn by locking customers in to building processes around your technology. IAM is now more than just an opportunity to drive consulting engagements, and has become a cornerstone around which to build systems management, compliance, and security offerings.
CHAPTER 3: Identity and access management and compliance
3.1 Summary

Catalyst

The use that is made of identity and access management (IAM) technology within the public and private sector is growing in line with the threat environment. Most organizations understand the need to maintain control over who is allowed to access their information assets. They recognize the negative impact that not having the proper identity management controls in place can have on the organization and its reputation. They also appreciate that industry regulators have the power to extract fines and impose sanctions when organizations fail to fulfill their compliance obligations.

Ovum view

The deployment of IAM technology should be seen as a vital component of an enterprise security strategy. The use of IAM is foundational to controlling who has access to operational information systems. Knowing which users are allowed to have access to which information systems and aligning control with the operational rules and access policies improves the organization’s security position and helps towards achieving regulatory compliance.

Domestic, industry-related, and international regulations all have an impact on the actions that companies must now take in order to be compliant. IAM solutions should not be purchased just to help tick compliance boxes. The value of the technology to businesses ought to bring together important efficiency improvements such as providing streamlined access to all available systems, efficient user provisioning and role management services, and the ability to share systems access with authorized third parties. It should also address the need to protect the integrity of business-sensitive data; controlling as well as facilitating access for information users helps to reduce data theft and fraud.

The deployment of IAM never was and is not likely to become an easy fix for broken operational structures. The implementation of the products can be complex and difficult to achieve and maintain. There have been many examples of organizations that have struggled to gain business value from the technology, often because they have been unrealistic in their objectives, or have failed to gain project buy-in at the highest levels of management. However, when an organization gets its IAM deployment strategy right, operational improvement, continuity, and security benefits accrue and as a result compliance and audit advantages become more achievable.

Key messages

IAM delivers services that are relevant to business improvement, continuity, protection, and compliance.
Regulatory compliance has a demanding impact on most organizations.
Audit adds urgency to the need for a better IAM infrastructure.
Continuity and the lifecycle approach to managing identity delivers business value.
Everyone needs to be accountable.
Achieving and proving compliance is a key business objective.

CHAPTER 3: IDENTITY AND ACCESS MANAGEMENT AND COMPLIANCE 33
3.2 IAM delivers services that are relevant to business improvement, continuity, protection, and compliance

IAM provides vital business services

Organizations evolve and change as the demands of their operations grow or indeed contract. Competitive influences dictate that most businesses are constantly looking to improve their existing operations. Cost controls dictate that more must be achieved with fewer resources and always more efficiently. Automation, self-service, and a whole range of associated approaches are used to deliver improvements. Similar demands are placed on continuity requirements, such as the need to efficiently deliver corporate services while remaining fully protected and, importantly, achieving the above objectives without falling foul of compliance regulations.

A common theme that runs across many business requirements is the need to make use of IAM to understand and control who has the right to access our systems, what use they can make of that access and where they are allowed to gain access from. As such, it is no surprise to find that IT administrators struggle to keep pace with the need for change and at the same time maintain a balance between the organization’s desire to improve its operations and its need to remain secure.

IAM can be used to improve service delivery – but beware

Business improvement, efficiency savings, and the sometimes conflicting need for operational continuity are often addressed through an attempt to deliver an increased level of automation. This usually involves growth in the use of self-service and online facilities.
For IT administrators working with IAM systems, there will be a need to improve service efficiency and deliver automated user provisioning, authentication, and access control services that meet the self-service requirements of the business and its users.

Since the earliest Active Directory (AD) and associated Lightweight Directory Access Protocol (LDAP) management systems made their way onto the market, the value to business of controlling users has been widely recognized. That is not to say that technology associated with the management of identity that we conveniently bundle under the IAM label has always been particularly successful in achieving these objectives, but at least the opportunity has been there. For many organizations the struggle continues, and for those that have deployed fully-featured IAM solutions or selected components of IAM the resulting benefits have often been less than impressive.

Problems have occurred for a number of reasons. Some are directly attributable to the vendors and the solutions that they deploy being too complex and impractical. Others fall squarely at the feet of end-user organizations that have not fully understood the internal commitment that successful IAM projects require. Organizations have gone into identity management projects without a clear enough vision of the ultimate objectives, or have simply tried to do too much too soon. In such cases, IT has had to either go back to the basics of locally managing identity directories or start up second- or even third-generation IAM deployments.
Controlling identity and user access is vital

Making use of IAM technology to achieve business improvement and continuity benefits and, at the same time, remaining secure and compliant involves the deployment of good quality IAM services that are also easy to use. The objective is to identify and control authorized users and provide systems access whenever and from wherever access is demanded within the rules of the organization.

Controlling and maintaining ease-of-access to information systems is vital to achieving business success. At the same time, those elements of control that ensure that unwelcome visitors can be rejected and the compliance components used to scrutinize how access to business-sensitive systems and their data is controlled must also be maintained.

Business improvement and compliance objectives need to be addressed

A driving force behind the use of technologies such as IAM is the competitive nature and efficiency demands of business organizations. In many organizations, changes to business operations continue at a fast pace; updates and additions to user communities, operational work groups, and project teams can be just as dynamic and, as such, need to be managed as efficiently as possible.

Without the structure and management components that IAM provides, organizations will struggle to keep pace with the maintenance overheads needed to ensure that users and the data controlling their access rights are kept up to date. Integrated IAM is required to support business improvement and at the same time to ensure that compliance objectives are not ignored.

3.3 Regulatory compliance has a demanding impact on most organizations

Organizations need to deal with compliance as part of their operational infrastructure

Maintaining regulatory compliance and ensuring that the operations of an organization remain within the required parameters involves combining the use of good technology controls, ensuring that systems users are responsible for their actions, and putting controls in place that are both usable and effective.

Depending upon the industry and geographical location of the business, different regulations, rules, and interpretations of compliance mandates apply. The Sarbanes-Oxley (SOX) Act, while not forcing the use of specific security products, takes in the requirement to be able to maintain the validity of corporate information and control who has access to it.

Where there is commonality for rules and processes that can be applied to specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS) for the handling of financial data or the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector there is the opportunity to set up and make available common operational processes.

For example, PCI DSS dictates that where sensitive data are being processed or held, those data need to be encrypted; the rules and regulations also determine how long and under what circumstances those data can be held.
What organizations must do to ensure that they do not repeatedly fall foul of regulations that have already been addressed is to make sure that the information that they hold cannot be subverted during normal operational activities. Information relating to customers, citizens, finances and so on may be held legitimately. That said, if access to sensitive information is not continuously controlled then all the compliance efforts that have gone before count for nothing.

A fundamental requirement for the protection of sensitive data involves controlling who has access and influencing what users can do with data once access has been granted. Importantly, it must also involve having the knowledge and information required by the company’s auditors to be able to prove that the right user controls were applied.

In an ideal world the demands of the chief information security officer would be for reliable, accurate, auditable IAM controls that safeguard and manage all access to key business systems and the sensitive data that they hold. Realistically, however, we have to accept that restrictions will be placed on what can be achieved, because of the costs involved and IT budget restraints.

What ought to be considered is how IT can make better use of the IAM facilities that they already have in place, how the operational use of user authentication and access control facilities can be aligned to the acceptable risk profile for the organization and how IAM can be used to improve the security and compliance profile of the business.
Addressing the compliance challenges and drivers

Properly deployed IAM services deliver usability for an organization’s authorized users and invoke controls that help to maintain security and compliance. The requirements of the organization should include achieving full control over user access rights and, in doing so, providing the audit trail and management reporting facilities that prove that control is being maintained. This involves the use of stop-and-block controls, but ought to also include the use of warnings, alerts, and reports that are delivered to the appropriate authorities when suspect activities take place.

Starting operational compliance involves having the ability to record all identity-related events, which includes both accepted and rejected access attempts. It involves making effective use of technology to automate the controls that are needed to allow or deny access, to detect and report on wrongdoing, and to deliver corrective actions.

Some of the latest access control and systems management problems that organizations face involve external influences. These originate with both the business partner organizations and users that need to be controlled and the mixed operational environments that need to be supported. IAM has to be capable of working on behalf of mixed user groups across mixed physical, virtual, and cloud-based operations.

The requirement involves the ability to maintain control. Specifically, it is about managing the provisioned rights of users to ensure they are kept up to date and that all de-provisioning elements are also effectively addressed. For leavers and users whose role within the organization has changed, this is a particularly important issue. Included within this area is any separation of duties that needs to be applied. This specifically includes access controls that are focused on privileged users, with the intention of ensuring that all user entitlements are proportionate.
Addressing specific compliance issues with IAM

PCI DSS

PCI DSS does not force the use of specific protection products or services. It does, however, define industry best practices for how credit and debit card information should be handled while being stored or communicated during transaction processes.

PCI DSS data protection requirements that need to be maintained involve the strengthening of common security protocols; specifically, this includes reducing the opportunities for unauthorized users to access customer-sensitive information. It includes ensuring that external access channels are properly controlled and also has implications for what access internal users (employees, contractors, etc.) should be allowed to have.

Following various widely reported data-theft incidents, many caused by internal users, there are specific PCI DSS requirements that are intended to limit employee access to customer credit card and associated financial information. Such access controls need to be measured and maintainable and supported by reporting services that satisfy the needs of IT and the company’s auditors.

PCI DSS dictates that user access to financial data (credit and debit card data) should be limited to users who clearly need to see and work with this information. It specifically requires organizations that handle card data to implement strong access control measures. The standard states that access by business users must be on a need-to-know basis. Authorized users must be assigned a unique identity so that their access requests can be recorded and analyzed, and to ensure that physical access to cardholder data is controlled.

HIPAA

HIPAA compliance, with its specific focus on the healthcare sector, and that industry’s increasing dependence on constantly updatable patient information, present a number of interesting identity challenges that can be addressed through the use of IAM.
The focus is on the need for improved security and privacy and further demands for efficiency and quality of service. The regulations and standards that are applied alongside HIPAA are wide-ranging.

IAM can be used to provide administration and access controls that protect sensitive medical records. The requirement is for products that are capable of controlling access to electronic records in complex enterprise environments. Healthcare systems share patient and associated healthcare data at local and national levels. The underlying requirement involves controlling how information is collected, stored, and transported. Once this is achieved, however, the key objective switches to how healthcare institutions are able to keep operational data available and accessible and safe from unauthorized use, which is where IAM has an important role to play.

HIPAA data protection requirements are supported by IAM’s ability to control which users have access to particular systems, applications, and data. By controlling and reporting on the management of users, their identities, and their access rights in line with the policies and operational rules of healthcare operations, the deliverable components of compliance can be achieved. Also the automated nature of IAM can be used to reduce the cost of healthcare compliance.
IAM takes responsibility for controlling user access; it also addresses privacy, security, and audit requirements. These are critical HIPAA issues, particularly when organizations are operating across distributed and networked environments. Allied to this is the need to change, update, or remove access rights when employees change jobs or move on. This is a specific business risk that IAM can be used to address. The management of user credentials falls into the same category of importance to ensure that usernames, passwords, and other strong access credentials are maintained. Other areas that IAM covers and are relevant to HIPAA compliance requirements include the enforced segregation of duties wherever this is appropriate, and directly linking the provisioning elements of user access to the role of each user within the organization.

SOX

The SOX act specifies that a company’s financial reports must be both verifiable and auditable. To achieve these objectives, organizations and their IT management must be able to prove that the company’s critical software applications are only available to approved personnel, and that access cannot be exposed to failure by human error or sabotage.

While SOX is not specific about which IT security systems should be deployed, it does require organizations to implement strong access control facilities in order to fulfill user management objectives. IAM provides the required elements of identity management and access control. Therefore, when its use is supported by compliance-based best-practice templates, facilities can be tailored to address the needs of SOX. Examples of this include the provisioning of access rights to each business-critical system or information resource that is fully aligned with the individual’s exact needs as specifically defined by their job description or role within the organization. Audit and reporting capabilities can also be used to prove that only authorized users could have gained access to sensitive information. This level of control can be extended to necessary business process constraints and can be applied by provisioning and role management systems to include separation of duty controls and regular assessments of current access rights and privileges.

Compliance demands are driven by common themes

Among a number of common control themes that run across the regulatory compliance relationship between regulators and the organizations that are required to comply with their rules is the ability to prove who your users are and control what they are allowed to do. If you drill down into the regulator’s expectations of how identity ought to be used to control user access, there are elements that are standard to the general usage of IAM in most business operations. Where the additional requirements occur is around the issue of the information that is required to ensure that only the right users can access specific systems and their data. Even after adding the burden of proving that users are who they say they are and that their access rights are balanced and appropriate, and supporting the required controls with audit-level evidence, the use of IAM for compliance is not overly burdensome. These requirements make IAM into a frontline component of compliance. Its wide-ranging use across different industry verticals also makes it available to support the controls required by many different industry regulations.
3.4 Audit adds urgency to the need for a better IAM infrastructure

Audit helps organizations to prove compliance

Government and industry regulations, such as those mentioned in the previous chapter, demand that organizations exercise proper control over customer and financial data and business-sensitive systems. The requirement is to be able to prove compliance. How are organizations expected to achieve this in a way that is wholly acceptable to each regulatory body? One suitable method is being given a clean bill of health by an independent external IT audit report.

Most successful enterprise organizations are both dynamic and busy. To maintain their required levels of efficiency they need to have facilities in place that automatically provision, maintain, and manage user identity resources. An important part of the complete resource management role involves the ability to record and report on all identity-related activities, including those that involve changes to user, role, and segregation of duty permissions.

Continuous compliance assists with audit processes

Continuous compliance is an objective that most organizations would love to achieve, but many struggle to get there. The vast majority of enterprise IAM products claim to provide a range of authentication, provisioning, role management, web and enterprise single sign-on (SSO), and password management facilities that address compliance issues. They also claim to be able to detect and remediate against anomalies found on an ongoing basis, and maintain all management information for future use.

It is worth emphasizing that this particular level of good practice, if it becomes a reality, is viewed favorably by auditors. In real terms it helps to position the organization as being efficient and strong in the delivery of security and management controls.
From a purely practical perspective, it can also help minimize the time that the auditors will then take to test and validate the organization’s security controls.

Good IAM practice provides business benefits

There are many different examples that show how IAM is being used to achieve compliance and how, through the use of automation, such activities also find favor with an organization’s auditors. One good indicator that is often put forward is that of how effectively employees that leave an organization or change their role are dealt with.

The requirement for disowned accounts is spread across three levels. First of all, organizations need to know about and be able to identify all user accounts that are no longer valid; then they need to have the ability to take the required corrective actions. This may involve suspension, change management, or the removal of access rights.

The final element in the process involves recording and reporting on the actions taken. The type of audit controls envisaged can also be extended to ensure that account managers carry out periodic review processes to certify that active users in their domain have the right access entitlements and, importantly, that they retain the need to keep those entitlements.
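The three levels of disowned-account handling described above (identify, correct, record and report) together with the periodic certification of live entitlements can be expressed as a small reconciliation routine. The following is an added illustration, not code from the Ovum report or from any vendor's product. It assumes that the HR roster, the account store and the per-role entitlement baseline are in-memory Python structures; the employee ids, account names and entitlement strings are constructed for the example. A real deployment would read the roster from HR, the accounts from the directory, and write the audit events to a protected log.

```python
"""Leaver and orphaned-account handling with a periodic access certification.

Constructed example (not from the Ovum report or any IAM product). The HR
roster, account store and role baseline below are made-up in-memory data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR roster: employee id -> status, job role, line manager.
HR_ROSTER: Dict[str, dict] = {
    "e-001": {"status": "active", "role": "ap-clerk", "manager": "e-002"},
    "e-002": {"status": "active", "role": "finance-manager", "manager": "e-009"},
    "e-003": {"status": "left", "role": "ap-clerk", "manager": "e-002"},
}

# Constructed baseline: the entitlements each role is expected to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap-clerk": {"erp:ap-entry"},
    "finance-manager": {"erp:ap-approve", "erp:reports"},
}


@dataclass
class Account:
    account_id: str
    owner: Optional[str]          # HR employee id; None means nobody owns it
    entitlements: Set[str] = field(default_factory=set)
    status: str = "active"


@dataclass
class AuditEvent:
    when: str                     # ISO date of the corrective action
    account_id: str
    action: str
    reason: str
    removed_entitlements: List[str]


def sample_accounts() -> List[Account]:
    """Constructed account store: one orphan, one leaver, one over-entitled user."""
    return [
        Account("asmith", "e-001", {"erp:ap-entry", "erp:ap-approve"}),
        Account("bjones", "e-002", {"erp:ap-approve", "erp:reports"}),
        Account("jdoe", "e-003", {"erp:ap-entry"}),
        Account("svc-backup", None, {"erp:reports"}),
    ]


def find_disowned_accounts(accounts: List[Account], roster: Dict[str, dict]) -> List[Account]:
    """Level 1: active accounts whose owner is missing from HR or no longer active."""
    disowned = []
    for acct in accounts:
        if acct.status != "active":
            continue
        person = roster.get(acct.owner) if acct.owner else None
        if person is None or person["status"] != "active":
            disowned.append(acct)
    return sorted(disowned, key=lambda a: a.account_id)


def remediate_disowned(accounts: List[Account], roster: Dict[str, dict], when: str) -> List[AuditEvent]:
    """Levels 2 and 3: suspend each disowned account, strip its entitlements,
    and record what was done and why so the action can be reported to audit."""
    events = []
    for acct in find_disowned_accounts(accounts, roster):
        reason = "no owner on record" if acct.owner is None else f"owner {acct.owner} is not active in HR"
        removed = sorted(acct.entitlements)
        acct.status = "suspended"
        acct.entitlements = set()
        events.append(AuditEvent(when, acct.account_id, "suspend", reason, removed))
    return events


def certification_items(accounts: List[Account], roster: Dict[str, dict],
                        baseline: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, Set[str]]]]:
    """Periodic review: for each active, owned account, the entitlements that exceed
    the owner's role baseline, grouped by line manager for attestation."""
    items: Dict[str, List[Tuple[str, Set[str]]]] = {}
    for acct in accounts:
        person = roster.get(acct.owner) if acct.owner else None
        if acct.status != "active" or person is None or person["status"] != "active":
            continue  # disowned accounts are dealt with by remediate_disowned
        excess = acct.entitlements - baseline.get(person["role"], set())
        if excess:
            items.setdefault(person["manager"], []).append((acct.account_id, excess))
    return items


if __name__ == "__main__":
    accts = sample_accounts()
    for ev in remediate_disowned(accts, HR_ROSTER, date.today().isoformat()):
        print(ev)
    print(certification_items(accts, HR_ROSTER, ROLE_BASELINE))
```

The certification report deliberately excludes the accounts that remediation has already suspended, so a manager only attests to live, owned entitlements, and every suspension carries the removed entitlements with it so the report to audit shows exactly what access was withdrawn.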
3.5 Continuity and the lifecycle approach to managing identity delivers business value

Continuity drives the need for IAM

So far we have covered IAM continuity as it relates to continuous compliance and to the improvement of audit processes. What have not yet been discussed are operational benefits and why it is important to take a more inclusive view of identity management and its access control facilities.

There are two major elements that drive the need for continuous IAM control and with it the delivery of a lifecycle approach to the management of identity. There is the requirement to fully utilize the information resources in corporate data stores to trade as efficiently as possible. For example, making use of the Internet to provide access to corporate data and the web as a direct trading channel means that organizations can support self-service efficiency and customers can have 24/7 access. The other element is the ever-increasing range of threats and malicious attack approaches that threaten to destabilize web and associated real-time activities.

From an IAM perspective, continuity starts with the ability to manage each user from the first time that they are provisioned with an initial set of access rights through to the time that their rights are removed. In effect, this means management of the complete user lifecycle, a definition that may sound inclusive enough, but in reality only scratches the surface. This is because the nature of doing business is constantly evolving. We now share information with suppliers and business partners and collaborate on projects. We provide customers and other system users with all-day, every-day access to our systems and information resources. Going forward, further interactive opportunities will emerge, they will need to be supported, and the lifecycle approach to managing users will continue to grow.
Outsourcing and the use of managed services adds complexity

In attempting to do more with fewer internal resources, organizations are taking up the option to outsource operations and services to contractors and are also using service providers to manage operational systems. Because all these external elements add complexity to business operations, they also increase the demand for good quality IAM solutions that are capable of automatically managing mixed communities of users across physical and virtual operating environments. A further issue is the requirement for continuity when considering the IAM controls needed to deal with internal and external users while still attempting to reduce security risks.

IAM is an essential product in the battle to maintain control over who and what can gain access to information systems. However, bringing systems access and usage up-to-date and including the key considerations of web clients and general Internet access is challenging. The increasing volume of remote access demands is changing the systems dynamics of IAM. It means that some longstanding identity management solutions are now overdue for an update. To remain fit-for-purpose, their services need to be brought up-to-date to meet the demands of collaborative working practices, shared information services, and operations where third parties, business partners, or service providers have control over everyday information assets.

The effective management of identity is a precursor to successful data loss prevention (DLP)

IAM controls user access to operational systems and addresses many of the control issues related to regulatory compliance and audit. Another area of IT security that directly associates itself with the demands of the regulators is the prevention of data loss.
Business users can play a primary role in putting an organization’s data assets at risk. Therefore, the case for aligning the use of DLP solutions and their ability to protect sensitive data with core IAM technology that assigns and controls user access rights is a strong one.

The protection role of DLP involves the need to work with existing infrastructure systems such as AD and other common LDAP directories. It entails a requirement to integrate with existing IAM facilities in order to understand what systems access rights each user or group of users has. Leading on from this, once those access rights have been accepted, it also requires the ability to work with permission-based roles in order to ensure that what users go on to do complies at each level with the organization’s data usage policies.

Controlling who has access to an organization’s systems and information resources becomes very difficult to achieve without an integrated relationship between core management systems such as IAM and DLP.

3.6 Everyone needs to be accountable

IAM provides organizations with well defined access management tools

IAM technology provides the tools to ensure that effective access management facilities can be implemented across organizations. This represents the starting point for controlling the rights of each user. A common misconception is that having achieved this objective, the task is complete. This of course is not true. It is only the beginning of a continuous process that requires IT administrators, business managers, and responsible infrastructure departments, such as HR, to collaborate on the provision of effective controls.

The object is to provide information users with all the access rights that they need to do their jobs. At the same time, the correct security balance requires that the access provided is appropriate to fulfill a user’s role within the organization, and limited for compliance purposes to those systems and information resources that they need to have.

That said, the needs of individual users constantly change; promotions change roles, new arrivals need to be provisioned, and leavers must have their systems access rights removed in a timely manner. Security aligned with usability is what needs to be achieved. IAM provides tools that can deliver the required objectives, but not without help from process owners and business managers.

Arguments against the efficiency of IAM and its ability to achieve the required user control objectives suggest that previous generations of the technology were not up to the task because they focused purely on the security issues. They did not do enough to deliver a sustainable model of continuous access. Access governance that ensures that the policies of the organization are in alignment with the provisioning and role management elements of IAM is what is required. However, delivering this balanced approach requires the skills of a knowledgeable management team, good administration, and effective levels of automation from technology that can fit with both operational and compliance requirements.

Compliance demands that users play their part

Technology can be used to provide as many automated processes as an organization demands. Provisioning, password management, SSO and user self-certification processes have been improved for the benefit of the business and to achieve cost savings using automation and self-help approaches.
That notwithstanding, any automated delivery approach is only as good as the back office rules, processes, and management that have been put in place to deliver the service. Provisioning facilities that are not properly controlled by strong rules and not regularly maintained by administrators and process owners can result in users having open access where this is not appropriate, or not enough rights to do their jobs. Password management that is too easy to bypass or too complex to maintain has the same issues. SSO that is delivered with the right levels of control can be extremely beneficial to users and the business, but SSO without strong protection can put the whole organization and its information systems at risk. In all these areas, self-service and certification can have an important role to play, but to maintain compliance, usage has to be aligned with levels of control that are appropriate to specific user groups, roles, and access rights.

Role management helps to align many people-to-process issues

When organizations are looking to achieve that important balance between securing the business and its information assets and the demands for open information access from users, strong and informed business decisions are needed.

Since the first early-adopter IAM systems were deployed, there has been a constant debate about how to make password management systems as secure as possible, and about the unreliability of static passwords. Provisioning systems brought about an automated look and feel to the way that users were provided with access to systems. However, as before, early approaches lacked control and security, and many such systems continue to be poor at managing the whole user lifecycle.
In some cases, typical problems that remain include the inability to adequately control users that have out-of-date access rights, to deal with users with more than one identity, and to completely remove access rights from users that have left the organization but retain the ability to access corporate information.

Without doubt, the provisioning systems provided by some IAM vendors are more inclusive and better at controlling user and full lifecycle management issues than others, but in many cases, more work is needed. Alongside the use of provisioning services, role management facilities are receiving a significant amount of attention. Role management is being deployed so that organizations, especially those of a significant size and with an enterprise infrastructure, can be managed in line with the requirements of the business. One strong argument in favor of the approach is that the protection requirements of businesses include regulatory compliance, and the delivery of role management services takes this into account.

When used correctly and directed towards the combined security, compliance, and operational requirements of the organization, role management facilities allow job functions to be structured and defined into categories that are aligned with operational and business access needs. Systems administrators and business managers have the opportunity to define and structure roles and user groups to match their business operations; these can be categorized by anything from local departments to particular projects, or defined by geography or business unit. Role management delivers the type of structure to IAM that aligns its use with the operational and compliance requirements of the business and its users.
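As an added illustration of the lifecycle problems named above (this is not code from the Ovum report), the following Python reconciles an HR feed against a directory extract to surface leavers whose accounts are still enabled, people holding more than one account, accounts with no HR owner, and accounts carrying entitlements outside their role. The HR feed, directory extract, role model and as-of date are all constructed.

```python
"""Reconcile an HR feed against directory accounts to surface the lifecycle
problems the report names: leavers who keep access, people with more than one
identity, orphan accounts, and accounts whose rights no longer match their role.

Added example; not code from the Ovum report. All records below are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed HR feed: one row per employee, keyed by employee number.
HR_FEED = [
    {"emp_no": "E100", "name": "Alice Ng", "role": "finance_analyst",
     "status": "active", "left": None},
    {"emp_no": "E101", "name": "Bob Rao", "role": "hr_partner",
     "status": "left", "left": date(2011, 3, 31)},
    {"emp_no": "E102", "name": "Cara Holt", "role": "sales_rep",
     "status": "active", "left": None},
]

# Constructed directory extract (think of an AD/LDAP export): account, owner,
# enabled flag and group memberships (the entitlements the account carries).
DIRECTORY = [
    {"account": "ang", "emp_no": "E100", "enabled": True,
     "groups": {"fin_reports_ro", "erp_gl_post"}},
    {"account": "brao", "emp_no": "E101", "enabled": True,
     "groups": {"hr_records_rw"}},
    {"account": "cholt", "emp_no": "E102", "enabled": True,
     "groups": {"crm_rw"}},
    {"account": "cholt2", "emp_no": "E102", "enabled": True,
     "groups": {"crm_rw", "fin_reports_ro"}},
    {"account": "svc_backup", "emp_no": None, "enabled": True,
     "groups": {"backup_operators"}},
]

# Constructed role model: the entitlements each business role may carry.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"fin_reports_ro"},
    "hr_partner": {"hr_records_rw"},
    "sales_rep": {"crm_rw"},
}

AS_OF = date(2011, 6, 30)   # constructed report date


def reconcile(hr_feed, directory, role_entitlements, today):
    """Return a dict of findings keyed by problem class."""
    hr_by_emp = {row["emp_no"]: row for row in hr_feed}
    accounts_by_emp = defaultdict(list)
    for acct in directory:
        accounts_by_emp[acct["emp_no"]].append(acct["account"])

    findings = {"leaver_active": [], "duplicate_identity": [],
                "excess_rights": [], "orphan": []}
    for acct in directory:
        person = hr_by_emp.get(acct["emp_no"])
        if person is None:
            # No HR owner: nobody can certify this account's access.
            findings["orphan"].append(acct["account"])
            continue
        if person["status"] == "left" and acct["enabled"]:
            # Leaver still able to log in; record how long it has been open.
            days_open = (today - person["left"]).days
            findings["leaver_active"].append((acct["account"], days_open))
        # Rights beyond the role model: out-of-date after a role change, or
        # never aligned with the role in the first place.
        allowed = role_entitlements.get(person["role"], set())
        excess = acct["groups"] - allowed
        if excess:
            findings["excess_rights"].append((acct["account"], sorted(excess)))
    # More than one account for the same person is a duplicate identity.
    for emp_no, accts in accounts_by_emp.items():
        if emp_no is not None and len(accts) > 1:
            findings["duplicate_identity"].append((emp_no, sorted(accts)))
    return findings


def run_report():
    """Run the reconciliation over the constructed data."""
    return reconcile(HR_FEED, DIRECTORY, ROLE_ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    for problem, items in run_report().items():
        print(problem, items)
```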
For IT and process owners, the structure that role management brings with it provides visibility into an organization’s user access credentials; all existing roles are defined and visible, and setting up new roles becomes more straightforward while also meeting business and IT infrastructure demands.

42 IDENTITY AND ACCESS MANAGEMENT 2011/12
Using a top down approach, role management can be linked to business process usage and, because business processes need to take in compliance requirements, the approach pulls together business and IT requirements. Like any other set of IAM components, role management services are only as good as the people who manage their use. Roles will change on a frequent basis. Users within groups will change and move on. Provisioning allows users and their access rights to be properly controlled, while role management adds further efficiencies as users are assigned to roles and roles are linked to business operations.

3.7 Achieving and proving compliance is a key business objective

The difficulties of achieving compliance need to be overcome

The scope of regulatory compliance demands can be extensive. For governments, they cover international, national, and local controls. For each business area, standards can be industry specific (HIPAA in healthcare), or cut across boundaries (PCI DSS, which covers the protection of financial transactions across many business areas). The one thing that rarely changes is that new elements of regulatory compliance continue to be added. Regulations and standards are tightened, extended, and often made more difficult to achieve, and on each occasion, the emphasis is always on organizations to find a way to comply.

Technologies such as IAM have a role to play and can be used to improve and add efficiencies to an organization’s approach to addressing compliance demands. The role as a compliance-enabling technology is to deliver automation and control to compliance processes. Business managers need to be able to prove that compliance objectives are being achieved.
IAM and its reporting services can be used to help with this. Management also needs to put in place operational policies that employees and other affected users can understand and follow without it having an adverse impact on their day-to-day activities. IAM provides the infrastructure to achieve this.

For business managers, it is important to be continually aware of compliance demands and to be sure that they are being addressed. It is essential to be able to validate the compliance position and support this effort with procedures and reports that prove an organization’s status. These are areas where compliance-enabling technologies such as IAM can help.

Make use of technology and processes that validate compliance

The most effective approaches to achieving compliance involve the use of practical systems controls. Cost and efficiency demands drive the need to ensure compliance can be delivered as easily and as efficiently as possible. Establishing processes and making use of technology that addresses particular regulatory issues is a good way to start down the road to compliance. There is also a requirement to be able to prove that an organization is compliant. To achieve these objectives, business and IT managers must ensure that their processes are executed in line with company rules and be able to prove that during audit.

When looking at the use of technology from a compliance perspective, there is a need to consider whether it can be deployed across all areas of the business, whether its services and management reporting can be centrally managed, and from this, whether reports can be generated that validate its effectiveness.
3.8 Recommendations

Recommendations for enterprises

The deployment of IAM technology should be seen as a vital component of an enterprise security and compliance strategy. The use of IAM is foundational to controlling who has access to operational information systems. Knowing which users are allowed to have access to which information systems, and aligning control with the operational rules and access policies, improves an organization’s security position and helps toward achieving regulatory compliance. Domestic, industry-related, and international regulations all have an impact on the actions that companies must now take in order to remain compliant. IAM can deliver services that are relevant to business improvement, continuity, protection and compliance.

Recommendations for vendors

There is a growing need to provide IAM technology that delivers business improvement and continuity benefits, and at the same time supports security and compliance demands. Over-complexity has been a problem in the IAM sector; therefore further improvement is needed to make sure that good quality IAM services are also easy to use. Government and industry regulations demand that organizations exercise proper control over customer and financial data and business-sensitive systems. The ability to identify and control user access is fundamental to achieving these objectives.
CHAPTER 4: Identity services in the cloud
4.1 Summary

Catalyst

We are entering an exciting period in the development of Internet identity services. They promise greater convenience for users, higher conversion rates from enquiries to sales for Internet merchants, and greater assurance for Internet-facing businesses, including government websites. They offer increased scope for performing trusted and high-value web transactions. However, “identity” comprises a portfolio of personal information – it is much more than establishing a user’s name – and the centralization of a user’s Internet activities around a single identity provider increases the risk of privacy violations and fraud based on impersonating the real user. The industry must address the new risks that come with this change.

Ovum view

The entry of the US government into the Internet identity services market will kick-start the sector. Inevitably, the emergence of a large guaranteed federal market stimulates the supply side to meet the demand. Already, the standards community has responded by defining a tiered model of different levels of assurance, and the processes needed to underpin each level. Auditing standards to ensure compliance with these standards are following.

The tiered model is crucial for the development of identity-providing services. It not only gives assurance to relying parties, it also provides a basis for determining the value of each band of assurance. This, in turn, provides the basis for a business model for the providers and an appropriate limit of liability for identity service providers.

Closed “circles of trust”, embracing collaborating organizations in a federated identity-sharing paradigm, have largely sidestepped issues relating to business models and liability because they are a partnership of equals who all benefit from the collaboration. The participants are prepared to share risks and costs to enjoy the benefits of collaboration.
This model will not, however, extend to working in the open Internet.

So far, we have not seen a viable business model for identity service providers. In future, the relying party will have to pay when people use an identity provider’s service to access the relying party’s site. The alternatives do not address the need. We cannot expect the identity subject to pay. Internet users are extremely reluctant to pay for anything, and are particularly unwilling to pay for something that seems like an administrative overhead. Today, many embryonic services rely on government subsidies, but this source of revenue will not grow; rather, it is likely to shrink. The advertising-funded model has been tried but it is doubtful how far this model can be expanded in a privacy-sensitive area. Higher levels of assurance incur higher costs and lower levels of exposure, since high-value services account for only a small proportion of Internet transactions. The advertising model will therefore not support a comprehensive identity provider sector. The only remaining source of revenue is the relying party. The relying party benefits from the assurance work that the identity provider has carried out, and from not having to maintain its own identity ecosystem. This is the only viable business model.

Liability issues appear to be even more intractable than those of financing identity services. However, this may not be the case in practice. We need to be pragmatic. We have lived with managed service providers of various types for many years. None of them offer compensation based on their clients’ business loss when their service fails. Identity providers must offer compensation for errors that is proportionate to the fees they charge for their service. This is the best compromise that is achievable; it is not the practice today, but it is affordable since it relates to revenues and a provider’s ability to pay.
It is only feasible where the relying party pays for the service, in order to establish the parameters of the potential compensation payment.

CHAPTER 4: IDENTITY SERVICES IN THE CLOUD 47
Key messages

The need for an Internet identity is now recognized.
Several levels of identity assurance are needed.
Legal and commercial issues are still of paramount importance.
Technology is being developed for Internet identity.

4.2 The need for an internet identity is now recognized

The Internet identity ecosystem

Today, identity resides largely in individual websites with no interaction between them. Users have to identify and authenticate themselves to each site or service to gain access, ignoring those passive information sites that have no access control. Once users have given personal information to a site, they have no control over how the information will be used. Site operators have very little confidence in the accuracy of the information they are given.

An identity infrastructure that works across sites must be based on policy and semantic interoperability. We therefore require standards that go beyond the syntactic and semantic levels and embrace business process issues such as assurance, privacy, and liability. They must be both privacy-enhancing and cost-effective for both users and website operators.

The key elements of an Internet identity ecosystem are shown in Figure 4.2.1. Solid lines show mandatory flows, while dotted lines show alternative flows.

[Figure 4.2.1: Internet identity ecosystem. Elements shown: identity provider, attribute selector, identity credential, required identity attributes, identity broker, identity subject/user, relying party; a session connection is established between subject and relying party. Source: Liberty Alliance (Kantara)]

The identity subject can request an identity credential satisfying the requirements of the relying party with which they want to do business. This can be done either directly or through the services of an identity broker.
The subject then has the option of filtering out attributes in the credential that are not needed by the relying party, if the protocols and the credential structure allow this. When the relying party is satisfied with the assurance it is given, it will open a session with the identity subject. The relying party may be able to share the credential with other relying parties to enable a single sign-on (SSO) session with multiple sites or service providers.
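The exchange of Figure 4.2.1, as an added example that is not part of the original report or of Kantara’s work: a relying party states the attributes and assurance level it requires, the subject obtains a credential through a broker that discloses only those attributes, and the relying party verifies the credential before opening a session; the same credential is then presented to a second site with stricter needs. The identity provider, relying parties, HMAC-based credential format, four-level assurance scale and all subject data are constructed assumptions.

```python
"""Model of the Figure 4.2.1 exchange: identity subject, identity provider,
identity broker and relying party, with attribute filtering and an assurance
check before a session is opened.

Added example; not the report's or Kantara's code. The credential format
(JSON body + HMAC tag over a shared key), the four-level assurance scale
(1 = lowest, 4 = highest) and all names and data are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """What a relying party needs before it will open a session."""
    attributes: frozenset
    min_assurance: int


@dataclass
class IdentityProvider:
    name: str
    key: bytes       # constructed secret shared with the circle of trust
    subjects: dict   # subject id -> (assurance level, attribute dict)

    def issue(self, subject_id, wanted):
        """Issue a credential carrying only the attributes to be shared."""
        level, attrs = self.subjects[subject_id]
        disclosed = {k: v for k, v in attrs.items() if k in wanted}  # attribute selector
        body = {"idp": self.name, "subject": subject_id,
                "assurance": level, "attrs": disclosed}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}


class RelyingParty:
    def __init__(self, name, requirement, trusted_idp_keys):
        self.name = name
        self.requirement = requirement
        self.trusted = trusted_idp_keys   # idp name -> key: the providers it relies on
        self.sessions = {}

    def open_session(self, credential):
        """Verify the credential; return (session id or None, reason)."""
        body = json.loads(credential["payload"])
        key = self.trusted.get(body["idp"])
        if key is None:
            return None, "untrusted identity provider"
        expected = hmac.new(key, credential["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, credential["tag"]):
            return None, "credential integrity check failed"
        if body["assurance"] < self.requirement.min_assurance:
            return None, "assurance level too low"
        missing = self.requirement.attributes - set(body["attrs"])
        if missing:
            return None, "missing attributes: " + ", ".join(sorted(missing))
        session_id = hashlib.sha256(credential["payload"] + self.name.encode()).hexdigest()[:16]
        self.sessions[session_id] = body["subject"]
        return session_id, "ok"


def broker(idp, subject_id, requirement):
    """Identity broker: requests just the attributes the relying party needs."""
    return idp.issue(subject_id, requirement.attributes)


# Constructed ecosystem: one provider, two relying parties with different needs.
IDP_KEY = b"constructed-demo-key"
IDP = IdentityProvider("demo-idp", IDP_KEY, {
    "alice": (3, {"name": "Alice", "email": "alice@example.test",
                  "dob": "1980-01-01", "address": "1 Example Street"}),
    "bob": (1, {"name": "Bob", "email": "bob@example.test"}),
})
SHOP = RelyingParty("shop", Requirement(frozenset({"email"}), 1), {"demo-idp": IDP_KEY})
BANK = RelyingParty("bank", Requirement(frozenset({"name", "dob"}), 3), {"demo-idp": IDP_KEY})


def scenario():
    """Walk through the flows and return the relying parties' decisions."""
    results = {}
    cred = broker(IDP, "alice", SHOP.requirement)
    results["shop_alice"] = SHOP.open_session(cred)[1]
    results["shop_alice_attrs"] = sorted(json.loads(cred["payload"])["attrs"])  # email only
    results["bank_alice"] = BANK.open_session(broker(IDP, "alice", BANK.requirement))[1]
    results["bank_bob"] = BANK.open_session(broker(IDP, "bob", BANK.requirement))[1]
    # SSO reuse: the shop's credential is offered to the bank, which needs more attributes.
    results["bank_reuse_shop_cred"] = BANK.open_session(cred)[1]
    # An altered assurance claim no longer matches the provider's tag.
    altered = dict(cred, payload=cred["payload"].replace(b'"assurance": 3', b'"assurance": 4'))
    results["altered"] = SHOP.open_session(altered)[1]
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(step, outcome)
```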
The business imperative

The Internet today is a wide-open, global communications medium. Most organizations have set up camp on its infrastructure and started communicating with customers, potential customers, suppliers, business partners, and others. Many of them are conducting transactions across the medium. However, each of these “camps” is a silo, operating independently of other camps, apart from using the standard communications protocols that the Internet provides.

An interoperable identity infrastructure that would be recognized at multiple websites would provide a major advance towards a truly connected world. Businesses would be spared the cost of maintaining their own identity databases, users would find it easier to do business with multiple sites by avoiding lengthy registration processes and by not needing to carry sets of credentials for every website they visit, and the overall security of Internet transactions would be enhanced.

For example, in the legal profession, notaries are trying to move from paper-based to electronic baselines. They are hampered by not having access to background databases for identity profiling. They could also validate electronically signed documents if there were highly dependable identity services available.

The challenges

There are numerous difficulties facing those who seek to build such a vision, which have prevented progress over the last decade. The technical obstacles have now largely been overcome, but the business issues associated with constructing such a “web of trust” are still formidable. We must look for an incremental development of identity services that will eventually gain sufficient momentum to become self-perpetuating.
Business issues include determining legal liability, the building of a viable business model for identity providers, and understanding what an identity service actually delivers and what we mean by “identity”. The process of registering individuals in an identity service will inevitably remain one where business process issues outweigh technical difficulties. We need standards, processes, and auditing frameworks to ensure a dependable quality.

Where the need lies

Today, identity providers are typically in the government, banking, and telecommunications sectors. Identity relying parties come from the same sectors and from the merchant sector.

Internet identity is gaining momentum

Despite the difficulties of finding a viable business model, reliably enrolling users, determining legal liability and understanding the role of an identity service, progress is now being made. The US government under President Obama has thrown its weight behind Internet identity services as a means of encouraging citizens to interact with the government online, and of cutting the cost of maintaining its own identity services by leveraging services in the private sector. Online services are generally cheaper to provide than more conventional forms of interaction between governments and citizens. In addition to the financial impact of the US government’s initiative, it is driving standards, and in particular, it has defined levels of trust that identity services must deliver. The government’s four-tier model has won acceptance in the wider community and starts the process of determining the level of reliance that can be placed on a particular identity providing service, and the level of rigor that an identity service provider must use when registering a subject.
Levels three and four of the authentication model apply to situations where the consequences of an error go beyond financial loss. These moves therefore establish a framework in which the business sector can start to build services.
The OpenID movement has produced the most interoperable identity service so far. However, its initial objective was to provide more convenient access to social networking services, and registration within OpenID is largely self-certified. It is therefore aimed at applications where the requirement for assurance is relatively low. In its core sector, OpenID has been very successful. There are 250 million OpenID identities in existence, and these are accepted at more than 10,000 websites. Nevertheless, OpenID credentials are accepted at some e-commerce sites, which are reporting a higher rate of enquiry-to-sales conversions than sites that require proprietary registration. In this case, the benefits mainly relate to avoiding the need for users to remember multiple passwords and user IDs. The security requirement is low, as the part of the sales process involving the payment card is not altered by the adoption of OpenID at the entry to the website, and is still subject to the rules of the customer’s relationship with their card issuer.

Privacy and security concerns

The downside of Internet identity services is that they provide an accumulation of personal information in a single location, and a single point of operational failure. Privacy concerns must be addressed. A person’s “identity” is much more than a name tag. It comprises a repertoire of personal information and a log of actions relating to the identity provider. When the identity provider expands its role to participate in transactions between the individual and other organizations, its view of the individual grows significantly. It can track a person’s Internet behavior and relate this to the more static identity attributes that it holds. Identity abuse by identity providers threatens security as well as privacy. Either the identity provider, a rogue employee, or some other hacker could misuse this information.
They could impersonate the identity subject in fraudulent or criminal transactions, as they would hold both the means of identifying and authenticating the victim. A rigorous code of conduct or a legal framework is needed to protect privacy from this new threat.

The high-assurance identity market needs to move out of the public sector

The identity service provider market is still in its infancy, and scarcely exists at the high end of the trust scale. The current user registration process of each organization is rarely visible outside of an organization; however, there are legal requirements governing registration procedures in parts of the government sector, in some professional occupations including healthcare, and in the financial services sector (as a result of anti-money-laundering regulations). High-trust inter-organization e-identity networks are mostly government regulated (for example, in defense clearance procedures), but the use of government-controlled schemes by the private sector is as yet very limited. More interoperability between the two sectors is needed. In the EU, people generally look to the government sector for trusted identities (for example, ID cards and passports), while the US government is actively seeking more involvement from private sector players.

4.3 Several levels of identity assurance are needed

Online identity needs to follow successful models from the physical world

The notion of having identities with different levels of assurance is sensible, and is consistent with traditional human patterns of interaction. The definition of a system for categorizing an identity is a major step forward. As the notion of multiple tiers of identity assurance services gains acceptance, we are tying the concept of identity assurance more closely into a risk management context.
This can be seen across the world, as credit reference agencies play an increasing role in delivering identity assurance.
Identity comprises a large range of personal attributes. No one supplier could provide a complete “identity” for an individual, even if the privacy issues resulting from such a concentration of personal data could be resolved. The view of identity that an organization has of a particular individual is based on the relationship that the individual has with the organization, as is the level of confidence that can be placed on the identity. For example, the level of confidence that a bank has in a customer’s identity will depend in part on how long the person has been a customer, and whether the bank has been their only financial services provider. It will therefore not always be possible to provide a subject with the highest levels of identity assurance.

Conversely, the relying parties have different needs for identity assurance, depending on the value of the transaction that they are engaged in and the risks associated with it. There is a need for a range of identity services, and the system can be made more cost-effective by spanning the spectrum from “cheap and cheerful” to “high assurance”.

Online identity requirements

The challenge for anyone trying to specify a system for online identities is to provide interoperability, usability, and transparency.

Online identities today typically give a low level of assurance, whereas the physical world is characterized by high levels of identity assurance backed by organizations with substantial assets or interests at stake, issuing identities that are accepted by other organizations, as well as long and deep personal relationships.

OpenID shows the opportunities and the challenges

Today, OpenID is often used as a second level of authentication in addition to a proprietary registration and authentication process.
While this gives it valuable exposure, it also shows the limitations that have to be overcome if it is to replace existing processes.

OpenID was initially designed as a means to let people put comments on blog sites. You can use an account on one service as a means of logging on to another service. High-trust e-IDs are rare, but low-trust e-IDs can stimulate interest across the board. It has been shown that e-commerce sites accepting OpenID get higher conversion rates from enquiries to sales than sites that only accept proprietary registration. Using OpenID in preference to a bespoke identity repository also reduces support costs. High-trust OpenID providers, whose tokens can be reused more generally on other sites, are starting to appear. They need an accepted standards framework to differentiate their offerings from the mass of low assurance OpenID credentials in circulation.

The OpenID protocol lets users select the attributes of their ID that they wish to share. This is essential to protect the privacy of the identity subject when they begin to interact with both high- and low-value domains. It also provides SSO to multiple sites and services. OpenID also provides brand promotion opportunities for identity service providers.

Experience of OpenID led to the specification of the OpenID ICAM profile, which is now specified in US government requirements.

Leveraging government standards

Standardizing identity and authentication processes strengthens security and reduces costs. The US government has established itself as a leader through its market power and is moving in this area before most other organizations.

The framework emerging from the US government envisages a four-tier model for categorizing identity provider services, and this is winning general acceptance in the industry.
Credentials will need to be available with four levels of assurance to correspond to this standard. OpenID Exchange has set up a gathering of Internet and telephone companies to create a trust framework for use by multiple governments (initially the US, UK, Canadian, and Japanese governments). Their criteria are in the public domain. These comprise technical standards and policy (rules and tools) that are certified by OpenID Exchange and based on standards that have emerged from bodies such as Kantara.

Enterprises, like governments, have different types of resources to protect requiring different levels of security, although level four assurance goes beyond what most enterprises require, and most enterprises will only use the first three levels of the model. International Organization for Standardization (ISO) standard 29115 defines trust levels in user registration processes to support the model. Most protocols can already communicate levels of trust within an identity credential. National Institute of Standards and Technology Special Publication (NIST SP) 800-63-1 (the “Electronic Authentication Guideline”, published in December 2008) suggests authentication methods that are appropriate for each level of identity assurance, using single-factor and multi-factor authentication. The model is expressed in economic terms. NIST SP 800-63-1 also lists a spectrum of devices and their underlying technologies that can be used for each level of authentication. Thus, we now have guidelines covering identification, registration, and authentication for a multi-tier model. US government requirements have also driven cloud-related security standards such as Security Assertion Markup Language (SAML), InfoCards and Extensible Access Control Markup Language (XACML).
The PIV standards

Personal identification verification (PIV) provides interoperable and shared identification across the Internet and physical environments. It is discussed here because it is another manifestation of a common identity infrastructure, driven out of US government programs, although it is not a basis for an Internet identity service extending into the consumer sector.

The PIV standard started as a mandatory US government standard, introduced after 9/11 for identifying and providing credentials for federal employees and contractors. It defined a standard process for issuing smart cards with public key infrastructure (PKI) and biometrics, incorporating the card interface specified in the Federal Information Processing Standards (FIPS) 201 standard. It was designed to control logical access, email signing and encryption, file signing and encryption, network VPN access, and also to be used for physical access using procedures defined in NIST publication 800-116.

The American National Standards Institute (ANSI) is now working to make it more applicable for enterprise use by producing a superset of FIPS 201. The new standard is known as ANSI Generic ID Card Specifications (GICS). This allows for extensions of additional data elements and applications. The Federal CIO Council has defined two extensions to PIV for civil application: PIV-I (interoperable) and PIV-C (compatible). Pure PIV is expensive to implement as it has to satisfy secure government standards. PIV-I is based on federal standards so that it can be used in the federal infrastructure. It requires the identity management systems and processes to be externally audited. Therefore, PIV-C is of more interest to commercial organizations, as a means of providing strong but affordable verification.
PIV-C is supported in Windows 7 and enjoys widespread support, with the option of adding biometrics and physical access controls, along with other applications. The smart cards still have to meet the PIV technical specification but the issuing process is more flexible. It provides strong authentication for every application and access point. It can still support the protection of assets up to level four, and can be implemented using standardized and reliable middleware.
PIV-C provides an enterprise with greater security, just as it does in government organizations. Security is both strengthened and made more affordable through standardization, using its pervasive infrastructure and open standards. It enhances interoperability because it is designed for third-party integration into identity management systems. It gives assurance that product components have met the specified standards, and provides reliable middleware that is not limited to specific use cases. The PIV issuance model represents best practice. PIV-C supports multiple authentication mechanisms, including biometric and card-based approaches.

For the vendor, compliance with PIV-C opens up opportunities to sell to the government, as it is likely to be specified in the future Federal Acquisition Regulation.

The UK Police has adopted PIV-C, largely because it combines physical and logical access controls. PIV-C allows BlackBerry email signing and support for mobile application access control out of the box. It closes the mobility cloud security gap in a way that is transparent to the user. Furthermore, intense vendor competition for government contracts reduces the price.

EU OpenID trust profile project

This project extends work on building an identity framework into the realm of auditing identity providers and registration authorities. The need for a formal framework to regulate levels of trust has been a fundamental stumbling block in previous attempts to establish Internet identity. Relying parties get confused by the options and need a more "black box" approach. They need a trust framework in which the level of trust in an identity can be easily assessed. ISO 29115 may be the answer to this need, but the framework should also clarify the roles of authentication provider and registration authority.
The EU has set up a project to address these needs, the evaluation of which is due in the first half of 2011.

4.4 Legal and commercial issues are still of paramount importance

Business case development

Organizations in both the public and private sector want to embrace shared services from identity providers to achieve operational efficiencies, to raise security levels, and to increase the use of their online services. Technologists have made considerable progress in defining standards for interoperable identities and developing secure protocols. However, while businesses are keen to consume identity services, in terms of becoming "relying parties", there remains the problem of determining when you can trust the registration process of the identity provider. Closely associated with this is the lack of a legal liability model that is acceptable to both sides in the identity services market. These factors make it difficult to establish a business and financial case for becoming an identity provider.

A business case for both identity providers and relying parties depends on generating excitement for the service among potential personal users. Privacy is a core issue. It is essential to win the trust of users as well as relying parties. The business case depends on each enrolled individual making frequent use of their identity services, both to ensure that identity providers' assets are well used and that the relying party's online business increases. Ease of use of an identity-providing service is essential to generate increased use of web services and increased conversion of browsing enquiries into e-commerce sales. This, in turn, depends on familiarity and frequent use, creating a potential "Catch-22" situation.
Commercial models

One size does not fit all needs in identity services. People may trust Google Apps, but Google ID still lacks cross-enterprise credibility. The field today is largely government regulated and emphasizes privacy. The need for identity services to support transactions is currently limited, but this will change in future; public/private sector interoperability is the next step.

Today, Internet identity services are largely government-subsidized, ad-funded, or simply driven by enthusiasm. None of these will extend to providing universal services. Users are reluctant to pay for online services of any kind, therefore the long-term business model must be funded by the relying parties.

The enterprise is a natural identity provider in the business context. It could provide services on the Internet, but the attributes required for business and consumer activities are different, and social use of a business identity would implicitly expose who the subject works for, while businesses baulk at the potential impact on their brand of association with uncontrolled private use of their service.

Below is an overview of the characteristics of some existing e-ID services, particularly in Europe.

CardSpace is user-centric. The user establishes an identity by self-registration or by leveraging an existing identity from another identity provider. Transactions will require identity cards that satisfy certain criteria to be used. There is not yet any business model for building on CardSpace. It is quite difficult to set up.

Google Apps works in the Web 2.0, cloud computing and software as a service (SaaS) domains. Again, identities are self-asserted or imported from other identity providers. Google Apps provides transaction authentication and authorization (OpenID and SAML-based), financed by advertising.
Google promotes its use. Google policy governs privacy, and Google does not accept any liability for errors, so it does not recommend the service for high-value transactions. However, the service is widely used in the education sector in the Netherlands.

OpenID is mostly used in the Web 2.0 domain. Users self-register and identity is based on the domain name system (an OpenID identifier is a URL). It is used for transaction authentication and profiling. Its business model is based on its low cost and its ability to increase website business. It offers limited privacy and trust.

SURFfederatie is a Dutch universities scheme for the education domain. It reuses local user registration and provides transaction authentication and authorization. Its business model is that of a subsidized service. Privacy and trust are regulated through the existing practices of the education sector.

DigiD is used for government services for citizens in the Netherlands, with registration carried out by local authorities. It is used for transaction authentication. Its business model is government subsidy, and its identities are typically used only a few times per year by each citizen. Privacy and trust levels are government controlled.

BankID is a Swedish service used in the government and private sectors. Banks handle user registration. It is used for transaction authentication, digital signing, and mobile e-identity. The business model is to target massive use over a wide range of transactions. Privacy and trust are regulated by the banking sector.

The Estonian e-ID card is used for government services and trusted transactions, including the digital signing of documents. Registration is carried out by local governments. The business model targets a large range of transactions, combining a small user fee with a larger service provider fee. The privacy and trust policy is regulated and run by a public/private consortium.
Assurance versus privacy

The process used by identity providers to establish confidence in a subject's identity involves an activity known as "identity consolidation". This brings all the available information the provider can gather about a data subject into one place. There are clearly risks if this central repository is breached.

An identity provider becomes a "single point of failure" from a privacy perspective, as both personal information and the user's Internet behavior history are concentrated in a single location. This issue will require particular attention.

"Minimal disclosure" is a means of distributing a set of claims under the user's control, blanking out information in an identity certificate that is not relevant to the transaction it is to be used for. Under this scheme, the identity provider issues a credential to the identity subject, who controls its reduction to exclude unnecessary information. The technical challenge is to provide a way in which this can be done without breaking the digital signature on the credential. Microsoft's U-Prove has achieved this (see the section on U-Prove below for more details). It has the advantage of eliminating unnecessary proliferation of personal information across the Internet, and the identity claims provider does not learn how the claim will be used.

Banking regulations

Online banks want to move away from access control based on user ID and password, but are wary of customer resistance. Currently they have to do some authentication in house to satisfy regulatory requirements, so many think it is simpler to do all of the access control task in house than to split the task with an external identity provider.
This is slowing the growth of Internet identity services, as banking could be a "killer application" driving the sector.

Identity brokers

There is another potential role in the identity services market: an e-identity broker that selects a suitable identity provider for a particular situation. Such players could stimulate competitiveness in an open market. The brokers would have to be independent of the e-identity providers. When selecting an e-identity provider for a particular purpose, the broker would need to classify each e-identity provider according to its intended domain of use, how users register, how authentication works at the time a transaction is performed, the business model of the service, and the privacy and trust policy of the identity provider.

4.5 Technology is being developed for Internet identity

Open Identity Trust Framework

The OITF (Open Identity Trust Framework) is built on the principle of openness, and affords transparency, accountability, and open competition. It consists of:

A set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information.

Oversight mechanisms to look after these requirements, and mechanisms to support the flow of information among users, identity service providers and relying parties.

The next step for the OITF is to look at governance, accountability, and what market structure is likely to emerge.
The Federal Identity, Credential and Access Management (ICAM) Trust Framework comprises technical profiles for protocols (Information Cards, SAML 2.0, OAuth 2.0 and WS-Federation), and policy comparability (covering the trust framework provider adoption process). So far, three trust framework providers have been adopted: Open Identity Exchange (OIX), Kantara, and InCommon. The ICAM Trust Framework is already working at level one of the trust model. It is developing procedures for levels two and three.

OASIS ID Trust

OASIS standards are widely accepted and tested for interoperability. Identity claims mechanisms are valuable for preserving privacy and limiting the flow of personal information to the minimum required by a relying party. Commercial off-the-shelf software such as Microsoft Active Directory Federation Services (ADFS) supports OASIS identity claims mechanisms.

The ID Trust member section promotes standards-based identity and trust infrastructure technologies, policies, and practices. CA and Red Hat are on the steering committee, with many major vendors and agencies in the membership, such as EMC, GSA, HP, IBM, and Microsoft.

Claims are statements made by one subject about another subject. No information needs to be held within the claims service; it just has to handle the workflow between the identity provider and the relying party. There is a need for a claims API, a claims service, and an identity selector that allows the user to be part of the process by selecting how claims about them are to be satisfied. Cloud service providers are starting to support the model, but it is important to use widely accepted standards such as those from OASIS to avoid lock-in to a particular service.

U-Prove

U-Prove is a Microsoft technology that allows users to build electronic tokens for specific transactions.
X.509 certificates use two unique identifiers: a public key and the Certification Authority's signature over this public key. The identity provider provides attributes in signed form. U-Prove is designed with "privacy built in". It allows users to black out attributes that they do not want to forward, without wrecking the entire certificate signature. The token's public key is hidden from the identity provider, so the issuer cannot later link a token to its use; token attributes can still be placed in an "attribute" field in the certificate. U-Prove is published as an extension to CardSpace and Windows Identity Foundation. Microsoft has open-sourced the crypto software development kits (SDKs).

U-Prove provides: anonymized and pseudonymized identity; full identification; accountability; minimized identity disclosure; user control over information disclosure; strong authentication; resistance to phishing attacks; efficient hardware protocols. It is based on technology that Microsoft acquired with Credentica, and is currently available for trial online. There is also the option to add a smart card in the end-user device to protect against spyware. U-Prove still needs to go through the standards process (NIST or ISO), but a European standardization process is already under way and is expected to take three years. The Microsoft standards team is working in parallel with the European effort.
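The minimal-disclosure idea under "Assurance versus privacy", the claims model in the OASIS ID Trust section and the U-Prove description above all rest on the same mechanism: a credential whose issuer signature survives the subject blacking out attributes. The Go program below is an added illustration, not Microsoft's U-Prove code and not U-Prove's cryptography, of the simplest construction that achieves this: the issuer signs a list of salted hash commitments, one per attribute, and the subject opens only the commitments a transaction needs, so a relying party verifies the issuer's signature without ever seeing the redacted values. The issuer, attribute names and values are constructed for the example; Ed25519 from the Go standard library stands in for whatever signature scheme a real issuer would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attribute is one claim the issuer vouches for about the subject.
type Attribute struct{ Name, Value string }

// Credential is what the issuer hands to the subject. Attrs and Salts stay with
// the subject; a relying party only ever sees Commitments and Signature.
type Credential struct {
	Commitments [][]byte
	Signature   []byte
	Attrs       []Attribute
	Salts       [][]byte
}

// Presentation carries the signed commitments unchanged plus only the
// attributes the subject chooses to open, each with its salt.
type Presentation struct {
	Commitments [][]byte
	Signature   []byte
	Revealed    map[int]Attribute
	Salts       map[int][]byte
}

// NewIssuer creates a hypothetical issuer's Ed25519 key pair (constructed for the example).
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// commit binds an attribute to a 16-byte random salt so that low-entropy values
// such as over18=true cannot be brute-forced from the commitment. Fields are
// joined with a zero byte (assumes names and values contain none).
func commit(salt []byte, a Attribute) []byte {
	d := sha256.Sum256(bytes.Join([][]byte{salt, []byte(a.Name), []byte(a.Value)}, []byte{0}))
	return d[:]
}

// Issue builds one salted commitment per attribute and signs the ordered
// commitments as a whole (32 bytes each, so concatenation is unambiguous).
func Issue(priv ed25519.PrivateKey, attrs []Attribute) (Credential, error) {
	cred := Credential{Attrs: attrs}
	for _, a := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, err
		}
		cred.Salts = append(cred.Salts, salt)
		cred.Commitments = append(cred.Commitments, commit(salt, a))
	}
	cred.Signature = ed25519.Sign(priv, bytes.Join(cred.Commitments, nil))
	return cred, nil
}

// Present blacks out every attribute except those at the given indices. The
// commitments and signature pass through untouched, so the signature still verifies.
func (c Credential) Present(reveal ...int) Presentation {
	p := Presentation{Commitments: c.Commitments,
		Signature: append([]byte(nil), c.Signature...),
		Revealed:  map[int]Attribute{}, Salts: map[int][]byte{}}
	for _, i := range reveal {
		p.Revealed[i], p.Salts[i] = c.Attrs[i], c.Salts[i]
	}
	return p
}

// Verify is the relying party's check: the issuer signed exactly these commitments,
// and each opened attribute matches its commitment. Only opened attributes are
// returned; the blacked-out ones are never learned.
func Verify(pub ed25519.PublicKey, p Presentation) (map[string]string, error) {
	if !ed25519.Verify(pub, bytes.Join(p.Commitments, nil), p.Signature) {
		return nil, fmt.Errorf("issuer signature does not verify")
	}
	out := map[string]string{}
	for i, a := range p.Revealed {
		if i < 0 || i >= len(p.Commitments) { // index is presenter-controlled input
			return nil, fmt.Errorf("revealed index %d has no commitment", i)
		}
		if !bytes.Equal(commit(p.Salts[i], a), p.Commitments[i]) {
			return nil, fmt.Errorf("attribute %q does not match its commitment", a.Name)
		}
		out[a.Name] = a.Value
	}
	return out, nil
}

func main() {
	pub, priv := NewIssuer()
	cred, err := Issue(priv, []Attribute{{"name", "A. Subject"}, {"date_of_birth", "1980-01-01"}, {"over18", "true"}, {"employer", "Example Corp"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(Verify(pub, cred.Present(2))) // an age gate learns only over18
}
```

What this construction does not give, and U-Prove does, is unlinkability: the commitments and signature are byte-for-byte identical in every presentation, so two relying parties (or the issuer) can recognise the same credential across transactions. U-Prove's blinded issuance exists precisely to remove that link, which is why a salted-commitment scheme like this one is suitable for single-use or pseudonymous contexts but not as a substitute for the real thing.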
National ID cards and mobile phone SIM cards

There are many authentication tokens in circulation, including national ID cards and mobile ID (namely SIM cards). Both need a smart card reader to connect to a PC.

Mobile-phone-based identity services have only limited value. There is a high churn rate for mobile phones, making the ongoing cost of managing devices high. The process surrounding the sale of a mobile phone does not generate high levels of identity assurance.

Combining PKI and IAM

While there is potential value in connecting digital certificate issuance and access management, there are also counterarguments for keeping them separate.

PKI comprises components, processes, and policies to manage digital certificates. PKI could profit by enrolling people based on the registration process already done by an identity provider, and automatically adopting any changes in this identity database. PKI could then issue certificates to servers used by the identity subject. PKI brings encryption and non-repudiation capability to support online transactions. Vendors that have adopted this combined view include:

Entrust.

Microsoft, which has linked its Identity Integration Server with its Certificate Lifecycle Manager in its Forefront Identity Manager.

Cryptovision, which integrates with Novell identity management products, and also has prototype integrations with IBM products. User data are not passed to the Certification Authority.

However, there are no standards for connecting identity management and PKI, and security may be reduced by the integration. FIPS certification of products is difficult without a clear separation of functions, and users risk becoming locked into proprietary technology. RSA Security is also moving away from combining authentication and digital certificates.

Orange ID selector

Orange has a history of working as an identity provider:

2007: Orange externalizes Orange identity in OpenID.
2008: Orange opens its service to external identities.

Second quarter of 2010: Orange allows users to use any identity.

Orange manages more than 100 million identity accounts across seven countries. SSO is provided through Liberty Alliance (Kantara) specifications. Network parameters are used implicitly in identification and authentication. Over 185 services are federated to the identity platform, covering web portal services, widgets, desktop applications, VoIP, IPTV, WAP and mobile applications, and Livebox home gateway applications.

The majority (90%) of Orange users avoid the need to enter usernames and passwords by using device recognition. The service doubled the usage of Orange communication services when it was introduced in France.

The relying party wants a diversity of identity providers, but the user wants to use the same provider as much as possible. The identity provider wants to play a role in as large a range of transactions as possible. Orange ID Selector is a new tool in the authentication scheme. It is an agent that reconciles these views, and maintains a direct business relationship between the identity provider and the relying party. The user sees a single interface from which to select an identity. It is designed to be easy for a relying party to integrate with their system.
4.6 Recommendations

Recommendations for enterprises

Both standards and technology are being developed for Internet user identity services. These are mainly of interest for communicating and transacting with people that have a shallow but financially or contractually significant relationship with a provider; for example, they are more relevant for communicating with customers than with employees. When these services are more developed, they will be attractive for relying parties, both in terms of cost and identity assurance. You must expect to pay for a dependable service, but the cost should be less than maintaining a proprietary registration, identification, and authentication regime. Take care to ensure that the business model, including the liability model, suits your business relationship.

Also, be wary of mixing business and personal identities too closely. Business identities, with the attributes appropriate for business relationships, are unlikely to be adequately supported by public services. Identity federation across business partners is a better approach for corporate collaboration scenarios.

Recommendations for vendors

The identity services business cannot have a viable future without a universal basis for identity classification, assurance, authentication and registration. An auditing framework will be needed to maintain these standards. These standards are now emerging and all service providers should adhere to the common standards to maximize interoperability between service providers.

The "single point of failure" issue is a serious risk to the credibility of the sector. Suppliers must ensure that the theoretical risks of concentrating identity information (including online behavior records) in a single location do not become real risks. As well as maintaining the highest standards of security, auditing, and staff vetting, they should minimize the amount of information they hold, and distribute it around their organization as much as possible.
The business model for the supply side is still far from clear, and this will determine the speed with which identity services develop. The role of the US government in the market will be crucial for stimulating the market, and Ovum anticipates that its impact will ripple out across the Internet into other countries. Other governments are likely to follow its lead, although individually, their impact will be limited. User familiarity with services at the lower levels of identity assurance will help to stimulate the market for higher value services.
CHAPTER 5: Federated identity
5.1 Summary

Catalyst

The role of federated identity management (FIM) is to provide functional and secure operational environments where users of one business domain can seamlessly access the systems and information of another. In business-to-business (B2B) relationships, the goal is to achieve these objectives without having to stitch together separate identity management systems. The larger requirement for federation extends beyond pure B2B relationships and takes into account the needs of all consumer groups.

Ovum view

For systems users who struggle to maintain an ever-growing number of online identities in their business and private lives, the availability of effective FIM cannot come soon enough. The headlines suggest that federation services support business efficiency, can deliver inter-company collaboration, and provide cost and efficiency savings by supplying the tools required to build connectivity between consenting organizations. It sounds too good to be true and, unfortunately for the vast majority of businesses and information users, that remains the case.

Five years ago, the hype cycle was at its height. Most leading identity and access management (IAM) vendors were giving the deployment of federated identity solutions a high priority. They saw federation as a wide-ranging opportunity to extend the scope of common IAM services such as single sign-on (SSO) and user provisioning beyond corporate boundaries. After all, some of the required standards, through OASIS with Security Assertion Markup Language (SAML), were already in place, and supporting work from the respected Liberty Alliance was moving forward at a good pace.

In the intervening years, progress has been slower than expected. Many of the reasons why are not uncommon to IT: systems complexity, large technology overheads, and unacceptably high project costs.
On top of this, there has been a financial downturn that has forced most organizations to cut back on new IT projects, and there are complex relationship and ownership issues specific to FIM.

Not all federation projects have been put on hold. There are a number of good examples of successful FIM deployments, especially in the financial services, healthcare, and government sectors. Importantly, all of these are sectors that do not engage with new technology until operational benefits have been proved to a high degree of certainty. The operational advantages of providing federated access to business information systems are not in doubt. What still needs to be addressed, if take-up rates are to improve, are cost justification issues and project complexity objections.

Ovum recognizes that business demand for FIM remains, but further changes to the way that IAM services are delivered will be required to make federation projects more attractive. Also, taking into account the time that has already elapsed, the FIM value proposition is at a crossroads. Very large investments have been made by IAM vendors to ensure its success, and interest from public and private sector organizations remains. Therefore, significant progress now needs to be made.
Key messages

Organizations can benefit from using a federated approach to identity management.

Drawing up clear rules of engagement is important.

Making better use of standards is the way forward.

Take-up has been slower than expected: higher levels of B2B usage are required.

5.2 Organizations can benefit from using a federated approach to identity management

Federation offers advantages and convenience to enterprises and users

Organizations continue to look for innovative and effective ways to deliver their services. The automation of operational systems, together with the ability to collaborate and share vital information with business partners, is one important way of achieving those objectives. The use of technology allows businesses to run lean and efficient supply systems. To support this approach, organizations rely on all required components being available at the optimum time. Having full visibility of stock levels, product delivery dates and new pricing tariffs, among others, even when that information is the property of a partner organization, adds real value to businesses and decision-making processes.

The operational requirement is for secure open access to shared business systems to be assured for authorized users, and for accurate information to be made available whenever it is needed. Within the IAM product portfolio, FIM technology is used to help deliver collaborative services to groups that wish to share business information using common access and authentication approaches. FIM technology can be used to create local as well as global interoperability between online businesses and trading partners using agreed identity management approaches.
Utilizing an SSO approach, it allows users to move between the business systems of their own organization and beyond corporate boundaries to access third-party systems.

Sharing information resources is not a new concept

The concept of federation is not new. Organizations have always shared process information using a variety of approaches: governments authenticate their citizens to travel across borders using passports, and banks and retailers accept credit and debit cards as proof that the owner has the right to purchase goods from all suppliers that accept the credential.

The advantages that federation provides add process, operability, and control to the interactions between organizations and their users. Setup and usage need to be based on business requirements, regulatory controls and technology-driven agreements that allow companies to interoperate based on shared identity management.
To prove effective, the advantages to the organizations involved should include a lowering of overall identity management costs and operational efficiency improvements through the use of extended SSO facilities, which also help to deliver a better user experience for all.

In order to provide secure service delivery and information access, the FIM methodology leverages secure identity portability by simplifying administration across business boundaries. The approach has to have the ability to operate using common and agreed rules, access policies, and authentication that fulfills the operational requirements of each partner in the relationship.

For federated identity management to be effective, partners must share a sense of mutual trust

The success of any federated identity project relies on two things: a bond of trust existing between the parties involved, and technology controls to ensure that trust is maintained. Organizations that agree to share information must put in place processes that control who the authorized users are, what type of authentication will be required to allow access, and how those controls will be maintained.

The trust element remains important because each organization relies on its partner to maintain standards, control their users, and ensure that provisioned access rights are kept up to date. The issues that need to be addressed involve information security, regulatory compliance, and audit requirements. Trust between the parties involved forms the foundation of their operational relationship, but realistically, more contractually binding legal ties between the parties involved will normally be part of any formal agreement.

Authentication data can be passed across secure domains to business partners, enabling SSO to extend beyond organizational boundaries

FIM is not set up to be an SSO client, server, or application, and does not deliver SSO in its own right. However, through integration with IAM and the use of standards-based approaches such as SAML, common user access across participating domains is achieved.

Using a standards-based approach, FIM enables a user's authenticated identity in one domain to be accepted for access to resources in another without the need for re-authentication. Delivering extended SSO controls provides operational efficiency savings that are valuable to users and participating organizations. The additional ability to keep user and usage definitions up to date dynamically, without further intervention, also helps to make federation a justifiable investment when the primary advantages are aligned with the shared operational goals of the businesses involved.

Real-time communications technology allows business processes to be directly integrated across system and business boundaries, while security considerations dictate that good-quality identity-based access controls must be in place to protect business assets from compromise.

Security should not hold back the sharing of inter-company information flows

It is not acceptable in today's online trading climate for security to be seen as putting up unnecessary barriers, especially if those barriers cause operational performance to suffer.

It is clear that the security elements of IAM that control which users are allowed to have access to information sources must be retained and strengthened within federated relationships.
Nevertheless, a balance needs to be struck between operational efficiency and levels of systems and information protection that all parties can agree on.
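The assertion-based SSO described above, where a user authenticated in one domain is accepted in another via SAML, is only as safe as the relying party's enforcement of the federation's trust rules on every inbound assertion. The Go program below is an added example, not code from any vendor product or from the SAML specification, of the policy checks a service provider performs before honouring a partner IdP's authentication: trusted issuer (the circle of trust), audience, validity window with clock skew, presence of a signature, and one-time use of the assertion ID. The assertion, entity IDs and timestamps are constructed for the example; cryptographic verification of the XML-DSig signature is assumed to be done by a SAML library against the IdP's metadata certificate and is not implemented here.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// sampleAssertion is a constructed, cut-down SAML 2.0 assertion of the kind a
// partner IdP would post to our SP. The signature body is elided (not verified here).
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2011-03-01T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-03-01T09:59:00Z" NotOnOrAfter="2011-03-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.ourcompany.example/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>`

// assertion maps only the parts of the assertion the policy checks need.
type assertion struct {
	XMLName    xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID         string    `xml:"ID,attr"`
	Issuer     string    `xml:"Issuer"`
	Signature  *struct{} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	NameID     string    `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// TrustPolicy is the relying party's side of the circle of trust.
type TrustPolicy struct {
	TrustedIssuers map[string]bool // IdP entity IDs we have agreed to federate with
	OurEntityID    string          // the audience an assertion must name
	ClockSkew      time.Duration   // tolerated drift between IdP and SP clocks
	SeenIDs        map[string]bool // assertion IDs already consumed (replay guard)
}

// NewPolicy returns the policy for the hypothetical partner used in sampleAssertion.
func NewPolicy() *TrustPolicy {
	return &TrustPolicy{
		TrustedIssuers: map[string]bool{"https://idp.partner.example/saml": true},
		OurEntityID:    "https://sp.ourcompany.example/saml",
		ClockSkew:      30 * time.Second,
		SeenIDs:        map[string]bool{},
	}
}

// ValidateAssertion applies the checks an SP must make before it treats the
// partner's authentication as its own, and returns the federated subject.
// Signature verification proper belongs to an XML-DSig implementation; here we
// only insist that a signature element is present.
func ValidateAssertion(raw []byte, pol *TrustPolicy, now time.Time) (string, error) {
	var a assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", fmt.Errorf("malformed assertion: %w", err)
	}
	if a.Signature == nil {
		return "", errors.New("assertion is not signed")
	}
	if !pol.TrustedIssuers[a.Issuer] {
		return "", fmt.Errorf("issuer %q is outside the circle of trust", a.Issuer)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", errors.New("assertion carries no usable validity window")
	}
	if now.Add(pol.ClockSkew).Before(nb) {
		return "", errors.New("assertion is not yet valid")
	}
	if !now.Add(-pol.ClockSkew).Before(noa) {
		return "", errors.New("assertion has expired")
	}
	addressedToUs := false
	for _, aud := range a.Conditions.Audiences {
		addressedToUs = addressedToUs || aud == pol.OurEntityID
	}
	if !addressedToUs {
		return "", errors.New("assertion was issued for a different relying party")
	}
	if a.NameID == "" {
		return "", errors.New("assertion names no subject")
	}
	if pol.SeenIDs[a.ID] { // the same assertion must not log a user in twice
		return "", fmt.Errorf("assertion %s has already been used", a.ID)
	}
	pol.SeenIDs[a.ID] = true
	return a.NameID, nil
}

func main() {
	pol := NewPolicy()
	at := time.Date(2011, 3, 1, 10, 0, 0, 0, time.UTC)
	fmt.Println(ValidateAssertion([]byte(sampleAssertion), pol, at))
	fmt.Println(ValidateAssertion([]byte(sampleAssertion), pol, at)) // replay is rejected
}
```

The order of checks matters less than their completeness: an assertion that is correctly signed by a trusted partner but addressed to a different service provider, or replayed after its first use, is exactly how a federated login gets turned against the relying party, so every one of these conditions is a rule of engagement that the partners should have agreed in the federation contract, not a local implementation detail.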
5.3 Drawing up clear rules of engagement is important

Trust is a vital component of successful federated relationships

As discussed earlier, among the core requirements of identity federation is the need to set up trust relationships between participating organizations. At the very beginning of a project, clear rules of engagement need to be drawn up and, depending on the relationships involved and any associated regulatory issues, agreements may well need to be legally enforceable. This is important because identities defined within one organization in a federated relationship are going to be accepted by the other as valid and therefore trusted. As such, a strong business foundation to the relationship must exist before things can go forward.

FIM supports loosely coupled through to legally binding relationships

Gaining a full and agreed understanding of the way that a particular relationship is going to operate is essential. For example, it is crucial to know how the relationship will be aligned between the parties involved. Will it be federated as a genuinely collaborative, loosely coupled, many-to-many FIM environment, where the circle of trust is an evolving environment that is flexible and open and can be added to as the need arises? Or will it be on a more fixed footing, where relationships need to be controlled by a set of formally defined processes that involve fixed access rules and usage policies?

There are also other options, such as one dominant player owning and dictating how a relationship will operate. This could reasonably be described as a "master-to-slave" environment, where one principal takes responsibility for defining, owning, and controlling how relationship services will operate, with other group members being expected to comply.
When deciding how FIM relationships will operate and what controls are needed to deliver the service successfully, as a minimum, the following issues should be taken into account:

- Which organization owns and controls the relationship?
- Will this be an open or closed project?
- What type and range of collaborative interactions will be involved?
- How will the project be managed and how will management changes be controlled?
- In either open or controlled FIM projects, how will new organizations joining an existing group be added, and how should they be treated?
- How will the issue of individual organizations leaving a relationship be handled and what controls need to be applied to make this a safe process?
- What happens when the relationship comes to an end? Can it be easily wound up and what issues need addressing when it is?

Federation brings B2B relationships up to date

The use of federation based on shared identities and SSO controls brings inter-company alliances up to date. When extending business collaborations beyond straightforward one-to-one relationships, FIM also provides the opportunity for more complex associations – often known as “circles of trust” – to be set up. As shown in simple diagrammatic form below, connected circles of trust can be defined to support a variety of federated business relationships. For users and their organizations, each approach supports SSO pass-through at the point of assertion between each participating organization.
Governing entity approach – the collaborative model

As shown in Figure 5.3.1, a group of founders (the governing entity) forms a management relationship that establishes the rules and policy controls for ongoing membership that govern how a federated identity group operates. This could be seen as a complex approach to collaboration, as each member has approval rights, but it can also offer flexibility and control when determining the ability for members to leave and new members to be admitted into the group.

Figure 5.3.1: Governing entity approach (diagram label: Governing entity). Source: Liberty Alliance (Kantara)

Founder approach – the consortium model

A fixed number of founders (the consortium) form an association using an agreed multi-party contract that sets the rules that govern the relationship. Control stays with the founding members. As shown in Figure 5.3.2, this is a form of FIM that operates effectively in closed environments. However, the approach appears to have restricted flexibility when looking at break-up requirements or the addition of new members.

Figure 5.3.2: Founder approach (diagram label: Multi-party Contract). Source: Liberty Alliance (Kantara)

Single founder approach – centralized model

As shown in Figure 5.3.3, a single founder sets the rules of engagement for membership to the group that it controls. From its position of strength, the owner agrees new federated relationships with other group members on the terms that it controls and chooses to make available.
Figure 5.3.3: Single founder approach (diagram label: Founder). Source: Liberty Alliance (Kantara)

Organizations also profit when consumers are able to reap the benefits of a federated SSO culture

FIM is not restrictive. Its use is not constrained to B2B interactions. Business-to-consumer (B2C) relationships, where the consumer is a customer or citizen, can provide substantial benefits if common user credentials that are acceptable to one public or private sector domain can also be accepted by one or more partner organization.

In whatever environment it is used, a federated identity represents a single resource that can be used to access multiple applications or websites that are grouped together by the ties of federation. As is the case in business, without FIM, users are required to manage different credentials for every application or website they use.

Consumers are further disadvantaged

In our private lives, multiple passwords and access codes are just as difficult to maintain as they are in B2B relationships. In fact, due to irregular use and fragmented relationships between user and service provider, the lack of control is more likely to lead to identities being compromised and to identity theft.

FIM builds on a trust relationship between organizations and their users. Federated identity makes it possible for consumers to use this same trust relationship to access information with other related organizations without needing new credentials. This is an area of identity federation that is currently being discussed by commercial organizations and governments, with both the public and private sector recognizing the potential value that could be gained.
For private users, making federation work as securely as possible is extremely important. In this context, trust remains a key issue. Standards organizations and commercial suppliers have developed architectures and tools to encourage federated identity, but as yet, they have failed to adequately address the trust issues. Microsoft’s .NET Passport was an early example of a supposedly trusted source that would provide the ability to work with both a common and secure set of user credentials, and open standards developed by the Liberty Alliance were also prominent at the time. Perhaps because of their proprietary nature, or more likely because of a lack of trust, these early approaches failed.

OpenID is addressing some of the early adopter issues for public and private identity usage

The OpenID initiative remains the current usage contender. It is a decentralized SSO authentication system for the Internet and its objective is to enable users to log on to websites using a single secure identity. To achieve this, users must initially register with a website that supports OpenID. For example, AOL users can make use of their existing identities, because AOL already supports OpenID. There are over a quarter of a billion OpenIDs in existence, and well over 10,000 websites that accept them. OpenID is at the early adopter stage, but as usage matures, it is likely to become more commercially attractive as a trusted identity provider service. Important operational and security issues that need to be resolved include domain name server (DNS) spoofing weaknesses. The adoption of closer SAML links would be advantageous.

5.4 Making better use of standards is the way forward

Standards organizations are developing architectures and tools to encourage federated identity

The successful delivery of federated identity across the shared domains of business partners relies on SSO that can be used with different infrastructures and a common and acceptably secure authentication approach. A common approach is required because it has to be acceptable to all parties that allow access to their systems and secure enough to satisfy each organization’s risk profile and compliance requirements.

Because of its consistent approach, SSO is the key enabling technology for the delivery of FIM and is the point at which the development of federated identity standards begins.

If organizations wish to access the information systems of their business partners or share the content of their own information systems with authorized parties, there is a compelling argument to have in place standards that will allow singly sourced user access across all domains. Furthermore, the requirement should be capable of evolving beyond individual project collaborations. It should take in the requirement for a standards-based approach to SSO that can be accepted by all organizations that choose to participate. Hence, the various circle of trust approaches that have already been discussed.

The demand for a consistent set of standards that will allow organizations to participate in federated relationships with business partners has existed for several years. Some progress has been made, albeit initially vendor-driven and grouped around existing alliances between interested identity management and web access security groups such as OASIS, Liberty, and WS-I.
OASIS and Liberty provided the lead in developing standards for federated identity

SAML is the driving force

SAML is the mature XML-based standard, defined by OASIS. It is now in its third major release (v2.0) and is used to support the management and use of identities that need to be portable across organizational boundaries and to separate websites. Its use is designed to support secure B2B and B2C transactions.

Trusted assertions are a key concept in SAML. They represent a claim that is made when an identity wants to access something such as a website or application, and undertake a task. Importantly, at the point of access, assertions can be challenged and, within the common rules of a federated relationship, found to be acceptable or not.

To achieve these objectives, SAML specifies three components: assertion, protocol, and binding. Within these components there are three assertion subsets: authentication, attribute, and authorization. Authentication assertion validates the user’s identity, attribute assertion contains specific information about the user, and authorization assertion identifies what the user is authorized to do. Hence, the direct associations with federated identity, where protocols define how SAML asks for and receives assertions and binding controls how SAML message interactions are mapped to Simple Object Access Protocol (SOAP) exchanges. One of the core strengths of SAML is its ability to interoperate with multiple communications protocols, including hypertext transfer protocol (HTTP), simple mail transfer protocol (SMTP), file transfer protocol (FTP) and also support the key operational protocols such as SOAP, BizTalk, and electronic business XML (ebXML).
Liberty adds solidarity and consistency

Not always as swiftly as business organizations would have liked, but solidly and consistently, the Liberty Alliance has worked to improve the way that identity management has developed. Its strategic approach has allowed the Liberty Alliance to focus attention on current and emerging issues in identity. The special interest structure of the organization has enabled the development of expert groups that focus on specific areas, producing output for public consumption including technical specifications, white papers and policy guidelines. The areas covered by Liberty special interest groups include vertical and horizontal identity management issues such as healthcare identity management, e-government, identity assurance, identity theft, and federated identity.

Liberty was formed by a consortium of mainstream technology vendors and end-user organizations. The early work undertaken by its special interest group for FIM focused on its associations with OASIS and on defining, improving, and extending its own standards and how these would work with SAML. Now operating under the Kantara umbrella (from mid-2009, Liberty transitioned its responsibilities to the Kantara Initiative), the ongoing requirement is to tighten its SAML definitions and add value by incorporating specific web services security standards that are supported by major players, including IBM and Microsoft.

Through the achievements of various Liberty Alliance special interest groups, frameworks that address federation, identity assurance, identity governance and identity web services have been developed and released. Conflicting issues remain and still need to be addressed, but for a period of almost a decade, Liberty took overall responsibility for developing usable standards for FIM.
Liberty promoted ID-FF, ID-WSF, ID-WSF DST and ID-SIS

FIM was an early driver behind the formation of the Liberty Alliance in 2001. Its approach to the development of standards recognizes the importance of collaboration, trust, and agreement within B2B relationships and the need for common identity convergence. One of the FIM group’s last acts before the handover from Liberty to Kantara was to submit the final version of specifications for identity federation framework (ID-FF) 1.2 to OASIS for inclusion in SAML 2.0.

The latest ID-FF specification contains the core requirements that allow for the creation of a standardized, multi-vendor identity federation network. The group also confirmed support for SAML 2.0 in its identity web services framework (ID-WSF) standards, thereby completing the solution cycle for web services down to deployment level.

The importance of the FIM standards work that Liberty has undertaken since its inception cannot be overstated, and can be better understood by detailing the respective roles of its core initiatives:

ID-FF

The Identity federation framework supports the sharing of an entity’s identity between domains to facilitate SSO between consenting parties in a federated relationship. It specifies the requirements for using a common authentication approach across multiple sites within an organization, and can also be used to extend collaborative relationships across third-party domains using open standards.

A federated network identity can be defined as the combination of different identities: passwords, software and hardware tokens, and other attributes known to all the organizations that are part of an agreement to provide collaborative services. Liberty’s ID-FF architecture describes a schema that is intended to provide each identity holder with common and consistent control, better privacy, and fewer requests for the reconfirmation of their credentials.

ID-WSF

The identity web services framework provides a set of specifications that support and promote the use of secure web services. ID-WSF was developed as part of Liberty’s phase two specifications, which added to the earlier ID-FF release. As has already been identified, ID-FF focuses on federating the user’s authentication and SSO, whereas ID-WSF defines specifications for web services in a federated environment.

Among the key issues addressed by ID-WSF specifications is that of maintaining a federated environment for establishing trust between all participating entities without the need to reveal a participating user’s identity. The diagram in Figure 5.4.1, provided by the Liberty Alliance, illustrates the relationship between entities in such an environment and adds a practical structure to the conceptual circle of trust diagrams shown earlier in the paper.

Important drivers within ID-FF and ID-WSF include separate roles for service providers and identity providers. Although not necessarily different entities, in their role of identity provider, these organizations can perform the initial authentication and vouch for the customer to the service provider. To make this approach work, other service providers would then need to trust the identity provider.
Figure 5.4.1: Relationships within a circle of trust (entities shown in the diagram: principal, in roles such as customer, employee and game user; service providers such as web content, games and merchant site; identity-based web service providers such as geolocation and payment; identity provider offering authentication, federation, discovery service and personal profile). Source: Liberty Alliance (Kantara)

ID-WSF DST

The identity web services framework, data services template (ID-WSF-DST) framework specifies the data layer that can be extended by any instance of a data service. An example of a data service could be an online corporate directory. When a user needs to contact a colleague, they can conduct a search based on the individual’s name and other known elements of their corporate identity. The data service returns information associated with that individual. Information provided could include office location, contact number, job title, and department. ID-WSF-DST provides the data model and required message interfaces.

Figure 5.4.2 illustrates how the Liberty access manager uses the ID-WSF-DST framework for data services. The web services framework in access manager uses the Liberty ID-WSF-DST to develop data services. Within the framework, Liberty access manager, personal profile service (PPS) and Liberty employee profile service (EPS) were developed on top of the web services framework, and allow additional data services to be developed by end-user organizations.
Figure 5.4.2: Liberty identity web services, data services template framework (layers shown in the diagram: Liberty ID-SIS data services, such as the Liberty personal profile service; Liberty ID-WSF data services template specification; discovery service and SOAP binding; Liberty web services framework). Source: Liberty Alliance (Kantara)

ID-SIS

The Liberty identity service interface specification (ID-SIS) operates with ID-WSF and ID-FF to provide networked identity services, such as contacts, presence detection, and directory services, that depend on the consistent use of a network identity.

The SIS component contains two relevant specifications. Firstly, ID-SIS personal profile (ID-SIS PP), which is a web-service-based offering. It provides user profile information such as name, identity, and contact information. It can also contain contact numbers, email details and other information such as employment and public key details. The second component, ID-SIS employee profile (ID-SIS EP), is a web service that provides basic employee profile information using the same structure as the ID-SIS PP approach.
The role of the Liberty Alliance has transitioned to Kantara and OASIS, and other interest groups are co-operating

The future of federated identity standards is transitioning from being under the control of a number of disconnected groups that for many years had gone their own way. Some progress is being made toward a position where these groups are working together to collaborate on common areas of interest. OASIS with SAML, and Kantara (formerly the Liberty Alliance) with its federated identity interest group work, are becoming increasingly integrated in their approaches. Of late, there has also been a closing of the gap between WS-Federation and the rest. However, nervousness remains that future developments may not continue in the same direction and there will remain a need for the suppliers of IAM- and FIM-based technology solutions to continue to incorporate the contributions from all major standards authorities.

5.5 Recommendations

Recommendations for enterprises

The use of good-quality FIM technology allows business organizations to run lean and efficient supply systems. Organizations continue to look for innovative and effective ways to deliver their services. The automation of operational systems and the ability to collaborate and share information using FIM is one way of achieving these objectives. FIM technology can be used to create local as well as global interoperability between online businesses and trading partners using agreed identity management approaches.

Recommendations for vendors

Competing vendors and end-user organizations have taken too long to agree on unifying IAM and FIM standards. Better and more effective answers are still needed. Vendors continue to give the deployment of federated identity solutions a high priority, but must address the fundamental cost and complexity issues that are slowing down take-up. To address business resistance to FIM, vendors need to work towards developing federation technology that can sit alongside their existing identity management SSO and provisioning deployments as an easier-to-use and simpler-to-deploy package.
CHAPTER 6: Technology comparison
6.1 Summary

Catalyst

To provide a comprehensive analysis of the competitive landscape in the identity and access management (IAM) market, Ovum has developed its IAM Decision Matrix. This report explores the competitive dynamics within the IAM market and helps businesses select a vendor based on technology strength, impact in the market, and reputation among customers. Ovum provides a complete view of vendor capabilities and advises on those you should explore, consider, and shortlist.

Ovum view

The core elements of the IAM market are considered to be mature. However, vendor investment and innovation carries on as the leading vendors continue to acquire additional technology and extend the scope of the market. Several software conglomerates dominate the IAM sector and over the last three years, the number of specialists has declined. However, a number of smaller best-of-breed players remain to serve specific niche areas, such as strong authentication, provisioning services, and privileged user controls. Ovum believes that there is the potential for some of these specialist vendors to compete and grow their market share.

Key messages

The following trends summarize the competitive dynamics of the IAM market:

- CA, IBM, Novell and Oracle provide the most extensive technology solutions, and as such, dominate the sector.
- Competition between the leading players is strong, especially in highly regulated verticals such as financial services, healthcare, and government.
- Although vendors prefer to talk about large-scale, enterprise-wide deployments, the majority of IAM implementations remain at a strategic level.
- Microsoft has achieved good penetration in the small to medium enterprise markets.
- RSA remains the dominant player in enterprise authentication.
- Entrust, Evidian, and Hitachi represent the smaller IAM vendors, but should be seriously considered because of the impressive nature of their respective IAM suites.
- BMC does not have a technology audit in this report because its IAM strategy has changed. It now markets its IAM product as a component of its Business Service Management (BSM) offering.
6.2 IAM Features Matrix

Features Matrix methodology

Through a combination of one-to-one interviews, product evaluation, and deep background research, Ovum analysts have compiled a comparative product analysis and comprehensive features matrix across nine major IAM categories:

- Authentication technology covers specific areas such as the provision of strong authentication, biometrics, token-based solutions, smartcard authentication, support for mobile devices, and the ability to support physical and logical authentication using a single approach.
- Enterprise and web single sign-on (SSO) breaks down into SSO capabilities to cover the key areas of enterprise SSO and web SSO.
- User provisioning and role management deals with the requirements to set up, maintain, and ultimately remove services from individuals and user groups, and also covers the need for role-based management services.
- Password management takes into account core identity management services that cover areas such as password frequency change controls, content controls, structure controls, and the automatic generation of system controlled passwords.
- Access control covers key IAM capabilities such as centrally controlled access management, policy- and rules-driven controls, administrator rights, and the ability to reduce and control specific administrator capabilities, including the segregation of duties.
- Federated identity management (FIM) deals with the control of inter-company and third-party relationships covering issues such as support for members of a federated circle of trust, contact relationships with partners, and the provision of support for local policy controls as users move across third-party facilities.
- Administration and policy management covers both central and locally controlled and delegated administration responsibilities.
- Infrastructure supported covers a wide variety of areas, including directories, operating systems, application platforms, web servers, and communications protocols.
- Standards and authorities. A wide range of appropriate authorities and standards such as Kantara (formerly the Liberty Alliance), Security Assertion Markup Language (SAML) and a whole host of others are compared.
Features Matrix: Authentication technology (CA, Entrust, Evidian, Hitachi, IBM)

Products compared in this column group: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Management Products; IBM – IBM Tivoli Identity and Access Portfolio (version 8).

AUTHENTICATION TECHNOLOGY | CA | Entrust | Evidian | Hitachi | IBM

Authentication capabilities supported:
Two-factor authentication | O | Y | Y | Y | Y
Token-based authentication | A | Y | Y | A | Y
Smartcard authentication | A | O | Y | A | A
Mobile and smartphone based device authentication | A | Y | O | Y | A
Physical and logical authentication from a single approach or device | A | A | Y | Y | A
Use of variable authentication levels depending on the actions that the user wishes to perform | Y | Y | Y | Y | Y

Authentication types and secure access channels owned and delivered as part of the core IAM solution:
Fixed passwords | Y | Y | Y | Y | Y
One-time generated passwords | Y | Y | Y | Y | Y
Smartcard authentication | Y | Y | Y | Y | A
Biometrics | Y | A | Y | Y | A
Mutual grid authentication (serial number and location reply) | Y | Y | N | N | Y
Mutual site validation (site validates unique response back to user) | Y | Y | N | N | Y
TAN and paper-based transaction authentication | Y | Y | N | Y | Y
Machine authentication (user pre-registered machines) | Y | Y | N | N | Y
Scratch cards | Y | Y | N | Y | Y
Certificates X.509 | Y | Y | Y | Y | Y
GrIDsure authentication | N | N | N | N | Y
Knowledge-based authentication (previously registered responses) | Y | Y | Y | Y | Y
Other important authentication forms supported: risk-based | Y | Y | Y | Y | O

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Features Matrix: Authentication technology (Microsoft, Novell, Oracle, RSA)

Products compared in this column group: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

AUTHENTICATION TECHNOLOGY | Microsoft | Novell | Oracle | RSA

Authentication capabilities supported:
Two-factor authentication | Y | Y | Y | Y
Token-based authentication | Y | Y | A | Y
Smartcard authentication | Y | Y | A | Y
Mobile and smartphone based device authentication | A | Y | A | Y
Physical and logical authentication from a single approach or device | A | Y | A | N
Use of variable authentication levels depending on the actions that the user wishes to perform | Y | Y | Y | Y

Authentication types and secure access channels owned and delivered as part of the core IAM solution:
Fixed passwords | Y | Y | Y | Y
One-time generated passwords | Y | Y | Y | Y
Smartcard authentication | Y | Y | A | Y
Biometrics | O | Y | A | A
Mutual grid authentication (serial number and location reply) | N | Y | N | Y
Mutual site validation (site validates unique response back to user) | N | Y | Y | Y
TAN and paper-based transaction authentication | N | Y | N | N
Machine authentication (user pre-registered machines) | Y | Y | Y | Y
Scratch cards | A | Y | A | N
Certificates X.509 | Y | Y | Y | Y
GrIDsure authentication | A | N | N | N
Knowledge-based authentication (previously registered responses) | Y | Y | Y | Y
Other important authentication forms supported: risk-based | O | N | Y | Y

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Features Matrix: Enterprise and web single sign-on (SSO), for enterprise SSO usage (CA, Entrust, Evidian, Hitachi, IBM)

ENTERPRISE SSO | CA | Entrust | Evidian | Hitachi | IBM

Provide support for:
Centrally managed SSO services | Y | A | Y | Y | Y
Distributed and locally delegated SSO services | Y | A | Y | Y | Y
Desktop and laptop SSO access | Y | A | Y | Y | Y
Employee access | Y | A | Y | Y | Y
Fixed term access with automated de-provisioning (e.g. contractor access) | Y | A | Y | Y | Y
Customer access | Y | A | Y | N | Y
Partner organization access | Y | A | N | N | Y

Provide facilities across:
Trusted internal networks | Y | A | Y | Y | Y
Trusted external enterprise networks | Y | A | Y | Y | Y
Trusted partner networks | Y | A | Y | Y | Y
Authorised B2B networks | Y | A | Y | Y | Y
Support for application level SSO | N | A | N | Y | Y
Support for mobile sessions across different workstations (e.g. healthcare workers) | N | A | N | N | Y

Security facilities available:
Provision of encrypted directory protection | Y | A | Y | N | Y
Secure login services – use of secure login scripts | Y | A | Y | Y | Y
Minimum SSO standards – use of two-factor authentication | Y | A | Y | N | Y
Logoff warning settings | Y | A | Y | N | Y
Individual user or group time settings | Y | A | Y | N | Y
Automated terminal locks based on the use of proximity cards | Y | A | N | N | Y

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Features Matrix: Enterprise and web single sign-on (SSO), for enterprise SSO usage (Microsoft, Novell, Oracle, RSA)

ENTERPRISE SSO | Microsoft | Novell | Oracle | RSA

Provide support for:
Centrally managed SSO services | Y | Y | Y | N
Distributed and locally delegated SSO services | Y | Y | Y | N
Desktop and laptop SSO access | Y | Y | O | N
Employee access | Y | Y | Y | N
Fixed term access with automated de-provisioning (e.g. contractor access) | Y | Y | Y | N
Customer access | Y | Y | Y | N
Partner organization access | Y | Y | Y | N

Provide facilities across:
Trusted internal networks | Y | Y | Y | N
Trusted external enterprise networks | Y | Y | Y | N
Trusted partner networks | Y | Y | Y | N
Authorised B2B networks | Y | Y | Y | N
Support for application level SSO | Y | Y | Y | N
Support for mobile sessions across different workstations (e.g. healthcare workers) | Y | Y | O | N

Security facilities available:
Provision of encrypted directory protection | Y | Y | Y | N
Secure login services – use of secure login scripts | Y | Y | Y | N
Minimum SSO standards – use of two-factor authentication | Y | Y | Y | N
Logoff warning settings | Y | Y | Y | N
Individual user or group time settings | Y | Y | Y | N
Automated terminal locks based on the use of proximity cards | A | N | N | N

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Features Matrix: Enterprise and web single sign-on (SSO) (continued), for web SSO usage (CA, Entrust, Evidian, Hitachi, IBM)

WEB SSO | CA | Entrust | Evidian | Hitachi | IBM

Provide support for:
Web-based employee access | Y | Y | Y | A | Y
Business partner access | Y | Y | Y | A | Y
Known customer/client access | Y | Y | Y | A | Y
Unknown customer access | Y | N | Y | A | Y
Centrally managed SSO services | Y | Y | Y | A | Y
Distributed and locally controlled SSO services | Y | Y | Y | A | Y
SAML | Y | Y | Y | A | Y
WS-Federation | Y | N | A | A | Y

Provides extended support for:
Software as a Service (SaaS) environments | Y | Y | Y | A | Y
Outsourced services | Y | Y | Y | A | Y
Out-of-the-box integration with other third-party access management systems | N | Y | Y | A | Y
Two factor authentication | Y | Y | Y | A | Y
Tokens that carry user identity information | Y | Y | Y | A | Y
Working within web services environments | Y | Y | Y | A | Y

Security facilities available:
Secure login services – use of secure login scripts | Y | Y | Y | A | Y
Logoff warning settings | Y | Y | Y | A | Y
The creation and use of security certificates | Y | Y | Y | A | Y
Operate as a WS-Trust Security Token Service | N | N | A | A | Y
Allow the importation and creation of user/partner security certificates | Y | Y | Y | A | Y
Accept and support automatic notifications when user/partner security certificates are about to expire | Y | Y | A | A | Y
Controlling user access to web services through the corporate SSO infrastructure | Y | Y | A | A | Y

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
ENTERPRISE AND WEB SINGLE SIGN-ON (SSO) (continued)

FOR WEB SSO USAGE

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Provide support for: | Web-based employee access | Y | Y | Y | Y |
| | Business partner access | Y | Y | Y | Y |
| | Known customer/client access | Y | Y | Y | Y |
| | Unknown customer access | Y | Y | Y | Y |
| | Centrally managed SSO services | Y | Y | Y | Y |
| | Distributed and locally controlled SSO services | Y | Y | Y | Y |
| | SAML | Y | Y | Y | Y |
| | WS Federation | Y | Y | Y | Y |
| Provides extended support for: | Software as a Service (SaaS) environments | Y | A | Y | Y |
| | Outsourced services | Y | Y | Y | Y |
| | Out-of-the-box integration with other third-party Access Management systems | Y | N | Y | Y |
| | Two factor authentication | Y | Y | Y | Y |
| | Tokens that carry user identity information | Y | N | Y | Y |
| | Working within Web services environments | Y | Y | Y | Y |
| Security facilities available: | Secure login services – use of secure login scripts | Y | Y | Y | Y |
| | Logoff warning settings | Y | Y | Y | Y |
| | The creation and use of security certificates | Y | Y | Y | Y |
| | Operate as a WS-Trust Security Token Service | Y | Y | Y | Y |
| | Allow the importation and creation of user/partner security certificates | Y | Y | Y | Y |
| | Accept and support automatic notifications when user/partner security certificates are about to expire | Y | Y | Y | Y |
| | Controlling user access to web services through the corporate SSO infrastructure | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Provisioning facilities provided: | Provisioning Rules Engine | Y | Y | Y | Y | Y |
| | Centrally managed, administrator controlled provisioning and de-provisioning services | Y | Y | Y | Y | Y |
| | Delegated and locally managed provisioning services | Y | Y | Y | Y | Y |
| | Permission-based, self-service provisioning facilities | Y | Y | Y | Y | Y |
| | Organization defined provisioning workflows | Y | Y | Y | Y | Y |
| Provisioning services: | Setup and management of master and associated directories | Y | A | Y | Y | Y |
| | Automated set up of users based on predefined job, role, work group templates | Y | A | Y | Y | Y |
| | Role-based user access rights | Y | Y | Y | Y | Y |
| | Rule-based user access rights | Y | Y | Y | Y | Y |
| | Unique individual access rights | Y | Y | Y | Y | Y |
| | Provisioning based on previously available access rights | N | Y | N | Y | Y |
| | Group and departmental user provisioning | Y | A | Y | Y | Y |
| | Third party user access accounts | Y | A | Y | Y | Y |
| | Resolution of access rights between people with the same user id | Y | A | Y | Y | Y |
| | Automatic links to HR information for records update | Y | A | Y | Y | Y |
| | Automated links to the creation of user mailboxes | Y | A | Y | Y | Y |
| | Merger of access rights from different identity management systems (e.g. following acquisitions) | Y | A | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Provisioning facilities provided: | Provisioning Rules Engine | Y | Y | Y | A |
| | Centrally managed, administrator controlled provisioning and de-provisioning services | Y | Y | Y | A |
| | Delegated and locally managed provisioning services | Y | Y | Y | A |
| | Permission-based, self-service provisioning facilities | Y | Y | Y | A |
| | Organization defined provisioning workflows | Y | Y | Y | A |
| Provisioning services: | Setup and management of master and associated directories | Y | Y | Y | A |
| | Automated set up of users based on predefined job, role, work group templates | Y | Y | Y | A |
| | Role-based user access rights | Y | Y | Y | A |
| | Rule-based user access rights | Y | Y | Y | A |
| | Unique individual access rights | Y | Y | Y | A |
| | Provisioning based on previously available access rights | Y | Y | Y | A |
| | Group and departmental user provisioning | Y | Y | Y | A |
| | Third party user access accounts | Y | Y | Y | A |
| | Resolution of access rights between people with the same user id | Y | Y | Y | A |
| | Automatic links to HR information for records update | Y | Y | Y | A |
| | Automated links to the creation of user mailboxes | Y | Y | Y | A |
| | Merger of access rights from different identity management systems (e.g. following acquisitions) | Y | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING (continued)

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Provisioning facilities provided (continued): | Automated workflow for authorising and processing user resource access requests | Y | A | Y | Y | Y |
| | Incorporate the control of access to cloud services into the enterprise provisioning process | Y | N | A | Y | A |
| | Ensuring that only users registered in the enterprise directory can use cloud services | Y | N | N | Y | Y |
| De-provisioning services: | Managed (policy-based) de-provisioning services | Y | A | Y | Y | Y |
| | Removal of redundant master and associated directories | Y | A | N | Y | Y |
| | Removal of redundant job/role templates | Y | A | N | Y | Y |
| | Removal of redundant departmental access rights | Y | A | N | Y | Y |
| | Removal of selected individual users and all associated access links | Y | Y | Y | Y | Y |
| | Removal of selected individual account rights from a user | Y | A | Y | Y | Y |
| | Control over the de-provisioning of third-party users | Y | A | Y | Y | Y |
| | Rules-based automated de-provisioning/account disablement facilities | Y | A | Y | Y | Y |
| | Automated user de-provisioning due to expired usage periods | Y | A | Y | Y | Y |
| | Automated de-provisioning of specific entitlements due to expired usage periods | Y | A | Y | Y | Y |
| | User de-provisioned using HR leavers list | Y | A | Y | Y | Y |
| | De-provisioning of associated user mailboxes for leavers | Y | A | Y | Y | Y |
| | Automated user de-provisioning as a response to suspect activities | Y | A | A | A | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING (continued)

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Provisioning facilities provided (continued): | Automated workflow for authorising and processing user resource access requests | Y | Y | Y | A |
| | Incorporate the control of access to cloud services into the enterprise provisioning process | Y | Y | Y | A |
| | Ensuring that only users registered in the enterprise directory can use cloud services | Y | Y | Y | A |
| De-provisioning services: | Managed (policy-based) de-provisioning services | Y | Y | Y | A |
| | Removal of redundant master and associated directories | Y | Y | Y | A |
| | Removal of redundant job/role templates | Y | Y | Y | A |
| | Removal of redundant departmental access rights | Y | Y | Y | A |
| | Removal of selected individual users and all associated access links | Y | Y | Y | A |
| | Removal of selected individual account rights from a user | Y | Y | Y | A |
| | Control over the de-provisioning of third-party users | Y | Y | Y | A |
| | Rules-based automated de-provisioning/account disablement facilities | Y | Y | Y | A |
| | Automated user de-provisioning due to expired usage periods | Y | Y | Y | A |
| | Automated de-provisioning of specific entitlements due to expired usage periods | Y | Y | Y | A |
| | User de-provisioned using HR leavers list | Y | Y | Y | A |
| | De-provisioning of associated user mailboxes for leavers | Y | Y | Y | A |
| | Automated user de-provisioning as a response to suspect activities | O | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING (continued)

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| De-provisioning services (continued): | Automated update links to company archiving facilities | N | A | Y | Y | Y |
| | Automated de-provisioning from SaaS, PaaS, and IaaS services | Y | A | Y | Y | A |
| | Incorporate the removal of access to cloud services into the enterprise de-provisioning process | Y | N | A | Y | Y |
| Reporting and alerting facilities: | Reporting (alerts, e-mails, or reports) when new user access rights are created | Y | Y | Y | Y | Y |
| | Reporting when user/account changes occur | Y | Y | Y | Y | Y |
| | Reporting when de-provisioning activity takes place | Y | Y | Y | Y | Y |
| | Generation of full audit trail reporting maintained to support change management | Y | Y | Y | Y | Y |
| | Provision of customized reporting facilities | Y | Y | Y | A | Y |
| Provision of: | Systems activity reports | Y | Y | Y | Y | Y |
| | Dormant account reports | Y | A | Y | Y | Y |
| | Failed access reports | Y | Y | Y | Y | Y |
| | Policy-based reporting | Y | A | Y | Y | Y |
| | Policy-based management reporting for administrators | Y | A | Y | Y | Y |
| | Regular management reporting | Y | A | Y | Y | Y |
| | Policy-based management alerts | Y | A | Y | Y | Y |
| Workflow facilities: | Is workflow provided as a core component of the provisioning solution | O | Y | Y | Y | Y |
| | Can workflow activity be pre-configured and automated | Y | Y | Y | Y | Y |
| | Does the workflow system support real-time owner interactions | Y | Y | Y | Y | Y |
| | Can external and third-party workflow be imported | Y | A | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING (continued)

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| De-provisioning services (continued): | Automated update links to company archiving facilities | O | Y | Y | A |
| | Automated de-provisioning from SaaS, PaaS, and IaaS services | Y | Y | Y | A |
| | Incorporate the removal of access to cloud services into the enterprise de-provisioning process | Y | Y | Y | A |
| Reporting and alerting facilities: | Reporting (alerts, e-mails, or reports) when new user access rights are created | Y | Y | Y | A |
| | Reporting when user/account changes occur | Y | Y | Y | A |
| | Reporting when de-provisioning activity takes place | Y | Y | Y | A |
| | Generation of full audit trail reporting maintained to support change management | O | Y | Y | A |
| | Provision of customized reporting facilities | Y | Y | Y | A |
| Provision of: | Systems activity reports | O | Y | Y | Y |
| | Dormant account reports | O | Y | Y | A |
| | Failed access reports | O | Y | Y | Y |
| | Policy-based reporting | O | Y | Y | Y |
| | Policy-based management reporting for administrators | O | Y | Y | Y |
| | Regular management reporting | O | Y | Y | Y |
| | Policy-based management alerts | Y | Y | Y | Y |
| Workflow facilities: | Is workflow provided as a core component of the provisioning solution | Y | Y | Y | A |
| | Can workflow activity be pre-configured and automated | Y | Y | Y | A |
| | Does the workflow system support real-time owner interactions | Y | Y | Y | A |
| | Can external and third-party workflow be imported | Y | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Password management: | Provision of password frequency change controls | Y | Y | Y | Y | Y |
| | Provision of password structure controls | Y | Y | Y | Y | Y |
| | Automatic generation of system controlled passwords | Y | Y | Y | Y | Y |
| | Provision of frequency change controls for user security questions | Y | Y | Y | Y | Y |
| | Control over password reuse | Y | Y | Y | Y | Y |
| | Control over password reset policy | Y | Y | Y | Y | Y |
| | Provision of password encryption facilities | Y | Y | Y | Y | Y |
| | Special management facilities to control and identify privileged users | Y | N | N | Y | Y |
| Self-service capabilities supported: | Generation of new user and associated passwords | Y | Y | Y | Y | Y |
| | Set up of passwords for additional systems resources | Y | Y | Y | Y | Y |
| | The reset of lost and forgotten passwords | Y | Y | Y | Y | Y |
| | Generation of rules-based random passwords | Y | Y | Y | Y | Y |
| | Scheduled password changes | Y | Y | Y | Y | Y |
| | Unscheduled password changes | Y | Y | Y | Y | Y |
| | Test password/confirmation facility prior to change | Y | Y | Y | Y | Y |
| | Modification of user security questions | Y | Y | Y | Y | Y |
| | Locking and unlocking of user accounts | Y | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Password management: | Provision of password frequency change controls | Y | Y | Y | Y |
| | Provision of password structure controls | Y | Y | Y | Y |
| | Automatic generation of system controlled passwords | Y | Y | Y | Y |
| | Provision of frequency change controls for user security questions | Y | Y | Y | Y |
| | Control over password reuse | Y | Y | Y | Y |
| | Control over password reset policy | Y | Y | Y | Y |
| | Provision of password encryption facilities | Y | Y | Y | Y |
| | Special management facilities to control and identify privileged users | Y | N | Y | N |
| Self-service capabilities supported: | Generation of new user and associated passwords | Y | Y | Y | Y |
| | Set up of passwords for additional systems resources | Y | Y | Y | Y |
| | The reset of lost and forgotten passwords | Y | Y | Y | Y |
| | Generation of rules-based random passwords | Y | Y | Y | Y |
| | Scheduled password changes | Y | Y | Y | Y |
| | Unscheduled password changes | Y | Y | Y | Y |
| | Test password/confirmation facility prior to change | O | Y | Y | Y |
| | Modification of user security questions | Y | Y | Y | Y |
| | Locking and unlocking of user accounts | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT (continued)

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Security features: | Alerts/confirmations sent when passwords change | Y | Y | Y | Y | Y |
| | Alerts sent when maximum failed access attempts exceeded | Y | Y | Y | Y | Y |
| | Alerts sent when access timeouts exceeded | Y | Y | N | Y | Y |
| | Alerts sent to user prior to password expiry | Y | Y | Y | Y | Y |
| | Automatic alerts for administrators on dormant accounts | Y | Y | N | Y | Y |
| | Report information generated when password details change | Y | Y | Y | Y | Y |
| | Report information generated when password anomalies occur | Y | Y | Y | Y | Y |
| | Audit trail information generated when password details change | Y | Y | Y | Y | Y |
| | Full audit trail information generated on all password actions | Y | Y | Y | Y | Y |
| | Automatic lock out when access rules are breached | Y | Y | Y | Y | Y |
| | Hardened HSM black box protection | Y | Y | Y | A | N |
| Workflow: | Can workflow be used to provide across system synchronisation when passwords change | Y | Y | Y | Y | Y |
| | Is workflow a core component of the password management solution | Y | Y | Y | Y | Y |
| | Can workflow activity be pre-configured and automated | Y | Y | Y | Y | Y |
| | Does the workflow system support real-time owner interactions | Y | Y | Y | Y | Y |
| | Is external and third-party workflow supported | Y | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT (continued)

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Security features: | Alerts/confirmations sent when passwords change | Y | Y | Y | Y |
| | Alerts sent when maximum failed access attempts exceeded | Y | Y | Y | Y |
| | Alerts sent when access timeouts exceeded | Y | Y | Y | Y |
| | Alerts sent to user prior to password expiry | Y | Y | Y | Y |
| | Automatic alerts for administrators on dormant accounts | Y | Y | Y | Y |
| | Report information generated when password details change | Y | Y | Y | Y |
| | Report information generated when password anomalies occur | Y | Y | Y | Y |
| | Audit trail information generated when password details change | Y | Y | Y | Y |
| | Full audit trail information generated on all password actions | Y | Y | Y | Y |
| | Automatic lock out when access rules are breached | Y | Y | Y | Y |
| | Hardened HSM black box protection | Y | N | Y | Y |
| Workflow: | Can workflow be used to provide across system synchronisation when passwords change | Y | Y | Y | A |
| | Is workflow a core component of the password management solution | Y | Y | Y | A |
| | Can workflow activity be pre-configured and automated | Y | Y | Y | A |
| | Does the workflow system support real-time owner interactions | Y | Y | Y | A |
| | Is external and third-party workflow supported | Y | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT (continued)

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Workflow (continued): | Can workflow provide across enterprise automated password update capabilities | Y | Y | Y | Y | Y |
| | Can workflow be used to deliver across enterprise systems pass-through capabilities | Y | Y | Y | Y | Y |

ACCESS CONTROL

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Do the range of access control facilities supported include: | Server-based access controls | Y | Y | Y | Y | Y |
| | Centrally controlled Access Management – central console management | Y | Y | Y | Y | Y |
| | Policy-driven user access controls | Y | Y | Y | Y | Y |
| | Blocking of anonymous privileged user access | Y | N | N | Y | Y |
| | Audit and reporting of privileged user actions | Y | N | Y | Y | Y |
| | Controls to reduce specific administrator rights | Y | Y | Y | Y | Y |
| | The ability to enforce segregation of administrator duties | Y | Y | Y | Y | Y |
| | Controls to delegate limited administrator rights down to local administrators | Y | Y | Y | A | Y |
| | Controls to regulate systems and database manager access privileges | Y | N | A | Y | Y |
| | Identity-based access to web services | Y | Y | Y | A | Y |
| | Legacy application access | Y | Y | Y | Y | Y |
| | Control over web browser access | Y | Y | Y | A | Y |
| | Control over portal access | Y | Y | Y | A | Y |
| | Status controls over end-user devices (AV patch management status, etc.) | N | N | N | A | N |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT (continued)

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Workflow (continued): | Can workflow provide across enterprise automated password update capabilities | Y | Y | Y | A |
| | Can workflow be used to deliver across enterprise systems pass-through capabilities | Y | Y | Y | A |

ACCESS CONTROL

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Do the range of access control facilities supported include: | Server-based access controls | Y | Y | Y | Y |
| | Centrally controlled Access Management – central console management | Y | Y | Y | Y |
| | Policy-driven user access controls | Y | Y | Y | Y |
| | Blocking of anonymous privileged user access | O | N | A | Y |
| | Audit and reporting of privileged user actions | Y | N | Y | N |
| | Controls to reduce specific administrator rights | Y | Y | Y | Y |
| | The ability to enforce segregation of administrator duties | Y | Y | Y | Y |
| | Controls to delegate limited administrator rights down to local administrators | Y | Y | Y | Y |
| | Controls to regulate systems and database manager access privileges | Y | Y | Y | N |
| | Identity-based access to web services | Y | Y | Y | Y |
| | Legacy application access | Y | Y | Y | Y |
| | Control over web browser access | Y | Y | Y | Y |
| | Control over portal access | Y | Y | Y | Y |
| | Status controls over end-user devices (AV patch management status, etc.) | Y | Y | N | N |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
ACCESS CONTROL (continued)

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Do the range of access control facilities supported include (continued): | Fully federated access control capabilities for external users | Y | Y | Y | A | Y |
| | Combined physical and logical access control | N | N | Y | Y | Y |
| | Access controls to virtual machines and stored VM images | Y | N | N | Y | Y |
| | Supports IBM RACF (Resource Access Control Facility) | Y | Y | Y | Y | Y |
| | Supports CA-ACF2 (eTrust) | Y | N | N | Y | Y |
| | Supports CA TopSecret | Y | N | N | Y | Y |
| Support for policy-based controls over users and systems: | Individual access controls at system login | Y | Y | Y | Y | Y |
| | Regulated access controls for systems resources – systems, processes, and programs | Y | Y | Y | Y | Y |
| | Time-based access controls | Y | Y | Y | Y | Y |
| | User location based access controls | Y | Y | Y | Y | Y |
| | Control over local policies for access control lists | Y | Y | Y | A | Y |
| | Control over local policies for user accounts | Y | Y | Y | A | Y |
| | Control over systems policies | Y | Y | Y | A | Y |
| | Control over web server policy | N | Y | Y | A | Y |
| | Control over application policy | Y | Y | Y | A | Y |
| | Support for a hierarchical approach to the distribution of policy updates | Y | Y | Y | A | Y |
| | Support for the automated distribution of new and updated access control policies | Y | Y | Y | A | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
ACCESS CONTROL (continued)

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Do the range of access control facilities supported include (continued): | Fully federated access control capabilities for external users | Y | Y | Y | Y |
| | Combined physical and logical access control | A | Y | Y | N |
| | Access controls to virtual machines and stored VM images | Y | Y | N | N |
| | Supports IBM RACF (Resource Access Control Facility) | A | Y | O | A |
| | Supports CA-ACF2 (eTrust) | A | Y | O | N |
| | Supports CA TopSecret | A | Y | O | N |
| Support for policy-based controls over users and systems: | Individual access controls at system login | Y | Y | Y | N |
| | Regulated access controls for systems resources – systems, processes, and programs | Y | Y | Y | N |
| | Time-based access controls | Y | Y | Y | Y |
| | User location based access controls | Y | Y | Y | Y |
| | Control over local policies for access control lists | Y | Y | Y | N |
| | Control over local policies for user accounts | Y | Y | Y | N |
| | Control over systems policies | Y | Y | Y | N |
| | Control over web server policy | Y | Y | Y | Y |
| | Control over application policy | Y | Y | Y | Y |
| | Support for a hierarchical approach to the distribution of policy updates | Y | Y | Y | Y |
| | Support for the automated distribution of new and updated access control policies | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
FEDERATED IDENTITY MANAGEMENT

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Federated services include: | The facilities to support federated network identity | Y | Y | Y | A | Y |
| | The provision of open SSO facilities that support decentralised authentication | Y | Y | Y | A | Y |
| | The provision of open SSO facilities that support authorisations from multiple providers | Y | Y | N | A | Y |
| | The provision of SSO support for members of a federated Identity management group | Y | Y | Y | A | Y |
| | The provision of SSO support for members of a federated circle of trust | Y | Y | Y | A | Y |
| | Support for direct user contact with a third-party services provider that can then be passed through to other third-parties | Y | N | Y | A | Y |
| | The provision of support for local policy controls as users move across third-party web facilities | Y | N | Y | A | Y |
| | Service provider interaction/notification when federated relationships change | Y | Y | A | A | Y |
| | The provision of notifications to other third-parties when user accounts are terminated by the identity provider | Y | Y | A | A | Y |
| | The provision of up-to-date lists of authorised users to other third-parties in a federated relationship | Y | Y | A | A | Y |
| | The provision of fully anonymous or temporary anonymous identities | Y | Y | A | A | Y |
| | Support for open navigation between identity providers (click-through, favourites, bookmarks, URL address bars, etc.) | Y | Y | Y | A | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
FEDERATED IDENTITY MANAGEMENT

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Federated services include: | The facilities to support federated network identity | Y | Y | Y | Y |
| | The provision of open SSO facilities that support decentralised authentication | Y | Y | Y | Y |
| | The provision of open SSO facilities that support authorisations from multiple providers | Y | Y | Y | Y |
| | The provision of SSO support for members of a federated Identity management group | Y | Y | Y | Y |
| | The provision of SSO support for members of a federated circle of trust | N | Y | Y | Y |
| | Support for direct user contact with a third-party services provider that can then be passed through to other third-parties | Y | Y | Y | Y |
| | The provision of support for local policy controls as users move across third-party web facilities | Y | Y | Y | Y |
| | Service provider interaction/notification when federated relationships change | Y | Y | Y | Y |
| | The provision of notifications to other third-parties when user accounts are terminated by the identity provider | Y | Y | Y | Y |
| | The provision of up-to-date lists of authorised users to other third-parties in a federated relationship | Y | N | Y | Y |
| | The provision of fully anonymous or temporary anonymous identities | N | Y | Y | Y |
| | Support for open navigation between identity providers (click-through, favourites, bookmarks, URL address bars, etc.) | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
FEDERATED IDENTITY MANAGEMENT (continued)

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Federated services include (continued): | Guarantee the confidentiality of information exchanged between identity providers | Y | Y | Y | A | Y |
| | Facilitating the mutual authentication of identities between service providers during SSO and authentication processes | Y | Y | Y | A | Y |
| | Support for set minimum authentication standards between parties | Y | N | Y | A | Y |
| | Support for re-authentication where inter-party rules dictate that the requested action class requires it | Y | N | Y | A | Y |
| | Enable the service provider to allow user authentication to come from a third-party identification provider | Y | Y | Y | A | Y |
| | Support the use of a single logout protocol to close all sessions that are in use by a particular user | Y | Y | A | A | Y |
| | Invoking support for different levels of authentication dependent on actions requested | Y | Y | Y | A | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
FEDERATED IDENTITY MANAGEMENT (continued)

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Federated services include (continued): | Guarantee the confidentiality of information exchanged between identity providers | Y | Y | Y | Y |
| | Facilitating the mutual authentication of identities between service providers during SSO and authentication processes | Y | Y | Y | Y |
| | Support for set minimum authentication standards between parties | Y | Y | Y | Y |
| | Support for re-authentication where inter-party rules dictate that the requested action class requires it | Y | Y | Y | Y |
| | Enable the service provider to allow user authentication to come from a third-party identification provider | Y | Y | Y | Y |
| | Support the use of a single logout protocol to close all sessions that are in use by a particular user | Y | Y | Y | Y |
| | Invoking support for different levels of authentication dependent on actions requested | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
ADMINISTRATION AND POLICY MANAGEMENT

Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian – Evidian IAM Suite; Hitachi – Hitachi-ID Portfolio Products; IBM – IBM Tivoli Identity and Access Management (version 8).

| Category | Facility | CA | Entrust | Evidian | Hitachi | IBM |
|---|---|---|---|---|---|---|
| Central and locally delegated administration controls: | Centrally controlled administration management | Y | Y | Y | Y | Y |
| | Delegated, locally controlled administration services | Y | Y | Y | Y | Y |
| | Centrally controlled – master directory services | Y | Y | A | Y | Y |
| | Delegated, locally controlled – distributed directory services | Y | N | A | Y | Y |
| | Central security repository | Y | Y | Y | Y | Y |
| | Administrator control over end-user machine status and location rules | Y | N | Y | Y | Y |
| Token management: | Control the addition of new token types | Y | Y | Y | Y | Y |
| | Control the revocation of tokens | Y | Y | Y | Y | Y |
| | Authorise the issue and reuse of tokens | Y | Y | Y | Y | Y |
| Audit trail and reporting facilities: | Provide user-level audit and reporting | Y | Y | Y | Y | Y |
| | Provide entitlement level audit and reporting | Y | Y | Y | Y | Y |
| | Provide administrator level audit and reporting | Y | Y | Y | Y | Y |
| | Provide management level audit and reporting | Y | Y | Y | Y | Y |
| | Provide administrator level alerting services | Y | Y | A | Y | Y |
| | Provide administrator level reporting on third-party and partner activity | Y | N | A | Y | Y |
| | Ability to configure reporting to fulfil specific business needs | Y | Y | Y | Y | Y |
| | Report on privileged user access and usage | Y | N | A | Y | Y |
| | Record the use of all cloud services in corporate activity logs | Y | N | A | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
ADMINISTRATION AND POLICY MANAGEMENT

Columns: Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Category | Facility | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|
| Central and locally delegated administration controls: | Centrally controlled administration management | Y | Y | Y | Y |
| | Delegated, locally controlled administration services | Y | Y | Y | Y |
| | Centrally controlled – master directory services | Y | Y | Y | Y |
| | Delegated, locally controlled – distributed directory services | Y | Y | Y | Y |
| | Central security repository | Y | Y | Y | Y |
| | Administrator control over end-user machine status and location rules | Y | Y | Y | Y |
| Token management: | Control the addition of new token types | Y | Y | Y | Y |
| | Control the revocation of tokens | Y | Y | Y | Y |
| | Authorise the issue and reuse of tokens | Y | Y | Y | Y |
| Audit trail and reporting facilities: | Provide user-level audit and reporting | Y | Y | Y | Y |
| | Provide entitlement level audit and reporting | Y | Y | Y | Y |
| | Provide administrator level audit and reporting | Y | Y | Y | Y |
| | Provide management level audit and reporting | Y | Y | Y | Y |
| | Provide administrator level alerting services | Y | Y | Y | Y |
| | Provide administrator level reporting on third-party and partner activity | A | Y | Y | Y |
| | Ability to configure reporting to fulfil specific business needs | A | Y | N | Y |
| | Report on privileged user access and usage | Y | N | Y | N |
| | Record the use of all cloud services in corporate activity logs | N | Y | N | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
INFRASTRUCTURE SUPPORTED

Capability | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Key LDAP directories supported:
  IBM | Y | N | Y | Y | Y | Y | Y | Y | Y
  Microsoft Active Directory | Y | Y | Y | Y | Y | Y | Y | Y | Y
  OpenLDAP | Y | N | Y | Y | Y | O | Y | Y | N
  Novell eDirectory | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Oracle | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Sun | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Other important LDAP directories supported | Y | Y | Y | N | Y | Y | N | Y | N
Secure storage:
  Hardware Security Module (HSM) | N | A | Y | N | Y | Y | Y | Y | Y
Database platforms supported:
  IBM DB2 | Y | N | Y | Y | Y | Y | Y | Y | N
  NCR Teradata | Y | N | N | Y | N | N | Y | Y | N
  OpenLink Virtuoso | N | N | N | N | N | N | Y | Y | N
  Oracle | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Microsoft SQL Server | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Sybase | Y | N | Y | Y | N | O | N | Y | Y
  Other important database platforms supported | Y | N | Y | Y | Y | N | N | Y | N
Operating systems supported:
  IBM AIX | Y | Y | Y | Y | Y | N | Y | Y | Y
  IBM z/OS | Y | N | N | Y | Y | N | Y | N | Y
  Sun Solaris | Y | Y | Y | Y | Y | N | Y | Y | Y
  HP-UX | Y | Y | Y | Y | Y | N | Y | Y | Y
  HP OpenVMS | Y | N | N | Y | N | N | Y | N | Y
  HP Tru64 | Y | N | N | Y | Y | N | Y | Y | N
  SuSE Linux | Y | Y | Y | Y | Y | N | Y | Y | Y
  Red Hat Linux | Y | Y | Y | Y | Y | N | Y | Y | Y
  Novell NetWare and Open Enterprise Server | N | N | Y | Y | N | N | Y | N | N
  Windows | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Other important operating systems supported | N | N | N | Y | Y | N | N | Y | N
INFRASTRUCTURE SUPPORTED (continued)

Capability | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Fully integrated application platform support for:
  Oracle | Y | N | Y | Y | Y | Y | Y | Y | Y
  SAP | Y | N | Y | Y | Y | Y | Y | Y | Y
  Siebel | Y | N | N | Y | Y | O | Y | Y | Y
  PeopleSoft | Y | N | N | Y | Y | O | Y | Y | Y
  BEA | Y | Y | N | Y | Y | O | Y | Y | Y
  Lawson | Y | N | N | Y | Y | O | Y | Y | Y
  Microsoft | Y | N | Y | N | Y | Y | Y | Y | Y
  QAD | N | N | N | N | N | O | Y | N | Y
  Other important application platforms fully supported | Y | Y | N | Y | Y | N | N | Y | Y
  SaaS services supported | Y | N | N | Y | N | N | N | Y | Y
Web servers supported:
  Microsoft IIS | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Sun One Web Server | Y | Y | N | Y | Y | O | Y | Y | Y
  Lotus Domino | Y | Y | N | Y | Y | Y | Y | Y | Y
  IBM HTTP Server | Y | Y | N | Y | Y | O | Y | Y | Y
  Oracle HTTP Server | Y | Y | N | Y | Y | N | Y | Y | Y
  Domino Go | Y | N | Y | Y | Y | N | Y | Y | Y
  Red Hat Apache | Y | Y | Y | Y | Y | O | Y | Y | Y
  ASF Apache | Y | N | Y | Y | Y | A | N | Y | N
  Other important web servers supported | N | N | N | N | N | N | N | N | N
Helpdesk systems supported:
  BMC Remedy Service Management | Y | N | N | Y | Y | O | Y | Y | N
  Peregrine (HP) | Y | N | N | Y | N | N | Y | A | N
  Epicor ITSM | Y | N | N | N | N | N | Y | A | N
  FrontRange ITSM | Y | N | N | Y | N | N | Y | A | N
  HP OpenView Service Desk | Y | N | N | Y | N | N | Y | A | N
  CA Unicenter Service Desk | Y | N | N | Y | N | N | Y | A | N
  IBM Tivoli Service Request Manager | Y | N | N | Y | Y | N | N | A | N
  Other helpdesk systems supported | N | N | N | Y | N | N | N | N | N
INFRASTRUCTURE SUPPORTED (continued)

Capability | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Architectures supported:
  ODBC | Y | Y | Y | Y | Y | Y | Y | Y | Y
  UDI | Y | N | N | N | N | N | Y | N | Y
  JDBC | Y | Y | Y | N | Y | N | Y | Y | Y
  ADL | N | N | N | N | N | N | Y | N | N
  XAM | N | N | N | N | N | N | Y | N | N
  AJAX | Y | N | Y | Y | Y | Y | Y | Y | Y
  ECMA | N | N | N | Y | Y | N | Y | N | N
  Other important architectures supported | Y | N | N | Y | N | N | N | Y | N
Web access control facilities supported:
  IBM – Tivoli Access Manager | N | N | N | Y | Y | Y | Y | Y | N
  CA – SiteMinder | Y | N | N | Y | Y | Y | Y | Y | N
  Sun – Java System Access Manager | N | N | N | Y | Y | Y | Y | Y | N
  RSA – ClearTrust | N | N | N | Y | Y | Y | Y | Y | Y
  BMC Web Access Manager | N | N | N | N | Y | Y | Y | Y | N
  Evidian Access Manager | N | N | Y | N | Y | Y | N | Y | N
  Oracle Access Manager | N | N | N | Y | Y | Y | N | Y | N
  HTTP protocol controls | Y | N | Y | Y | Y | Y | N | Y | Y
  Use of proxy-based web agents | Y | N | Y | Y | Y | Y | N | Y | Y
  Other important web access control facilities supported | Y | N | N | Y | N | N | N | Y | N
STANDARDS AND AUTHORITIES

Capability | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Standards and authorities supported by the solution include:
  Kantara – Identity Assurance Framework | Y | Y | Y | N | Y | N | Y | Y | Y
  SAFE (Identity Validation and Interoperability Federation) | Y | Y | N | Y | Y | N | Y | N | Y
  ITIL (Information Technology Infrastructure Library) | Y | N | Y | Y | Y | Y | Y | Y | N
  ITSM (IT Service Management) | Y | N | Y | Y | Y | Y | Y | N | N
  ITSEC (Information Technology Security Evaluation Criteria) | Y | Y | Y | N | Y | Y | Y | N | Y
Protocols supported:
  SAML (Security Assertion Markup Language) | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Microsoft Information Card | Y | Y | N | Y | Y | Y | Y | Y | Y
  WS-Federation | Y | N | Y | Y | Y | Y | Y | Y | Y
  WS-Security | Y | N | Y | Y | Y | Y | Y | Y | Y
  RADIUS (Remote Authentication Dial-In User Service) | Y | N | Y | Y | Y | Y | Y | Y | Y
  SASL (Simple Authentication and Security Layer) | N | N | Y | N | Y | Y | Y | Y | Y
  XACML (eXtensible Access Control Markup Language) | N | Y | Y | N | Y | N | N | Y | Y
  JAAS (Java Authentication and Authorisation Service) | Y | N | Y | N | Y | N | Y | Y | Y
  ID-FF (Identity Federation Framework) | Y | N | Y | N | Y | N | Y | Y | Y
  ID-WSF (Identity Web Services Framework) | N | N | Y | N | Y | N | Y | Y | Y
  ID-SIS (Identity Service Interface Specifications) | N | N | Y | N | N | N | Y | Y | Y
  Kerberos | Y | Y | Y | Y | Y | Y | Y | Y | Y
  FTP | A | N | N | Y | Y | Y | Y | Y | N
  HTTP | Y | Y | Y | Y | Y | Y | Y | Y | Y
  SMTP | Y | N | N | Y | Y | Y | Y | Y | Y
  WebDAV | Y | N | N | N | Y | Y | Y | Y | N
  SOAP | Y | Y | Y | Y | Y | Y | Y | Y | Y
  Other important communication protocols supported | Y | N | N | Y | Y | N | N | N | N
STANDARDS AND AUTHORITIES (continued)

Capability | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Smart card standards supported:
  ISO 7816 | N | N | Y | Y | A | N | Y | A | Y
  ISO 14443 | N | N | Y | N | A | N | N | A | N
  ISO 15693 | N | N | Y | N | A | N | N | A | N
  PC/SC | N | Y | Y | Y | A | Y | Y | A | Y
  FIPS 201 | Y | Y | Y | Y | A | N | Y | Y | Y
  HSPD-12 | Y | Y | Y | Y | A | N | Y | Y | Y
Biometric standards supported:
  BioAPI | N | N | Y | A | Y | N | Y | Y | N
  BAPI | N | N | Y | A | N | N | N | A | N
  X9.84 | N | N | Y | A | N | N | Y | A | N
  CDSA/HRS | N | N | Y | A | N | N | N | A | N
  ANSI/NIST-ITL 2000 | N | N | Y | A | N | N | N | Y | N
6.3 IAM Decision Matrix

The IAM Decision Matrix is a visual summary of the leading vendors and products in the IAM market and of their capabilities, based on a quantitative assessment of their market impact and end-user sentiment, as well as their functional reach and technical capabilities. The Decision Matrix also guides organizations looking to deploy IAM technologies to the vendors and solutions they should immediately shortlist, consider, or explore. The following definitions are used for each of these recommendations:

Shortlist – These vendors' IAM products should be part of most organizations' shortlists for IAM technology selection. This category includes the leading solutions, signifying that the vendor has established a commanding market position with a product that is widely accepted as best of breed.

Consider – The vendors in this category have strong market positions and are selling and marketing their IAM solutions well. Their products offer competitive functionality and good price and performance, and should be considered as part of the technology selection process of most organizations.

Explore – Solutions in this category have narrower applicability, and may have limitations in function or in the vendor's ability to execute. However, they may still be the best choice to meet specific requirements and are thus worth exploring as an organization develops its options.

[Figure 6.3.1: Identity and Access Management Decision Matrix. Bubble chart with technology assessment (scale 1-10) on the x axis and customer sentiment (scale 1-10) on the y axis; bubble size represents market impact (impact = 0 to impact = 10), and the Shortlist, Consider and Explore regions are marked. Vendors plotted: CA, Evidian, Hitachi, IBM, Microsoft, Novell, Oracle and RSA; Entrust is shown with insufficient end-user feedback. Source: Ovum]
A successful IAM deployment is one that fully supports the organization's overall identity management, information access, business continuity, and regulatory compliance strategies. A decision to purchase one solution over another should therefore be based on a broad array of factors, including but not limited to the degree of alignment between the solution's features and functionality and the organization's specific objectives. Organizations should accordingly read Ovum's shortlist, consider, and explore recommendations in the context of their own business and solution requirements. Within each category the vendors are listed in alphabetical order.

The leaders: CA, IBM, Novell, and Oracle

The four IAM majors have the highest scores in the technology dimension and well-established, mature products. They have the technology breadth and depth, and the services capabilities, to be relevant to the most complex IAM requirements at the largest enterprises.

IBM has the highest customer sentiment scores among the four Shortlist vendors. In spite of its scale and the transformational nature of the projects it handles, IBM has an impressive execution record. Through its Tivoli division IBM has a long presence in the identity-management sector, and equally well-established credentials in systems management.

CA is among the largest vendors in the IAM space in terms of both technology footprint and length of market presence; it has one of the most comprehensive product portfolios and a significant market presence across all major industry sectors.

Novell's IAM approach retains a strong focus on regulatory compliance. Its product portfolio is relevant to all geographies, industry sectors, and enterprise sizes. The traditional heavy users of IAM, namely financial services, the public sector, healthcare, and telecommunications, predictably form an important part of Novell's installed base.

Following the Sun acquisition, Oracle has brought together two IAM platforms that were both strong contenders in their own right. It has done a good job of managing customer expectations after what was arguably the largest IAM acquisition in the market to date. Oracle maintains a comprehensive IAM technology stack that merits closer evaluation in most IAM selection processes.

All four vendors have a full suite of products and are successfully branching out into areas adjacent to IAM that Ovum believes will be increasingly relevant to IAM projects.

Figure 6.3.2: Identity and Access Management Decision Matrix (vendors in alphabetical order within each category). Source: Ovum

Shortlist: CA, IBM, Novell, Oracle
Consider: Evidian, Hitachi, Microsoft
Explore: Entrust, RSA

Oracle and Sun Microsystems were both in the 'Consider' category in the 2008 edition of the IAM Decision Matrix report. Collectively the two vendors are now a formidable force, and Oracle has moved to the Shortlist category. Oracle has scale and broad-based recognition as an IAM vendor, and it has managed the inevitable concerns around its technology roadmap following the Sun Microsystems acquisition well. Specific guidance on which product sets are strategic has been released, and existing users have been assured of support for product lines that will not be part of the strategic roadmap. In short, enterprises will not be forced into difficult decisions about the Oracle portfolio over the next few years.
Predictably, Oracle's competitors launched a number of programs to benefit from the transition (such as Novell announcing license-swap offers for Sun Microsystems' IAM solutions). However, our research does not indicate that their efforts have changed the market structure in any significant way. Oracle now has one of the fullest IAM stacks, and customers do not appear to have major concerns about the vendor's ability to manage the transition and its complex, overlapping set of offerings.

The challengers: Evidian, Hitachi, and Microsoft

These vendors are rated in the 'Consider' category mainly because, although their IAM solutions are strong, they do not always match the depth, breadth, or resources of the 'Shortlist' group.

Hitachi and Evidian are smaller vendors with impressive IAM suites. Hitachi-ID is a new entrant in the IAM Decision Matrix, and the Canada-based IAM subsidiary of the Asia-Pacific giant has impressed with strong customer sentiment scores. Hitachi-ID's technology scores are also impressive. There is little doubt about Hitachi's strengths in most aspects of the IAM stack; however, it does not play in the web SSO and access control parts of the IAM market.

Evidian's technology scores are impressive as well, and not far off Microsoft's. Evidian has moved up from an 'Explore' rating in the 2008 edition of the IAM Decision Matrix to 'Consider', largely on account of its technology scores. Evidian brings two key strengths to the table: a strong presence in Europe (particularly in France and Germany) and a strong focus on the healthcare industry, a sector with distinct and often unmet IAM requirements.

Microsoft's IAM offering can now be considered comprehensive; it notches up strong technology scores that are close to the lower end of the 'Shortlist' category. The vendor's new Forefront Identity Manager offering incorporates many well-proven tenets of IAM technology (such as business-user-driven attestation and access-request approvals). The new release, together with the vendor's renowned ability to build and sustain partnerships, has produced a very competitive offering. Across all industries Microsoft is the most recognized IAM vendor and is now a strong contender for a diverse range of IAM requirements.

The prospects: Entrust and RSA

Entrust and RSA make up what Ovum calls the 'Explore' category because their IAM offerings, although not as deep or broad as others, have particular strengths or functionality that will be a good fit for organizations with specific needs or preferences.

Entrust, with its IdentityGuard, GetAccess, and TransactionGuard products, provides a good range of identity management, risk-based authentication, access control, and real-time fraud detection facilities. Its strength comes from an ability to build and deliver an integrated set of identity-driven protection solutions that are relevant to the everyday business and operational needs of a wide-ranging group of users. The company offers a flexible range of single- and multi-factor authentication facilities, which allow organizations to put in place authentication that balances operational demands against business risk and regulatory compliance. Entrust enables organizations to build an integrated, identity-based approach to the management and control of user access.

RSA is the authentication market leader. It provides enterprise-class identity assurance products that address the risk and compliance issues arising in highly regulated sectors such as finance, healthcare, telecoms, and government. The company's broad range of authentication services addresses all levels of secure access, based on risk. Its range of authentication methods covers appliance, software, hosted (software-as-a-service, SaaS), and on-premise operation. RSA provides an extensive range of IAM-based identity assurance products and services that can be deployed to protect the operational systems and intellectual property of public and private sector organizations. Its products are designed to minimize the risks associated with inappropriate and unauthorized systems and account usage, and its protection services have been extended to address fraudulent activity, accidental data leakage, and information and event monitoring.
6.4 Vendor Analysis

CA: Identity and Access Management Radars

[Figure 6.4.1: CA Identity and Access Management Radars. Three radar charts (scale 0-10) plotting CA against the maximum category score and the average across vendors: user sentiment radar (product quality, client engagement, customer support, financial stability, service capabilities, service levels, vertical specialization, portfolio depth); impact radar (recognition, regional presence, revenue, size-band presence, revenue growth, vertical presence); technology radar (authentication technology, scalability, enterprise and web single sign-on, user provisioning, password management, access control, federated identity management, infrastructure supported, standards and authorities, administration and policy management, solution maturity, solution breadth and depth). Source: Ovum]

CA is among the largest vendors in the IAM space, and its IAM portfolio is among the most comprehensive; its scores in the Market Impact and Technology dimensions reflect those strengths. CA scores well on most Technology attributes and has the highest possible score, or close to it, on Password Management, Enterprise and Web SSO, User Provisioning, Access Control, and Federated Identity Management. The only Technology dimension in which CA's score is less than impressive is support for standards and authorities. In the Market Impact dimension CA is among the top four vendors. However, for a vendor with such a market presence, CA does not score well on Customer Sentiment, achieving less than average in most of our Customer Sentiment dimensions.

CA's IAM portfolio comprises CA SiteMinder, Federation Manager, SOA Security Manager, Access Control, Role and Compliance Manager, Identity Manager, and Enterprise Log Manager; the portfolio is currently at version r12. CA's current IAM positioning focuses on "content-aware identity", with IAM and DLP integration, IAM for virtualized environments, and cloud-delivered services (both IaaS and SaaS) also brought within the scope of its IAM technology. GRC is another important aspect of CA's IAM strategy.

CA has made a number of acquisitions in the IAM space in the last two to three years, and they reflect this focus. In January 2009 the company acquired Orchestria, a DLP provider. In August 2010 it bought Arcot Technologies, a provider of strong authentication and fraud prevention delivered both on-premise and from cloud-based infrastructure. This acquisition possibly also signals CA's expansion beyond the enterprise market into consumer-facing advanced authentication, a space where RSA is a formidable force.
In mid-2010 CA made a major cloud-related announcement: the scope of its cloud offerings now includes provisioning and access management for Salesforce and Google Apps, as well as enabling cloud providers to secure their own services and infrastructure. DLP and IAM integration is at an early stage, but Ovum believes that CA is on the right path and agrees with its strategy of unifying these two hitherto (mostly) disparate streams.

Compliance is another focus area for CA. The company's portfolio includes SIEM solutions integrated with its IAM solutions, and over the years CA has become an important IT GRC player as well. Overall, CA is an acquisitive company and can be expected to stay at the frontier of emerging requirements and trends in the IAM market through both organic growth and acquisitions. The company has been a leader in all core areas of the IAM spectrum for a long time, and has filled critical gaps with acquisitions whenever necessary; examples are the 2008 acquisition of role management vendor Eurekify and, in the same year, of IDFocus, a provider of segregation-of-duties (SoD) capabilities.

CA has a significant presence across all major industry sectors, and its distribution across geographies reflects the wider market, with North America its primary source of IAM revenues. Its IAM suite has a distinct large-enterprise focus, with financial services among its most important sectors.

Recommendation: Shortlist

CA earns a "Shortlist" rating primarily because of its high score in the Technology dimension. On a number of technology fronts, particularly enterprise and web SSO (through the SiteMinder product), CA defines best in class. The vendor's list of systems integrator partners is impressive, and the evolution of CA's IAM portfolio is aligned with what Ovum believes is the way forward for enterprises that have already made substantial investments in IAM. To summarize, CA is relevant to IAM requirements of all flavors: from core user-provisioning rationalization to an enhanced state of compliance, and from employee-oriented requirements to large-scale consumer-facing requirements.

Entrust: Identity and Access Management Radars

[Figure 6.4.2: Entrust Identity and Access Management Radars. Two radar charts (scale 0-10) plotting Entrust against the maximum category score and the average across vendors: technology radar (authentication technology, scalability, enterprise and web single sign-on, user provisioning, password management, access control, federated identity management, infrastructure supported, standards and authorities, administration and policy management, solution maturity, solution breadth and depth) and impact radar (recognition, regional presence, revenue, size-band presence, revenue growth, vertical presence). No user sentiment radar is shown, because Entrust was not rated by enough customers. Source: Ovum]

Entrust provides three IAM solutions: IdentityGuard, GetAccess, and TransactionGuard. A strong contender in the authentication and fraud management space, Entrust notches up impressive scores in the Authentication and Password Management dimensions, and reasonably good scores in the Access Control and Federated Identity Management dimensions. Entrust is relatively small compared with the IAM suite heavyweights, but still large compared with the primarily regional IAM vendors on our list, and its Market Impact scores (including Recognition) reflect that relative position. The company expects to notch up impressive growth in the near term. The SME market (under 1,000 employees) represents a larger percentage of its revenues than average. Financial services and the public sector are its most important sectors by a significant margin.
For this Decision Matrix, Entrust was not rated by enough customers for Ovum to aggregate and present statistically significant Customer Sentiment scores. However, Ovum's ongoing research does indicate (as has been reported before) that Entrust's high-quality customer support and partner services are important differentiators for the vendor. Entrust enjoys a renewal rate of 90%, which in Ovum's opinion is truly impressive in a sector that has seen more than a few projects run over budget and more than a few disillusioned customers.

Entrust's strengths are its strong authentication, adaptive (risk-based) authentication, and fraud management capabilities, and its solution has proven scalability in consumer-facing environments. Regulatory controls essential to its target industries (primarily government, financial services, healthcare, and telecommunications) are another strength. Entrust plays in three IAM scenarios: external, consumer-facing IAM for banks and the technologies relevant to that market, including its fraud management solution, TransactionGuard; citizen identity management for government agencies; and standard employee-centric IAM, primarily for large enterprises. Across all three, strong and adaptive authentication are among Entrust's key strengths. Entrust is planning for higher-than-average industry growth. Its long-term prospects are particularly bright given the increase in e-governance projects and citizen services everywhere, and particularly in the Asia-Pacific market.

On the strong authentication front, Entrust covers the whole gamut, from grid cards and machine authentication (authentication of a pre-registered machine) to out-of-band authentication and one-time passwords routed to mobile devices. Out-of-band authentication is a priority area for Entrust and an important part of the vendor's roadmap. In Ovum's opinion, the range of transaction information that can be included in an Entrust-enabled out-of-band authentication event, and the control the customer has over it, set the vendor apart. This also testifies to Entrust's strength in its chosen niche (as does the vendor's score in the "Authentication" Technology dimension).

Its three products, IdentityGuard, GetAccess, and TransactionGuard, work together so that access to enterprise resources is controlled by a comprehensive understanding of the user, and the mode of authentication is appropriate to the risk level identified. IdentityGuard is the risk-based authentication platform, and an important part of Entrust's positioning (natural, given its target market) is IdentityGuard's ability to scale. GetAccess is the web access control and web SSO solution. TransactionGuard is the real-time fraud detection solution (naturally far more relevant in the financial services scenario) and comprises Real Time Fraud Detection, FraudMart, and the Open Fraud Intelligence Network.

For standard employee-oriented IAM challenges, Entrust conforms to the prevailing notions of IAM technology, including role-based access control, support for federation standards, workflows, and self-service. And, of course, for entities outside financial services and the public sector, the case for Entrust becomes particularly strong when there is a consumer-facing scenario. Entrust's positioning centres on its adaptive authentication strengths and the cost-effectiveness its technology brings. The overall positioning theme is in line with current IAM themes: quick ROI from enhanced self-service and the resulting reduction in helpdesk costs.

Entrust was acquired by the private equity firm Thoma Bravo in July 2009. In the last two years Thoma Bravo has acquired security and IT infrastructure management provider LANDesk and IT security solutions provider SonicWall. However, Thoma Bravo's portfolio of investments in the enterprise IT sector encompasses vendors from very different areas: the firm counts a supply chain management application provider (Manugistics) and a customer relationship management application provider (Consona Corporation) among its software investments. It therefore seems unlikely that the acquisition will affect Entrust's customers in the foreseeable future.

Recommendation: Explore

A moderate Technology score earns Entrust an "Explore" rating. Entrust is a strong contender in a number of large, growing, and tough IAM niches. Its less-than-average scores across important pieces of the IAM portfolio (including E-SSO, Web SSO, User Provisioning, Access Control, and Federated Identity Management) have led us to assign this rating. However, IAM scenarios that involve customer-facing applications and require strong authentication certainly call for a closer evaluation of Entrust's offerings.
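The out-of-band authentication described above, in which transaction details and a one-time code are routed to the user's phone, is only as strong as the binding between the code and the transaction the server will actually execute. The Python below is an added illustration written for this page; it is not Entrust's code and does not describe how IdentityGuard or TransactionGuard work internally. The transaction field names, the message format, the server secret, the 120-second validity window and the sample payment are all assumptions made for the example.

```python
"""Transaction-bound out-of-band (OOB) confirmation code, as an illustration.

Hypothetical design, not a vendor's implementation: the server derives the
one-time code from the transaction details it intends to execute plus a
fresh nonce, and pushes details + code to the user's phone. The code only
verifies against the same transaction, so a code obtained for one payment
cannot confirm a different one, and each challenge is single-use and expires.
"""
import hashlib
import hmac
import secrets
import struct
import time

# Hypothetical field names; a real product defines its own schema.
TX_FIELDS = ("amount", "currency", "payee", "reference")


def canonical_transaction(tx: dict) -> bytes:
    """Deterministic, length-prefixed serialisation of the user-visible fields.

    The same bytes feed the code sent to the phone and the code the server
    recomputes at confirmation time, so any change to a displayed field
    changes the expected code.
    """
    out = bytearray()
    for name in TX_FIELDS:
        value = str(tx[name]).encode("utf-8")
        out += struct.pack(">H", len(value)) + value
    return bytes(out)


def derive_code(secret: bytes, tx: dict, nonce: bytes, digits: int = 8) -> str:
    """HMAC-SHA256 over (transaction || nonce), truncated HOTP-style (RFC 4226 s5.3)."""
    mac = hmac.new(secret, canonical_transaction(tx) + nonce, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OutOfBandVerifier:
    """Server side of the OOB step. `clock` is injectable so expiry can be tested."""

    def __init__(self, secret: bytes, ttl_seconds: int = 120, clock=time.time):
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # challenge_id -> (nonce, expiry time)

    def start(self, tx: dict) -> tuple:
        """Register the transaction the server will execute and build the OOB
        message (details plus code) that would be pushed to the user's phone."""
        nonce = secrets.token_bytes(16)
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (nonce, self._clock() + self._ttl)
        code = derive_code(self._secret, tx, nonce)
        message = (f"Confirm payment of {tx['amount']} {tx['currency']} to "
                   f"{tx['payee']} (ref {tx['reference']}). Code: {code}")
        return challenge_id, message

    def confirm(self, challenge_id: str, tx: dict, submitted_code: str) -> bool:
        """Accept only if the code matches the transaction actually being executed
        and the challenge is still valid. The challenge is consumed on the first
        attempt, successful or not, so an 8-digit code cannot be brute-forced."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False                      # unknown, replayed or already used
        nonce, expiry = entry
        if self._clock() > expiry:
            return False                      # stale challenge
        expected = derive_code(self._secret, tx, nonce)
        return hmac.compare_digest(expected, submitted_code)


def demo() -> dict:
    """Constructed scenario (not real customer data): a legitimate confirmation,
    a replay of the used code, a payee swapped after the user approved, and an
    expired challenge. Returns the verifier's decision for each case."""
    now = [1_700_000_000.0]
    verifier = OutOfBandVerifier(b"server-side-secret-for-illustration",
                                 ttl_seconds=120, clock=lambda: now[0])
    intended = {"amount": "250.00", "currency": "EUR",
                "payee": "ACME Ltd", "reference": "INV-1042"}

    def read_code(msg: str) -> str:          # what the user reads off the phone
        return msg.rsplit("Code: ", 1)[1]

    cid, msg = verifier.start(intended)
    legitimate = verifier.confirm(cid, intended, read_code(msg))
    replay = verifier.confirm(cid, intended, read_code(msg))

    cid, msg = verifier.start(intended)          # user approves ACME Ltd on the phone...
    tampered = dict(intended, payee="Mallory")   # ...but the payee is swapped in the browser
    swapped = verifier.confirm(cid, tampered, read_code(msg))

    cid, msg = verifier.start(intended)
    now[0] += 300                                # wait past the 120 s window
    expired = verifier.confirm(cid, intended, read_code(msg))

    return {"legitimate": legitimate, "replay": replay,
            "payee_swapped": swapped, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Run as a script to see the four decisions. The case that matters is payee_swapped: the user approved a payment to ACME Ltd on the phone, the payee was changed in the browser before submission, and the server recomputes the code over the tampered transaction, so the code the user typed no longer matches. A plain one-time password that is not bound to the transaction details would have passed that check.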
Evidian: Identity and Access Management Radars

[Figure 6.4.3: Evidian Identity and Access Management Radars (Source: Ovum). Three radar charts on a 0 to 10 scale, each plotting Evidian against the maximum category score and the average across vendors. User sentiment radar: Product quality, Client engagement, Customer support, Financial stability, Service capabilities, Service levels, Vertical specialization, Portfolio depth. Impact radar: Recognition, Regional presence, Revenue, Size-band presence, Revenue growth, Vertical presence. Technology radar: Authentication technology, Scalability, Enterprise and web single sign-on, Solution breadth and depth, User provisioning, Solution maturity, Password management, Administration and policy management, Access control, Standards and authorities, Federated identity management, Infrastructure supported.]

Although Evidian has a nearly full suite of IAM products, the vendor’s influence remains largely restricted to its geographic niche, Europe. With an aggregate Technology score that is close to Microsoft’s and right after the “Big Four” IAM suite providers, there can be little doubt that Evidian’s suite is comprehensive. Evidian scores higher than average in a number of Technology dimensions, including Enterprise and Web SSO, User Provisioning, Access Control, and support for standards and authorities. The suite is found wanting across the Federated Identity Management and Infrastructure Supported dimensions, particularly the latter. Evidian is a relatively small vendor, and client organizations outside its geographic niche are much less likely to recognize it as a provider of IAM solutions. The vendor expects higher-than-industry-average growth, but its size limits its Market Impact score. In the Customer Sentiment dimension, Evidian scores higher than average across the Client Engagement, Vertical Specialization, and Customer Support dimensions.
However, given its considerable focus on the healthcare sector – healthcare is as important as financial services and rare among the vendors profiled in this report – Ovum would have expected the vendor to register a higher score on customers’ perception of its “Vertical Specialization.” The EMEA region accounts for the bulk of Evidian’s business, with the North American market registering a marginally higher contribution than the Asia-Pacific region. This is an unusual geographic distribution for a leading IAM vendor. Another fact that points towards Evidian’s status as a leading European IAM technology provider is the vendor’s partnership with Microsoft, primarily in the European region (and for Evidian’s E-SSO product). Evidian partners with Quest in North America and NEC in Asia-Pacific (most notably Japan).

Getting back to its industry focus, the public sector and telecommunications are important focus areas in addition to financial services and healthcare. The company is working on industry-specific flavors of its solutions and reports working on the “Evidian IAM Suite for healthcare,” which will include workflows and provisioning connectors for typical healthcare environments.

CHAPTER 6: TECHNOLOGY COMPARISON 119
With regard to market segments, most IAM suite vendors have a nearly complete medium-sized to large company focus, and the sub-1,000-employee market (and even the sub-5,000 market) typically accounts for a small percentage of revenues. The sub-5,000 market finds much greater representation in the Evidian installed base compared with the other vendors profiled in this report. Although this could be an unintended fallout of the vendor’s choice of sector – healthcare institutions in Europe tend to be smaller than typical client organizations in other IAM technology-intensive sectors – Evidian’s portfolio includes the “Ready-To-Go-SSO” edition (aimed at companies with 500–5,000 users), and the vendor reports working on additional SME-focused packages.

The Evidian IAM Suite (Version 8) is a well-proven, mature product that supports all core areas of IAM, including identity, access, and role management. The solution conforms to the modern tenets of IAM management, such as strong authentication, role-based access management, audit-oriented entitlements status reporting, and support for identity federation standards. Evidian’s positioning focuses on the IAM basics: an integrated, organically developed product that is relatively easy to implement. To summarize, Evidian is a perfectly competent IAM technology provider with strong geographic and sector niches, but also a vendor that could significantly improve its presence across geographies.

Recommendation: Consider

Evidian has advanced on Ovum’s ranking from the “Explore” category in 2008’s Decision Matrix to the “Consider” category. The vendor’s good scores in the Technology dimension (marginally lower than Microsoft’s) and above-average Customer Sentiment score have led to its “Consider” rating. A strong contender in Europe, Evidian merits closer evaluation by client organizations from that region.
Also, healthcare firms across regions would do well to take a closer look at Evidian’s offering, and the vendor’s tailored offering for this sector is arguably more compelling than the Technology scores (which are designed to be equally relevant to all sectors) seem to suggest. Overall, Evidian is a strong contender that has carved a few very well-defined niches.

Hitachi-ID: Identity and Access Management Radars

[Figure 6.4.4: Hitachi-ID Identity and Access Management Radars (Source: Ovum). User sentiment radar, Impact radar, and Technology radar on a 0 to 10 scale, each plotting Hitachi-ID against the maximum category score and the average across vendors.]
This is the first time Hitachi-ID has been included in the Ovum Identity and Access Management Decision Matrix, and the vendor has scored well on multiple fronts. The vendor in its present form began life in 2008 with Hitachi’s acquisition of M-Tech, and operates as a subsidiary of the Asia-Pacific giant. The Hitachi-ID portfolio is strong on many IAM Technology dimensions, including User Provisioning and Password Management. The vendor does not focus on the web access management and web and enterprise SSO markets. Hitachi-ID Customer Sentiment scores are exceptional, and it outscores more than eight of the other vendors profiled in this Decision Matrix on six of the eight Customer Sentiment dimensions. The fact that Hitachi-ID’s IAM portfolio is one of the few (nearly) full-suite products that have been built entirely organically could have a role to play in the exceptional Customer Sentiment scores. Hitachi-ID is small compared with the IAM behemoths and derives less than 10% of its revenues from the Asia-Pacific market. It therefore seems unlikely that the vendor is leveraging the scale of the parent company in the fullest possible way. Hitachi-ID’s strengths are undeniable, and Ovum believes that the company could significantly expand its installed base.

One interesting aspect of Hitachi-ID’s IAM suite is password synchronization for SSO, as opposed to the traditional approach in which the user authenticates to a single system that holds and manages the credentials for all other systems. Though not without its trade-offs, the password synchronization approach certainly has the potential to reduce SSO complexities. The simplicity that password synchronization affords is part of a broader Hitachi-ID theme, namely relatively low-cost IAM implementation.
Low-cost implementation is Hitachi-ID’s stated goal, and the company relies partly on a good range of preconfigured options for implementation (such as preconfigured “most likely” workflows) and an impressive range of connectors to target applications to realize its goal. Hitachi-ID is among the four top performers in the “Infrastructure Supported” Technology dimension, which is highly unusual for an IAM vendor of its size. Only Novell, CA, and IBM score higher than Hitachi-ID in this dimension, and none of the vendors of comparable size score close to Hitachi. The IAM vendor’s role management capability set is comprehensive, and support for cloud-delivered applications includes the now-mandatory set of SaaS applications, Google Apps and Salesforce. Cloud and DLP are not a part of Hitachi’s branding, and the vendor’s core message remains simplicity and low TCO. For most of its life, M-Tech Systems was relatively isolated and focused on a customer demographic that did not have significant in-house IT talent and/or deep systems integrator relationships, and this legacy is manifested in Hitachi-ID’s offerings.

Ovum believes that Hitachi-ID will continue to be valuable in deployment sites that are expanding the scope of IAM from web access management and web SSO to a well-structured system for provisioning and de-provisioning and password management. Hitachi’s offerings in the smaller parts of IAM, such as privileged user management, are impressive as well.

Recommendation: Consider

An impressive Customer Sentiment score and a Technology score that is just lower than the numbers scored by the largest IAM vendors earn Hitachi a “Consider” rating. Hitachi’s Technology score is marginally lower than Microsoft’s, which is impressive considering the Redmond-based giant’s range of partnerships. The new entrant in the Decision Matrix has impressed on all fronts, and its positioning on the Technology front is clear.
Hitachi does not operate in the web SSO and Access Control markets, preferring to rely on partnerships. Apart from these sub-markets the vendor has a full suite, and Ovum believes the way forward for Hitachi is geographic expansion.

IBM: Identity and Access Management Radars

IBM is among the largest vendors in the IAM space, and its Market Impact scores reflect its status as an identity and access behemoth. Scoring well across all three major dimensions, IBM registers the highest Technology score, beating CA, Novell, and Oracle. IBM scores the highest or close to the highest in our group of nine IAM vendors across most Technology dimensions, including Enterprise and Web SSO, User Provisioning, Password Management, Access Control, Federated Identity Management, and Infrastructure Supported. In terms of its market impact, IBM is predictably recognized widely – IBM has one of the highest scores in the Recognition dimension – as an IAM suite provider and has above-market-average growth plans. This is particularly impressive given the size of its IAM business. In this research exercise the Customer Sentiment scores of the largest IAM vendors have mostly been unimpressive, but IBM manages to beat this trend. Its Customer Sentiment scores are above average in five of the eight Customer Sentiment dimensions.
[Figure 6.4.5: IBM Identity and Access Management Radars (Source: Ovum). User sentiment radar, Impact radar, and Technology radar on a 0 to 10 scale, each plotting IBM against the maximum category score and the average across vendors.]

IBM’s IAM suite comprises Tivoli Identity and Access Manager, Tivoli Identity and Access Assurance, Tivoli Access Manager for Enterprise Single Sign-on, Tivoli Identity Manager, Tivoli Access Manager for e-business, Tivoli Access Manager for Operating Systems, Tivoli Federated Identity Manager, Tivoli Federated Identity Manager Business Gateway, Tivoli Unified Single Sign on, and Tivoli Directory Server. As this long list suggests, the portfolio is comprehensive. IBM’s scope extends beyond the list cited here into all areas adjacent to IAM, such as DLP, GRC, and SIEM. The depth of IBM’s enterprise relationships allows security and service management concepts to be brought into IAM projects more than for other vendors with extensive IT infrastructure management portfolios. (Naturally, the overlap is much more relevant to the professional services aspect of implementation projects than to Technology integration.) This implies that IBM has few peers when an enterprise faces truly transformational problems.
On the same note, the compliance problem is not just tackled by technology – incidentally, IBM recently acquired GRC vendor OpenPages – or by IBM’s formidable professional services team, but also by partnerships, such as the crucial one with Deloitte. Content and the quality of professional services are important aspects of GRC, and IBM is certainly strong in these areas. Although GRC is not part of this report’s scope, this adds to Ovum’s stance that IBM’s strength in the core IAM and adjacent areas makes it a truly formidable force when an enterprise is faced with a multidimensional IAM challenge of significant scale. The counter argument to IBM’s scale differentiator is the small-vendor argument that their products have strong integration capabilities with configurations that are mapped well to market requirements. However, there are areas within IAM, such as user provisioning, where the requirements span far beyond IAM technology elements, which means a large global enterprise has few real alternatives other than a vendor whose expertise runs the gamut from industry-specific regulations to building connectors to sector-specific applications. This is not to say that IBM does not have IAM solutions for smaller organizations, but that IBM’s true differentiator is its ability to handle large-scale problems through the size and scale of its professional services division and by orchestrating the strengths of its partners.
Recommendation: Shortlist

The highest Technology rating among the top nine vendors in the IAM market and an above-average Customer Sentiment score earn IBM a “Shortlist” rating. Across all three dimensions, including the size of the vendor’s IAM business and the high recognition its IAM business receives, it is clear that IBM is at the top in the IAM market. Transformational IAM problems require a vendor with IBM’s diverse skill sets and scale, and its position among the top IAM vendors reflects this.

Microsoft: Identity and Access Management Radars

[Figure 6.4.6: Microsoft Identity and Access Management Radars (Source: Ovum). User sentiment radar, Impact radar, and Technology radar on a 0 to 10 scale, each plotting Microsoft against the maximum category score and the average across vendors.]

As would be expected of Microsoft in any enterprise IT market, the vendor’s products and role in the sector are widely recognized and understood. Predictably, our research indicates that Microsoft’s IAM market impact is impressive. In addition, Microsoft scores well on the Technology front, registering impressive scores across the Enterprise and Web SSO, User Provisioning, Password Management, Access Control, and Federated Identity Management dimensions. Even in the Customer Sentiment dimension, Microsoft scores higher than average on Product Quality, Portfolio Depth, Service Levels, and Client Engagement.
Although certainly among the leading IAM vendors, Microsoft scores among the lowest on the Infrastructure Supported dimension, limiting its applicability in non-Microsoft environments.

Forefront Identity Manager 2010, the Windows Server 2008 R2 Active Directory, Active Directory Federation Services 2.0, and Windows Identity Foundation are the key components of the Microsoft IAM suite. Forefront Identity Manager (FIM) replaces Identity Lifecycle Manager 2007 and is aimed at promoting self-service, integration with familiar Microsoft tools, and enhancing ease of use, which in turn promotes business-user participation. FIM is the seat of policy management, certificate management, and user management, and AD Federation Services enables authentication across domains.
Microsoft partners with major web access management, user provisioning, and E-SSO providers such as Hitachi-ID, Evidian, and Courion. Microsoft’s current IAM positioning is focused on its new and improved FIM. Related solutions and areas such as cloud, SIEM, IT GRC, and DLP integration do not seem to be a focus area (although the Redmond giant does have the capabilities for each in some form, through partnerships, or both). FIM’s capabilities ease compliance and reduce helpdesk and IT administration costs, and Microsoft is firmly in line with the prevailing industry notions of the evolution of the IAM function. There is little to doubt Microsoft’s status as a full-blown IAM vendor, with a Technology aggregate score that comes right after the IAM heavyweights, CA, IBM, Novell, and Oracle.

On a related note, Microsoft’s Customer Sentiment scores indicate that the need for tailored IAM solutions by industry is very real. There are considerable differences in how the vendors have scored in the “Vertical Specialization” Customer Sentiment dimension. Ovum believes the one industry that requires a distinct sector focus is the healthcare sector, on account of the many sector-specific applications and sometimes-unique user habits, and insight from vendors indicates varying degrees of focus on the sector. In early 2010, Microsoft bought Sentillion, a provider of applications for the healthcare sector. Sentillion’s portfolio includes SSO solutions, and Microsoft announced that the company would consider how Sentillion’s IAM capabilities might work in conjunction with FIM 2010. By most accounts Microsoft is a low-cost provider of IAM technology and has a formidable partner network. A good percentage of small and medium-sized enterprises (SMEs) are likely to turn to Microsoft first as their IAM technology stack provider.
Therefore, it is good news that Microsoft has incorporated the well-proven concepts of business-driven group requests, approval workflows, identity synchronization, and self-service into its latest release. Finally, it is important to mention in this context that the Microsoft installed base does not lack large-enterprise deployment cases.

Recommendation: Consider

Partly through its well-known partnership development capabilities, Microsoft has assembled an IAM offering that marginally trails the “Big Four” vendors. Its Technology score, alongside a well-above-average Customer Sentiment ranking, ensures that Microsoft is placed in the “Consider” category. Predictably, Microsoft falls below average on the “Infrastructure Supported” category, registering a series of Ns on Ovum’s list of key platforms. Microsoft’s rating is unchanged from the previous edition of the Decision Matrix, and there is little to doubt its role as a full IAM stack provider, particularly for Microsoft shops.

Novell: Identity and Access Management Radars

Novell’s IAM suite (Identity Manager r4) is part of the company’s Identity and Security Management (ISM) unit, and the vendor provides a comprehensive suite of IAM solutions. Novell scores close to highest in the Technology dimension of the Decision Matrix framework, and is ranked high across most Technology categories. The Linux major almost achieves the highest scores in the Authentication dimension, and equal to or close to the best scores possible (according to our evaluation parameters) against User Provisioning, Password Management, Access Control, and Federated Identity Management. There are a number of noteworthy aspects to Novell’s IAM positioning, such as its e-Directory and bundling of Novell Identity Manager, Access Manager, and SecureLogin with Sentinel, the leading SIEM product.
The third important aspect of Novell’s IAM suite is its support for a wide range of platforms, an approach that is manifested in Novell’s score on the “Infrastructure Supported” Technology dimension, which is close to the highest. Another important differentiator is the home-grown nature of Novell’s IAM suite. How well the different pieces of IAM integrate together remains a critical success factor in this market, and Novell certainly scores well on this front. However, Novell has not shied away from acquisitions when required. Most notably, it acquired Fortefi in 2009 for the latter’s privileged password management technology.

However, Novell has so far been unable to convert its exceptional technical strengths into industry-leader status in terms of market impact. The vendor scores well below the other IAM suite heavyweights, such as IBM, Oracle, and CA, in the Market Impact dimension, and growth in recent years has been uneven. Its Customer Sentiment scores are also average for a vendor with significant technical depth.
[Figure 6.4.7: Novell Identity and Access Management Radars (Source: Ovum). User sentiment radar, Impact radar, and Technology radar on a 0 to 10 scale, each plotting Novell against the maximum category score and the average across vendors.]

Interestingly, the customer perception of Novell’s portfolio depth is not as high as the vendor’s Technology scores seem to suggest, possibly indicating that there is scope for better marketing of its status as an IAM heavyweight. A related point here is that Novell lacks the major systems integrator partnerships that every major IAM stack provider has had for some time. While Novell’s major competitors all have partnerships spanning the global majors (such as Deloitte), Novell’s roadmap does not seem to indicate a focus on expanding the scope of its partnerships.

Novell’s current market positioning focuses on compliance (which has always been a major area of focus), on managing identity and access in virtualized environments, and on incorporating cloud-delivered services into its IAM scope. On the cloud front, Novell’s scope includes provisioning and SSO for cloud-delivered applications, controlling mixed environments in which workloads are moved across data centers to cloud infrastructure, and offering hosted and MSP-provided identity services that could be particularly appealing to the SME market. On the compliance front, the focus is on providing audit-level reporting, user activity monitoring and correlation, and SoD violation monitoring.
The SAP-Novell partnership with regards to GRC, which involves integration (and more) of SAP’s GRC products with Novell’s ISM solutions, is noteworthy in this context.

As would be expected of a vendor of Novell’s nature, the IAM portfolio is relevant to all geographies, industry sectors, and enterprises of varying sizes. The traditional heavy users of IAM, namely financial services, the public sector, healthcare, and telecommunications, predictably form an important part of Novell’s installed base. However, it is important to mention that Novell has significant presence in the utilities and manufacturing sectors.
Recommendation: Shortlist

Novell’s close-to-highest score in the Technology dimension and moderate Customer Sentiment score have placed the vendor in the “Shortlist” category. The Market Impact scores are lower than would be expected of an IAM vendor of Novell’s stature. However, there is little to doubt the comprehensive nature of Novell’s offering and its relevance to diverse IAM requirements. The research exercise for this report is based exclusively on vendors’ performance in the IAM category, and Ovum advises enterprises to incorporate their understanding of the vendor’s overall business into any selection decisions.

Oracle: Identity and Access Management Radars

[Figure 6.4.8: Oracle Identity and Access Management Radars (Source: Ovum). User sentiment radar, Impact radar, and Technology radar on a 0 to 10 scale, each plotting Oracle against the maximum category score and the average across vendors.]

Always a very prominent IAM vendor, Oracle has become even more of a behemoth following its Sun Microsystems acquisition. The vendor scores well in all Ovum’s evaluation dimensions, particularly in the Technology dimension and Market Impact, in which it achieves the highest overall score. Oracle scores well in all the Technology dimensions, registering maximum possible scores or close to maximum possible scores in User Provisioning, Enterprise and Web SSO, Password Management, Federated Identity Management, and Infrastructure Supported.
With over 5,000 IAM customers, Oracle has presence across all major sectors, with the traditional IAM-intensive sectors, financial services, healthcare, and the public sector, leading. Its geographic mix of revenues is in line with the wider market, with North America leading. Of course, no discussion on Oracle is possible without touching on the problem of technology integration following the Sun Microsystems acquisition, and the related announcements (and the July 2010 Oracle Identity 11g release) do not compel existing Sun and Oracle customers to make significant decisions soon (or at least over the next two years). Its plans involve rebranding of products and prioritization in the case of overlapping capabilities (in accordance with Oracle’s “continue and converge” policy), but existing commitments will be honored for product lines that will no longer be part of Oracle’s strategic IAM roadmap.
Oracle’s competitors, CA and Novell, had launched “license exchange” programs to take advantage of the post-acquisition situation, but Ovum has seen little evidence that the state of the market has changed in any significant way as a result of these competitors’ initiatives. Oracle’s Customer Sentiment scores have not changed significantly since the last time Ovum surveyed its enterprise clients, indicating that the Sun acquisition has not led to much change in perception about Oracle’s products and the vendor’s service delivery capabilities. The level of overlap across its many technology areas is significant, but in keeping with Oracle’s broader post-acquisition technology integration policy, some reasonably specific guidelines on the roadmap were released in January 2010. Parts of Sun Microsystems’ IAM portfolio have been added to the Oracle IAM portfolio, renamed and repositioned, and will now be part of the common strategic roadmap. Sun’s Role Manager stays and will form the foundation for Oracle Identity Analytics. Sun Directory Server Enterprise Edition, Oracle Internet Directory, and Oracle Virtual Directory will now collectively form a new product called Oracle Directory Services Plus. Sun’s Open SSO Fedlet (renamed Oracle Open SSO Fedlet) and Secure Token Service (now Oracle OpenSTS) are now part of the strategic roadmap. Sun’s Identity Manager is now known as Oracle Waveset, and Oracle will continue developing Oracle Identity Manager to make the solution familiar to Waveset users. Oracle is offering existing Sun IAM customers equivalent Oracle products for free and plans to release migration tools in 2011.

Although the scale and level of overlap is unique, acquisitions are not a new concept for the Oracle IAM team. Oracle’s IAM portfolio has been built partly through a series of acquisitions. In 2007, Oracle acquired Bridgestream, a role management vendor, and Bharosa, a provider of online fraud management and strong authentication.
Although Oracle’s overall direction partly reflects the goals of IAM suite vendors (such as superior role management and IAM integration with GRC), the focus of the July 2010 11g release is on integrating the product stack, and the vendor’s approach has been branded “Service Oriented Security.” Service Oriented Security is aimed at providing developers with a set of reusable IAM services, such as authentication, authorization, administration, and auditing, which can be leveraged as part of any application development effort. The approach is not new, and Oracle has been talking about this since at least 2008.

In the long term, migration for some of Oracle’s and the erstwhile Sun Microsystems’ customers would not exactly be painless. However, the portfolio collectively offers the right pieces for a diverse set of requirements, the lessons learned from many post-merger technology acquisitions are being used to lessen the pain as much as possible, and nobody is being forced to rip and replace anything in the short term. To summarize, Oracle provides a comprehensive set of IAM capabilities, and its focus is on enabling consumers of IAM technology to use elements of the considerable Oracle IAM stack flexibly.

Recommendation: Shortlist

Arguably the most acquisitive enterprise software company in the world, Oracle has brought together two IAM portfolios that were both strong contenders in their own right. A high Technology score and a Customer Sentiment score that is competitive among vendors of a similar scale earn the new IAM entity a “Shortlist” rating. Oracle has done a good job of managing customer concerns after what was arguably the largest IAM acquisition in the market to date.
Overall, this is certainly a comprehensive IAM stack and a vendor that merits closer evaluation in most identity and access technology selection scenarios.

RSA Security: Identity and Access Management Radars

RSA, the security division of EMC, is the authentication market leader and partners with Courion for provisioning and role management. The RSA IAM suite comprises RSA Access Manager, RSA Identity Protection and Verification, RSA Federated Identity Manager, RSA SecurID, and RSA Adaptive Authentication. Strong authentication, adaptive authentication, access control, federated identity management, and DLP and SIEM are RSA’s primary focus areas. RSA’s overall Technology score, given its specialization strategy, is predictably low compared with the heavyweights and even much smaller vendors such as Hitachi-ID and Evidian. As would be expected of RSA, the vendor’s Authentication score is the highest. However, the vendor scores well in the Market Impact dimension and is as well recognized as an IAM provider as the largest full-suite vendors. In the Customer Sentiment dimension, RSA performs reasonably well, beating the average in all dimensions, except, predictably, Portfolio Depth, and less predictably, Client Engagement.
[Figure 6.4.9: RSA Identity and Access Management Radars. Source: Ovum. Three radar panels, each plotting RSA against the maximum category score and the average across vendors: User sentiment radar (Product quality, Customer support, Service capabilities, Service levels, Portfolio depth, Client engagement); Impact radar (Recognition, Regional presence, Revenue, Revenue growth, Vertical presence, Vertical specialization, Size-band presence, Financial stability); Technology radar (Authentication technology, Scalability, Enterprise and web single sign-on, Solution breadth and depth, User provisioning, Solution maturity, Password management, Administration and policy management, Access control, Standards and authorities, Federated identity management, Infrastructure supported).]

Getting back to the Market Impact dimension, RSA’s primary sectors are financial services, government, healthcare, and telecoms. The geographic spread of RSA’s business aligns well with the market average, with North America leading and the Asia-Pacific market accounting for lower revenues than the EMEA region.

128 IDENTITY AND ACCESS MANAGEMENT 2011/12
RSA Security typically plays the role of the best-of-breed provider in deals that involve the IAM suite providers, and the large-enterprise segment is its focus area. On the strong authentication front, RSA delivers strong authentication through both hardware and software tokens and also provides digital certificates and knowledge-based authentication services. RSA’s adaptive authentication services provide risk-based authentication services to consumers of web-delivered applications in a way that is policy-based, and the level of authentication enforced is based on the risk profile of the requestor. The promise of strong authentication has been moderated by the realization that strong authentication does not scale well and a risk-based approach is necessary.

To that end, RSA provides different levels of authentication, such as “what you know”-based (user-selected images), invisible or automatic (device identification-based), one-time-password-based (which could be based on both hardware and software tokens), and out-of-band. The last approach, out-of-band authentication, is relatively new and has significant growth potential for high-risk transactions, given the rise of “man-in-the-middle” attacks. To summarize, RSA has few peers when a cost-effective and strong access control system is necessary, particularly when transactions and a stringent regulatory environment are involved. The same capabilities and strategic objectives make RSA a strong contender when a large mobile workforce or a large partner community is involved. With regard to the latter, Ovum notes that RSA scores close to the maximum in the Federated Identity Management dimension.

Across the areas adjacent to IAM, SIEM, DLP, and GRC, RSA is strong and active. However, it is not clear to what extent these solutions currently work in conjunction with the IAM suite.
IAM coupled with SIEM and DLP is certainly part of how IAM is likely to shape up in the medium term, and RSA is well placed to benefit from the need to formulate a risk, compliance, and content-focused approach to IAM management. In January 2010, parent company EMC acquired Archer Technologies, a leading provider of GRC solutions. RSA’s self-reported goals driving the acquisition included GRC working in conjunction with RSA’s DLP and SIEM solutions.

Recommendation: Explore

The strong authentication specialist would hardly claim to be an IAM stack vendor, and has stable and mature partnerships to fill the areas in the market that RSA does not operate in. Naturally, its aggregate Technology scores reflect that focus. However, the RSA scores this year are lower than what ordinarily would be expected of RSA on account of the vendor quitting the E-SSO business in 2009. These lower-than-expected Technology scores and a Customer Sentiment score that is marginally lower than average have led Ovum to place RSA Security in the Explore category.
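The risk-based tiering the report describes for RSA (recognised device, knowledge-based, one-time password, out-of-band), worked through as an added example that is not RSA’s code or part of the original report; the scoring weights, thresholds and request fields are assumptions chosen for the illustration.

```python
# Adaptive (risk-based) authentication policy, modelled on the tiers the report
# attributes to RSA. Added example, not RSA's code; weights are assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class AuthLevel(IntEnum):
    """Assurance tiers named in the report, ordered weakest to strongest."""
    DEVICE_ID = 1     # invisible/automatic: the device is already recognised
    KNOWLEDGE = 2     # "what you know": user-selected image or secret question
    OTP = 3           # one-time password from a hardware or software token
    OUT_OF_BAND = 4   # confirmation over a second channel, e.g. a phone call


@dataclass
class Request:
    """Constructed view of one request to a web-delivered application."""
    user: str
    device_id: str
    country: str
    amount: float = 0.0            # transaction value; 0 for a plain login
    new_payee: bool = False
    failed_attempts: int = 0       # recent failed authentications for this user
    known_devices: set[str] = field(default_factory=set)
    usual_countries: set[str] = field(default_factory=set)


@dataclass
class Decision:
    required: AuthLevel            # weakest tier the policy accepts
    score: int
    reasons: list[str]             # contributing signals, for the audit trail
    satisfied: bool                # does the assurance already presented suffice?


# Scoring weights are assumptions for this example, not RSA's values.
WEIGHT_UNKNOWN_DEVICE = 30
WEIGHT_UNUSUAL_COUNTRY = 25
WEIGHT_HIGH_VALUE = 40         # amount at or above HIGH_VALUE
WEIGHT_MEDIUM_VALUE = 15       # amount at or above MEDIUM_VALUE
WEIGHT_NEW_PAYEE = 20
WEIGHT_PER_FAILURE = 10        # counted up to three recent failures
HIGH_VALUE, MEDIUM_VALUE = 10_000, 1_000


def risk_score(req: Request) -> tuple[int, list[str]]:
    """Additive risk score plus one reason string per contributing signal."""
    score, reasons = 0, []
    if req.device_id not in req.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unrecognised device")
    if req.country not in req.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append(f"unusual country {req.country}")
    if req.amount >= HIGH_VALUE:
        score += WEIGHT_HIGH_VALUE
        reasons.append("high-value transaction")
    elif req.amount >= MEDIUM_VALUE:
        score += WEIGHT_MEDIUM_VALUE
        reasons.append("medium-value transaction")
    if req.new_payee:
        score += WEIGHT_NEW_PAYEE
        reasons.append("payment to a new payee")
    failures = min(req.failed_attempts, 3)
    if failures:
        score += failures * WEIGHT_PER_FAILURE
        reasons.append(f"{failures} recent failed attempt(s)")
    return score, reasons


def required_level(score: int) -> AuthLevel:
    """Map a risk score to the weakest tier the policy will accept."""
    if score < 25:
        return AuthLevel.DEVICE_ID
    if score < 50:
        return AuthLevel.KNOWLEDGE
    if score < 75:
        return AuthLevel.OTP
    return AuthLevel.OUT_OF_BAND


def decide(req: Request, presented: AuthLevel) -> Decision:
    """Step-up decision: allow when the assurance already presented meets the
    required tier; otherwise the caller must challenge at `required`."""
    score, reasons = risk_score(req)
    required = required_level(score)
    return Decision(required, score, reasons, presented >= required)


if __name__ == "__main__":
    trusted, home = {"laptop-01"}, {"GB"}
    # Routine login from a known device: recognising the device is enough.
    print(decide(Request("alice", "laptop-01", "GB", known_devices=trusted,
                         usual_countries=home), AuthLevel.DEVICE_ID))
    # High-value payment to a new payee, from abroad, on an unknown device:
    # an OTP is not enough and the policy demands out-of-band confirmation.
    print(decide(Request("alice", "phone-99", "BR", amount=15_000, new_payee=True,
                         known_devices=trusted, usual_countries=home), AuthLevel.OTP))
```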
CHAPTER 7: Technology Audits
CA: CA Identity and Access Management Suite
TECHNOLOGY AUDIT
CA
CA Identity and Access Management Suite

CATALYST

The CA Identity and Access Management Suite is a comprehensive set of products that, either collectively or individually, can be used to effectively meet the identity management requirements of its customers. The identity management and access control requirements of each organization are driven by a number of business and security factors, including compliance, audit, data protection, and risk awareness. Within its content-aware identity and access management (IAM) product portfolio, CA Technologies has the range and depth of technology to address the specific identity management requirements of most organizations.

CA IAM has three focus areas: managing identity, controlling user access, and maintaining control over the use of information. All of these issues are relevant to the vast majority of business organizations. This extended IAM solution will be of interest to any organization that recognizes the need to address compliance issues by combining its identity management and information protection strategies. Platform coverage is broad, making the solution suitable for distributed and mainframe operations, as well as for virtual, on-premise, and cloud environments.

KEY FINDINGS

Strengths:
- Centralized IAM that includes user provisioning and integrated workflow.
- Provides a comprehensive range of user activity and compliance reporting facilities.
- Controls the actions of privileged users for improved security.
- Web access management and web single sign-on (SSO) provide secure, user-friendly web access.
- Integration of data loss prevention (DLP) content knowledge provides improved control over information resources.

Weaknesses:
- Industry concerns over cloud security may hold back future progress in this area.

Key Facts:
- CA Technologies is aligning the use of DLP services with its IAM offering.
- Security information and event reporting add enhanced audit and compliance services.

OVUM VIEW

CA Technologies has been actively involved in the management of identity and the delivery of user and business protection services that control enterprise access for more than a decade. During this period, the company has developed, acquired and integrated an extensive range of identity-driven security products, which now shape its ‘content-aware’ approach to IAM.

CHAPTER 7: CA – CA IDENTITY AND ACCESS MANAGEMENT SUITE 135
The CA IAM Suite consists of an integrated set of products and services. Universal workflow, provisioning and role modeling, access management, federation, compliance, reporting, and other core IAM services can be leveraged across the CA IAM Suite, making CA Technologies one of only a small number of vendors that have an end-to-end, full-lifecycle IAM capability. Importantly, CA Technologies’ content-aware approach to IAM adheres strongly to industry standards. This helps to position the company as a software vendor that can fully support business and operational requirements in order to simplify infrastructure security processes, while continuing to work with products that retain a common look and feel across the business.

CA Technologies supports a wide range of common hardware and application platforms, directories, and databases, and has the ability to work with mixed environments that include traditional, virtual, and cloud-based models. Also, because of its range of information protection products, CA Technologies has extended its identity management focus to include data usage and management services, including DLP.

Recommendations

The target market for CA Technologies’ content-aware IAM Suite is predominantly large enterprise customers. These are typically organizations with over 5,000 employees or businesses with annual revenues that exceed $500m. Smaller organizations working in highly regulated industries can also gain value from deploying the product set, but need to consider the cost and operational justifications carefully.

Universally, the strongest markets for IAM are those sectors that are highly regulated, such as financial services, government, and healthcare. CA Technologies’ customer base is consistent with this, although, because of the maturity of its product set, it has a presence in most vertical markets.
CA Technologies is well positioned to support new and emerging markets, particularly where growth is supported by the use of virtual systems and cloud-based services. Its access control product helps to secure not only virtual systems, but also the hypervisor itself, and its log management facilities provide consistent activity and compliance reporting across all environments.

SOLUTION OVERVIEW

CA Technologies’ IAM approach is comprehensive, due to its range of available products, and wide-ranging, as it can provide numerous levels of business and user protection. The fact that it is wide-ranging is predominantly a strength, as whatever range of user and business protection services an organization requires, CA Technologies is likely to have a product to address it. In addition, the breadth of the solution, and the fact that it is highly integrated, can often simplify management of the components through common interfaces, among other things.

However, with any IAM solution (whether from a single vendor or multiple vendors), a phased approach is highly recommended. Each organization needs to be aware that the foundations of IAM ought to be fully addressed before taking on extended elements such as identity federation and external user management, yet these elements continue to be seen as market drivers.

CA Technologies’ content-aware IAM suite consists of an integrated set of products that automate the management of users and their identity-based access to information, throughout the lifecycle of their relationship with an organization and its systems. To put this into context, CA Technologies’ IAM Suite provides a range of core IAM services that manage identity, control user access, and control use of information resources. They are administered through a centralized workflow-based identity lifecycle management approach that includes the creation, modification, deletion, and audit-level reporting of user-access rights.
Core IAM facilities include:
- Entitlement-based role management, which delivers full-featured automated role discovery, real-time role management, entitlement management, and audit and analysis reporting.
- Web and enterprise access management, which protects against the improper use of key applications through its ability to restrict and control web and enterprise application access.
- Web and enterprise SSO, which provides secure single-source access to web and enterprise facilities.
- Federated identity management (FIM), which allows identities and their associated access rights to be shared across business operations and with third-party business partners.
- Privileged-user controls, addressed on two levels: privileged-user password management provides one-time administrator passwords and separation-of-duty controls; and privileged-user management delivers granular controls for operating system resources.
- Unix Authentication Broker, which enables Unix and Linux servers to authenticate users through their Active Directory (AD) credentials.
- Service-oriented architecture (SOA) security, including web services security controls.
- Software development kit (SDK) facilities, which allow IAM facilities to be embedded in homegrown applications.
- Software-based strong authentication, including risk-based authentication for fraud prevention.

An extended range of user and data protection facilities to address business and operational security requirements is also available. This includes:
- A suite of DLP products that can be used to discover, classify, and control the use of sensitive information.
- Log management, analysis, and reporting facilities that help organizations to understand and manage user access to information resources and, as a result, help to address compliance and audit requirements.

The products that CA Technologies uses to deliver its range of IAM protection services are all well established within the identity management industry, and include:
- CA Identity Manager (version 12.5).
- CA SiteMinder (version 12.0).
- CA Access Manager (version 12.5).
- CA Role & Compliance Manager (version 12.5).
- CA Federation Manager (version 12.1).
- CA SOA Security Manager (version 12.1).
- CA DLP (version 12.5).
- CA Enterprise Log Manager (version 12.1).

The architecture diagram in Figure 1 identifies where each of these products fits within CA Technologies’ IAM infrastructure and how they interact as a complete IAM suite. It also shows how core IAM services such as provisioning, access entitlements and audit reporting are delivered.
[Figure 1: The CA Identity and Access Management Solution. Source: CA Technologies. Components shown: Role & Compliance Manager (Role Management, Governance, Entitlements, Audit); Identity Manager (ID Management, Provisioning, ID Admin, Provision, Audit Summary of Identities and Access); SiteMinder (Web Access Mgt w/SSO, Federation, SOA Management); Access Control (Privileged User Mgt, Host Access Mgt); DLP (Data loss prevention); Enterprise Log Manager (User Activity and Compliance Reporting, Audit).]
SOLUTION ANALYSIS

Authentication

Organizations need to maintain strong, efficient and, at the same time, appropriate user-authentication systems: strong, to address compliance and systems protection issues; efficient, to ensure that users are able to fulfill their roles; and appropriate, to allow user access that does not inhibit productivity. CA Technologies promotes user efficiency through its centrally managed authentication, authorization, and SSO facilities, and its automated user provisioning services. Its proposition also extends to the use of federation across collaborative business relationships.

CA SiteMinder manages the authentication of users, and controls which users are authorized to access which applications. It retains the accountability for determining the conditions and controls under which normal access and extended user privileges can be provided. At the same time, it retains responsibility for simplifying access for user groups, relieving the systems administrator’s security burden, and utilizing its monitoring, policy enforcement and reporting services to address necessary regulatory compliance issues.

SiteMinder supports a wide range of authentication techniques, which is an issue of growing importance to most business organizations as the number and range of information-access demands continues to grow.

The CA IAM suite also includes the WebFort and RiskFort products, which were part of the recent acquisition of Arcot. Arcot WebFort is a software-only multi-factor authentication solution that is integrated with CA SiteMinder to transparently protect and verify web users’ identities. It protects users from identity theft and fraud without changing their familiar sign-on experience and without the need for hardware tokens. Arcot RiskFort is a fraud detection and risk-based security system that prevents fraud in both consumer and enterprise online services.
It also provides organizations with the ability to determine and enforce different levels of authentication based on the acceptable amount of risk for each transaction. When combined with CA SiteMinder, this set of products provides high flexibility and increased security for user authentication services.

Provisioning, role management, and certification

Provisioning, role management and certification are important elements of IAM. In the past, poor management and maintenance have caused organizations to lose control over users, entitlements, and roles.

CA Technologies’ lifecycle approach begins with the initial creation of user identities. It then takes into account the allocation of accounts and access entitlements that users require, includes the ongoing modification and validation of the need for these entitlements as the user and their roles change, and continues until the removal of provisioned rights on termination. This approach makes use of role management and role mining capabilities within CA Role & Compliance Manager to streamline the management of users. It also provides compliance processes and controls, such as automated entitlements certification or segregation of duties policies, to ensure that the relevant mandates are addressed.

CA Identity Manager provides identity administration, provisioning, and auditing for managing user identities. For web users, the product provides provisioning and management of all usage rights and business roles. From a cost and efficiency standpoint, many of the ongoing provisioning services offered can be set up to be delivered using self-service and delegated administration facilities.

CA Role & Compliance Manager adds to the product set’s range of identity management services by streamlining the process of defining, managing, and governing roles and entitlements on an ongoing basis.
In addition, CA Enterprise Log Manager provides audit-level user activity monitoring and compliance reporting to complete the provisioning and role management picture.

Password management

Password management covers user authentication approaches, from those that are supported by the use of simple static passwords, through to well-structured, constantly changing password management infrastructures that operate alongside core IAM components, including SSO, provisioning, role management, and associated helpdesk services.
At the high end of the password management arena, there is a particular need to provide controls that are capable of dealing with privileged-user access. Privileged-user management and privileged-user password management facilities are needed to ensure that key operating system resources and administrator access rights are properly controlled. These are important security areas that many organizations have failed to control, leading to operational system vulnerabilities and lax administrator controls.

CA Technologies provides privileged-user protection facilities that address both systems and administrator control issues. Its Access Control product helps to reduce the risks involved in privileged usage by providing more control over privileged users and their access rights. It addresses administrator access to enterprise data, includes separation-of-duty controls, addresses server-to-server security across business networks and, using CA Enterprise Log Manager’s facilities, it provides secure management reporting services.

Access control

For organizations in general, one of the most complex IAM issues revolves around maintaining adequate levels of control over their system users. It is an ongoing requirement that has to be enforced properly. CA Access Control addresses the across-enterprise access control demands of all common systems resources. This includes providing control over all operational systems resources, including systems, applications, programs, files and processes.

As already discussed, these controls are also required to enforce the separation of administrative duties and server controls that are consistent with industry best practices and fulfill audit requirements.

FIM

Today’s interconnected business environments require partner interactions that involve shared access to information, making closer collaboration a necessity.
Federated partner networks and the need for increased inter-company connectivity also bring with them serious complexity issues, which necessitate FIM products that are able to share information securely and openly at a level that meets the needs of each partner in a federated relationship.

CA Federation Manager is a browser-based product that supports federated relationships across internal and external security domains. It controls secure SSO-based interoperability across security domains, including the information-sharing (federated) partnerships that organizations choose to activate with their business partners or cloud providers. The product’s role is to securely manage all interactions between authorized partnerships, as users transact and collaborate on projects that cross internal and external security boundaries. This involves enabling seamless access to third-party applications, while at the same time using its automation services to drive efficiency and to support new business opportunities.

Extended security management facilities

Included in CA Technologies’ extended content-aware IAM infrastructure is the ability to control how information is being used. Its additional DLP and security information and event management (SIEM) facilities allow organizations to discover, classify, manage and report on data usage.

CA DLP provides a range of data protection facilities that protect data-in-motion across networks, data-in-use on endpoint devices, and data-at-rest on servers and storage repositories. Its use can be aligned with CA Technologies’ core IAM products so that common usage policies and actions can be set up.

CA Enterprise Log Manager enables the filtering, correlation, and consolidation of information and events, and provides reports that can be presented in a range of business and technical views.
It also provides a large number of pre-defined reports tailored to the requirements of specific international regulations and best practices.

PRODUCT STRATEGY

Across most industries, the core need for identity-based control and protection systems is moving from the use of owned and user-managed infrastructure systems to a mixed range of traditional and virtual operations. The emerging use of cloud services also adds to the need for IAM facilities that can provide operational consistency.
CA Technologies recognizes that, despite short-term security concerns, there will be growth in the use of cloud-based environments. It is therefore positioning itself to take advantage of this up-and-coming technology trend with a strategy that includes the provision of ‘security to the cloud’, which extends the use of enterprise security facilities to cloud-based SSO and access control services. Its ‘security for the cloud’ services provide security protection and secure operating environments for cloud providers, and its ‘security from the cloud’ services provide security-as-a-service options for organizations that wish to make use of cloud-based protection services.

MARKET OPPORTUNITY

The target market for CA Technologies and its IAM suite is large enterprises. The company’s experiences with IAM show that while smaller organizations still need it, their problems are often less inhibiting and generally less severe than those of their larger counterparts. CA Technologies has customers in all markets, but with a strong emphasis on heavily regulated sectors such as financial services, healthcare, and security-conscious areas of government and federal agencies.

The company’s products are sold worldwide, but almost two-thirds of its business is still done in the US, with around one-third now coming from Europe, the Middle East and Africa (EMEA) and the emerging Far East markets. Almost 98% of sales are made direct-to-market using the company’s sales team, while the remaining 2% is conducted through resellers and business partners. CA Technologies sees its main IAM competitors as large software vendors such as IBM and Oracle, and to a lesser extent Novell and RSA, as well as Courion in specific areas.

GO TO MARKET STRATEGY

Two licensing models are available: perpetual licensing, with options that vary by product; and a subscription model.
In the former, for example, CA SiteMinder is licensed based on the number and type of user, whereas CA Access Control is licensed based on the number of servers being supported. The subscription model, on the other hand, uses the same licensing metrics as the perpetual approach, but payments are based on annual or multi-year agreements.

Key business and alliance partners include Atos Origin, Capgemini, and Deloitte, while country-based services partners include Devoteam, EDB, Fujitsu (Australia), Logica, and Telecom Italia. CA Technologies has a number of specific technology and distribution partner relationships:
- Radiant Logic – CA Technologies resells its Virtual Directory.
- Vordel – the Vordel XML gateway for threat protection is fully integrated into the CA SOA Security Manager product set as an original equipment manufacturer (OEM) product.
- Others – CA Technologies also partners with over 50 additional technology partners through its technology partner program, including ActivIdentity, Anakam, Imperva, KSI, SafeNet, and Sentrigo.

Future enhancements to the IAM product suite are included in CA Technologies’ IAM roadmap. They include the expansion of its content-aware capabilities through the continued integration of complementary components. This approach has particular relevance to CA SiteMinder and CA DLP, which are both being extended so that the sensitivity of the information being accessed can be a factor in the authorization decision. When considering entitlements and the potential for improper use, it covers time-of-access issues and the user’s previous use of sensitive information.

IMPLEMENTATION

Average implementation timescales range from pilot projects of around 10 working days to enterprise deployments of about 240 working days. Each implementation requires the technical services of systems and database administrators and, potentially, for the enterprise-level option, Java programmers.
Business support needs to be provided by HR specialists.
CA Technologies offers a range of business support services that can be used to speed up deployment. Its ‘rapid implementation’ approach – which involves fast start-up, fixed-price, and fixed-project implementations that cover the most commonly requested IAM functionality – can be used to get IAM services through to production more quickly. As part of this, CA Technologies offers education, transition, and support services. CA Technologies also offers solution implementations that provide more flexibility in scope and scale in order to address unique customer requirements, as well as post-implementation health checks for product and solution security.

A range of support services is available from CA Technologies, including business-critical support services, which are provided by CA Technologies’ support team. Business-critical support can be engaged by raising a problem ticket electronically via the web or via direct telephone contact. Customers can also search the CA Technologies problem database for resolutions. Typical support pricing is set at around 20% of the product licensing cost and is in line with industry standards.

Customer training requirements are extremely variable. Most organizations require basic administrative training with courses based on the products purchased. These can be provided on site, at a local CA Technologies training facility, or online.

Deployment options include on-premise and hosted, with the former option remaining the most commonly used. CA Technologies provides consulting, deployment and training services so that its customers become confident in managing their own environment. For the hosted option, CA Technologies partners with a number of hosted services providers which manage its solutions from approved hosted environments.

DEPLOYMENT EXAMPLES

British Telecom

British Telecom (BT) provides networked IT, telecommunications and broadband services to customers around the globe.
To support future growth and ensure that its services remained competitive, BT needed to build close relationships with its customers and suppliers, and provide secure access to online resources. To achieve this, the company decided to standardize its identity management services on a single IAM provider.

After an extensive benchmarking exercise, BT chose CA Technologies, and its technology now forms the backbone of BT’s reusable authentication capability for staff, suppliers, and customers. CA Technologies’ technology is used to perform around 36 million authentication transactions per day and to enable simplified sign-on for all of BT’s user communities.

The solution’s reusable authentication capability has helped BT to save an average of £4.5m per annum since the operation went live in 2004. It is also said to have enhanced overall customer experience and to have improved BT’s competitive advantage by reducing its time to market for new applications. BT has also extended its CA SiteMinder Web Access Manager deployment with identity federation to enable authorized users to access applications and data hosted by some of the company’s suppliers.

DBS

DBS is one of the largest financial services groups in Asia, with operations in 16 markets, more than 200 branches, and over 1,000 ATMs across 50 cities. The company needs to offer transactional services to its customers that are fast, convenient, and secure. Previously, it managed identities and access from within individual applications. DBS decided to implement an IAM platform that was centralized and could integrate with its existing online systems. The company selected CA Technologies and its SiteMinder, Identity Manager, and directory services as the basis of its IAM platform.

CA SiteMinder is used to provide two-factor authentication, and to eliminate the company’s previous security silos. Users now have SSO across their financial applications, which has helped to improve the overall user experience.
CA Identity Manager is used to administer user profiles, track the distribution of hardware tokens, and allow customer self-service for password resets.

Using CA IAM technology, DBS has achieved the following benefits: two-factor authentication for all customers; improved customer satisfaction rates through SSO and self-service; reduced risk of fraud due to improved security; and self-service cost savings.
The Louisiana Rural Hospital Coalition

The Louisiana Rural Hospital Coalition (LRHC) is a state-wide organization that represents 41 small rural hospitals. LRHC is responsible for finding ways to improve the level of healthcare services provided to the rural communities that these hospitals support. The problems it faced included the inability to share hospital records securely, which resulted in Health Insurance Portability and Accountability Act (HIPAA) compliance issues. After a thorough evaluation project, LRHC selected an integrated IAM solution from CA that includes SiteMinder, Identity Manager, and Access Control.

CA Identity Manager provides LRHC with a centralized identity administration interface for user accounts. Additionally, it plans to use Identity Manager to provide self-service password-reset facilities. CA SiteMinder is used to authenticate users for the LRHC portal and to control access to its hosted applications. CA Access Control provides authorized administrators with role-based access to the supporting infrastructure and servers, protects sensitive patient data, and enables security policies that enforce the segregation of duties, as required by HIPAA.

LRHC recognizes that it has achieved significant benefits through deploying CA Technologies’ IAM technology, including cost savings due to de-duplication, and the ability to share information between hospital practitioners, including shared access to patient records that can be accessed in real time. Granular authorization to portal applications is also now provided, so that access to these applications is easier, without giving practitioners too many entitlements.

World headquarters
CA Technologies
One CA Plaza
Islandia
New York 11749
USA
Tel: +1 (800) 225 5224
Fax: +1 (631) 342 6800

EMEA headquarters
CA Technologies
Ditton Park, Riding Court Road
Datchet, Slough, Berkshire
SL3 9LL
UK
Tel: +44 (0)1753 577733
Fax: +44 (0)1753 825464

www.ca.com
ENTRUST: Entrust IdentityGuard, GetAccess, & TransactionGuard
TECHNOLOGY AUDIT

Entrust
Entrust IdentityGuard, GetAccess, & TransactionGuard

CATALYST

The growth in demand by business users and consumers for access to systems and networks from any available location at any time forces IT administrators to provide unhindered access to the intellectual property of their organizations, while ensuring that critical data is not compromised. The need to adhere to compliance and regulatory requirements demands further care and collectively drives the requirement for identity and access management (IAM) solutions such as Entrust's products, which support the effective management of identity, authentication, access, and business and consumer protection.

Entrust provides a well-rounded IAM solution that focuses on business user and consumer needs that necessitate the effective management of user identity, risk-based authentication, and fraud detection. The product set provides a risk-based strong authentication platform that can be tailored to meet specific organizational needs. Fraud protection for consumers is addressed by the TransactionGuard product set. Core markets focus on two significant verticals: government and financial services. The solution also caters for other industries using its extensive range of web and enterprise facilities.

KEY FINDINGS

Strengths: Makes available a wide range of cost-effective, strong authentication facilities. Fraud prevention facilities are available as a mainstream component of the product set.

Weaknesses: Provides a rich and customizable policy platform in its web access control solution, but GetAccess lags behind in current web services standards support.

Key Facts:
• Does not require additional client software to deliver end-user authentication services.
• Entered into a merger agreement with Thoma Bravo in July 2009.

OVUM VIEW

The IAM market is highly competitive, as one would expect from a sector that includes large IAM and infrastructure providers such as Oracle, Sun, IBM, and CA. In response, Entrust provides an impressive portfolio of identity-based authentication, access control, and user protection products.

The latest releases of the Entrust IdentityGuard, GetAccess, and TransactionGuard platforms provide an extensive and integrated range of identity management, risk-based authentication, access control, and real-time fraud detection facilities. Their strength comes from the company's all-round ability to build and deliver an integrated set of identity-driven protection solutions that are relevant to the everyday business and operational needs of a wide-ranging group of businesses, irrespective of their size or location.

CHAPTER 7: ENTRUST – ENTRUST IDENTITYGUARD, GETACCESS, & TRANSACTIONGUARD 145
By making available a flexible range of single- and multi-factor authentication facilities, Entrust enables organizations to put in place appropriate authentication facilities that balance operational demands against business risk and regulatory compliance requirements. Add to this the solution's enhanced reporting and auditing capabilities, and Entrust has a well-rounded offering that enables organizations to build an integrated identity-based approach to the management and control of user access.

Recommendations

The Entrust IAM platform suits large enterprises, in that the inherent scalability of the overall solution enables it to deal with large and growing user communities. Traditionally, government, financial services, healthcare, and telecommunications have proven to be the company's strongest areas of success, which is also due to the solution's regulatory and associated industry control capabilities. In North America, Entrust's direct sales force concentrates its efforts on large enterprise opportunities; outside North America, and for small and medium enterprise (SME) sales generally, sales are made through partner channels, an area in which its IdentityGuard product set has enjoyed success.

Organizations typically select Entrust due to the high quality of its integrated product set, and because of its good reputation for the quality of its customer support and partner services. The company's renewal rate of over 90% supports the view that its products are built on sound technology, and it ranks high in terms of thought leadership, introducing market-relevant technology and understanding business needs.

SOLUTION OVERVIEW

Entrust IdentityGuard, Entrust GetAccess, and Entrust TransactionGuard form the core components of the company's IAM technology platform.

IdentityGuard

IdentityGuard is a risk-based authentication platform that includes the ability to deliver multiple levels of user and server authentication, which can be tailored to meet the risk management requirements of organizations and their various communities of information users. It uses a stateless architecture to deliver its services; therefore, load balancing and failover are easily accomplished using redundant servers.

GetAccess

GetAccess is a web-based, high-performance, functionally scalable web access control solution. Its role involves the provision of centralized access management to multiple applications using a single portal approach. The product has the capability to support SSO environments, provide access control to systems and applications, and control entry down to authorized groups, roles, and individual users. In addition, it is looking to extend its influence to the federated management requirements of internal and external access-control relationships.

TransactionGuard

TransactionGuard is a real-time fraud detection solution consisting of three core components: Real Time Fraud Detection, FraudMart, and the Open Fraud Intelligence Network. It transparently monitors transactions and uses passive detection techniques to identify fraudulent activity. The product uses behavioral understanding of transaction patterns and non-invasive fraud notification methods to deliver its protection services. Its real-time fraud detection identifies "normal" patterns of behavior via a rule-based approach (which helps reduce false positives) in combination with other factors such as the user's location, the time of day, and function usage patterns. All these factors are individually assessed by user-configured rules, which are used to determine a risk score. Based on the score attained, TransactionGuard uses application logic to decide what action is appropriate (for example, to stop a transaction based on potential fraud, or to make contact with the customer to discuss the circumstances).
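The rule-based scoring just described, as an added illustration (not Entrust code): each user-configured rule compares a transaction with the user's learned baseline and contributes points, and the total is mapped to an action. The Profile and Transaction types, the rule weights, the thresholds and the sample customer are all constructed for this example.

```python
"""Rule-based transaction risk scoring of the kind the text describes.

Added illustration, not Entrust code. Rule weights, score bands and the
sample data are constructed for the example; real deployments tune them.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Profile:
    """Baseline 'normal' behaviour for one user (constructed)."""
    usual_countries: set
    usual_hours: range        # local hours in which the user normally transacts
    usual_functions: set      # functions (e.g. 'view_balance') the user normally calls
    typical_amount: float     # typical transfer size


@dataclass
class Transaction:
    user: str
    country: str
    hour: int
    function: str
    amount: float
    new_payee: bool = False


# A rule returns (points, reason); points is 0 when the rule does not fire.
Rule = Callable[[Profile, Transaction], Tuple[int, str]]


def rule_location(p: Profile, t: Transaction) -> Tuple[int, str]:
    return (40, f"unusual country {t.country}") if t.country not in p.usual_countries else (0, "")


def rule_time_of_day(p: Profile, t: Transaction) -> Tuple[int, str]:
    return (15, f"outside usual hours ({t.hour:02d}:00)") if t.hour not in p.usual_hours else (0, "")


def rule_function(p: Profile, t: Transaction) -> Tuple[int, str]:
    return (20, f"function {t.function} not normally used") if t.function not in p.usual_functions else (0, "")


def rule_amount(p: Profile, t: Transaction) -> Tuple[int, str]:
    # Only meaningful for money movement; fires when more than 5x the typical amount.
    if t.function == "transfer" and t.amount > 5 * p.typical_amount:
        return (25, f"amount {t.amount:.2f} far above typical {p.typical_amount:.2f}")
    return (0, "")


def rule_new_payee(p: Profile, t: Transaction) -> Tuple[int, str]:
    return (15, "payment to a newly added payee") if t.new_payee else (0, "")


RULES: List[Rule] = [rule_location, rule_time_of_day, rule_function, rule_amount, rule_new_payee]


def decide(score: int) -> str:
    """Map a score band to an action (constructed thresholds)."""
    if score >= 70:
        return "block"      # stop the transaction pending investigation
    if score >= 35:
        return "step_up"    # e.g. out-of-band OTP, or contact the customer
    return "allow"


def assess(profile: Profile, tx: Transaction, rules: List[Rule] = RULES):
    """Return (score, action, reasons) for one transaction."""
    score, reasons = 0, []
    for rule in rules:
        points, why = rule(profile, tx)
        if points:
            score += points
            reasons.append(why)
    return score, decide(score), reasons


# Constructed sample: a retail customer who normally checks balances and
# makes small transfers from New Zealand during the day.
ALICE = Profile(usual_countries={"NZ"}, usual_hours=range(7, 22),
                usual_functions={"view_balance", "transfer"}, typical_amount=200.0)


def demo():
    """Score three constructed transactions: routine, suspicious, very suspicious."""
    cases = [
        Transaction("alice", "NZ", 12, "view_balance", 0.0),
        Transaction("alice", "NZ", 23, "transfer", 1500.0, new_payee=True),
        Transaction("alice", "RO", 3, "transfer", 4000.0, new_payee=True),
    ]
    return [assess(ALICE, tx) for tx in cases]


if __name__ == "__main__":
    for score, action, reasons in demo():
        print(score, action, "; ".join(reasons))
```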
Figure 1: Entrust Architecture (Source: Entrust)

Combining the use of Entrust's IdentityGuard, GetAccess, and TransactionGuard products enables organizations to exercise full control over who gets access to corporate information, as well as dealing with customer and citizen access to applications. It then, at a transaction level, takes into account the risk factors and requirements of all users and systems involved.

It is clear that some identity management solutions make demands on their clients that either do not fit their individual risk profiles or do not realistically meet their security needs, either under- or over-delivering on their protection requirements. Entrust's solution, on the other hand, appears more pragmatic, offering a more focused approach that ensures that its services and protection products are able to closely fit the needs of individual customers.

Entrust also provides an extensive range of complementary identity, access control, and user protection products that can be tailored to meet the needs of organizations and their users. These include:

• Entrust Authority, Entrust's public key infrastructure (PKI) solution, which supports the delivery of encryption, digital signature, and secure authentication services, and is offered either as a self-hosted solution or as a service.
• Entrust Certificate Services, which are available to secure and increase confidence in an organization's website. This is achieved by providing secure sockets layer (SSL) communications between web browsers and web and application servers, thereby enabling the security management of digital certificates, including support for Extended Validation (EV) and Unified Communication (UC) certificates, as well as Code Signing and Adobe Certified Document Service (CDS) certificates to enable trusted software and digitally signed documents.
• Entrust Entelligence Suite, which delivers a portfolio of products that provide organizations with SSL services across multiple enterprise applications. It includes: Entelligence Security Provider (ESP), a desktop protection component; a messaging server (the company's secure email gateway product); and Group Share, a network folder encryption product. The suite supports strong authentication techniques, including the use of digital signatures and encryption, and provides PKI protection for desktop users to securely authenticate their access rights.
• Entrust Secure Transaction Platform, which supports the secure use of web services transactions. In the web services environment, it provides a range of authentication, authorization, digital signature, and encryption facilities.
• Entrust TruePass, a PKI-based web security product that provides persistent security from the browser through to the web server, and to back-end application servers when authenticating visitors to a web portal. It enables users to digitally sign online transactions, and supports persistent data encryption and digital receipts. Another of its primary roles is to increase confidence in the use of online transactions.
• In partnership with SafeNet, Entrust distributes SafeNet iKey 2032 tokens as Entrust USB tokens, which provide two-factor authentication to desktops, virtual private networks (VPNs), wireless LANs, and web portals for secure remote and network access. They are also designed to work with Entrust's PKI product set.

The company provides a range of enterprise-level, encryption-based content protection facilities to protect information assets as they enter and leave the organization, but is not looking to provide a full DLP offering. In its latest version, Entrust has enhanced its range of authentication options by providing organizations (in partnership with SafeNet) with a multi-purpose secure smartcard. This device is capable of generating and storing all of a user's personal credentials, including private keys, passwords, and digital certificates.

SOLUTION ANALYSIS

Authentication

In addition to the various one-time password (OTP) hardware and software tokens that are available within the Entrust IdentityGuard solution, the range of authentication methods supported is extensive. They include:

• Grid authentication – plastic or paper cards with unique alphanumeric grids.
• Machine authentication – authentication of each user's preregistered machine at login or during high-risk transactions.
• Mobile authentication – out-of-band authentication that enables software-based one-time passwords to be generated on a user's mobile device, or sent to the device using SMS, email, PDA, voice, or other supported channels. In addition, Entrust IdentityGuard Mobile provides strong authentication for online financial transactions, presenting users with the details of their transaction out-of-band and generating an OTP on the mobile device based on the transaction details.
• Digital certificates – leveraging existing X.509 digital certificates issued by Entrust or a third party to authenticate users. Certificates can be stored locally or on secure devices such as smart cards and USB tokens. Organizations without an in-house PKI can obtain certificates via the Entrust Managed Services PKI.
• Knowledge-based authentication – an approach that challenges each user to answer preregistered questions.
• Scratch card authentication – users are supplied with unique OTP lists; each use provides OTP authentication and is then redundant.
• IP geo-location authentication – assesses a user's identity based on geo-location technology.
• Mutual authentication – allows end users to respond to an image and/or text that is unique to them, in order to authenticate the service to the user. Entrust also supports image and pass-phrase replay, a personalized and responsive approach in which a user-selected image or phrase is displayed to prove that a site is valid.

Entrust's use of soft mobile authentication tokens has significantly improved its range of authentication services, and its out-of-band transaction verification and SMS features are particularly relevant, given that man-in-the-middle and man-in-the-browser attacks are on the rise. This dynamic approach enables organizations to use extended and difficult-to-compromise authentication techniques.
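Server-side verification for the two card-based methods in the list above, grid cards and scratch-card OTP lists, as an added example that is not Entrust's code. The 5x5 grid, the sample card and the code list are constructed for the example; real cards differ in size and format.

```python
"""Grid-card challenge/response and one-time scratch-list verification.

Added illustration, not Entrust code. Grid size, alphabet and sample
values are constructed for the example.
"""
import hmac
import secrets
import string
from typing import Dict, List

ROWS = "ABCDE"
COLS = range(1, 6)                       # 5x5 grid (constructed size)
ALPHABET = string.ascii_uppercase + string.digits


def make_grid(rng=secrets) -> Dict[str, str]:
    """Issue a card: map 'A1'..'E5' to random single-character cells."""
    return {f"{r}{c}": rng.choice(ALPHABET) for r in ROWS for c in COLS}


def card_from_string(s: str) -> Dict[str, str]:
    """Build a card from 25 cell characters given row by row (for demo/test)."""
    cells = s.replace(" ", "")
    assert len(cells) == len(ROWS) * len(COLS)
    return {f"{r}{c}": cells[i * len(COLS) + (c - 1)]
            for i, r in enumerate(ROWS) for c in COLS}


def make_challenge(n: int = 3) -> List[str]:
    """Pick n distinct coordinates; the user reads those cells off the card.

    secrets.randbelow keeps the challenge sequence unpredictable, so an
    observer of one login cannot know which cells the next one will ask for.
    """
    coords = [f"{r}{c}" for r in ROWS for c in COLS]
    return [coords.pop(secrets.randbelow(len(coords))) for _ in range(n)]


def expected_response(grid: Dict[str, str], challenge: List[str]) -> str:
    return "".join(grid[c] for c in challenge)


def verify_grid(grid: Dict[str, str], challenge: List[str], response: str) -> bool:
    """Constant-time comparison so timing does not leak how many cells matched."""
    expected = expected_response(grid, challenge).encode()
    return hmac.compare_digest(expected, response.upper().encode())


class ScratchList:
    """OTP list: each code is accepted exactly once, then burned."""

    def __init__(self, codes: List[str]):
        self._unused = set(codes)

    def redeem(self, code: str) -> bool:
        if code in self._unused:
            self._unused.discard(code)   # a replayed code is rejected next time
            return True
        return False

    @property
    def remaining(self) -> int:
        return len(self._unused)


# Constructed sample card, rows A..E left to right.
SAMPLE_CARD = card_from_string("K7QM2 X9RLA 4TZ0B NV6PC E8HJD")

if __name__ == "__main__":
    challenge = make_challenge()
    print("challenge:", challenge)
    print("accepted:", verify_grid(SAMPLE_CARD, challenge,
                                   expected_response(SAMPLE_CARD, challenge)))
```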
Enterprise and web SSO

In web environments, Entrust IdentityGuard sits behind existing SSO/access control applications. It makes third-party authentication checks, effectively challenging the user and returning a pass or fail assertion for each access request. For enterprise remote access deployments, the product normally sits alongside an existing remote authentication dial-in user service (RADIUS) server to provide the same assertion services.

GetAccess provides role- and rule-based service delivery approaches. When used as an integrated component of an Entrust identity management strategy, it enables web SSO identity profiles to be used across an organization's infrastructure and beyond, where conformant third-party federated agreements exist. This level of protected access is delivered through the integrated use of centralized provisioning, workflow, auditing, reporting, and self-service delivery facilities.

User provisioning and role management

Entrust GetAccess uses policies to enhance role-based access control (RBAC) and to restrict user access to portal resources based on context-sensitive granular policy controls. It also provides logging information, which helps organizations track and control user access and policy execution. At the same time, Entrust IdentityGuard allows administrators to centrally access user and authentication management functions through its well-laid-out web administration interface. The interface enables administrators to create and assign authenticators to users, create policies based on groups and roles as well as across all users, assign temporary pass codes, configure the necessary authentication methods (as per the needs of the organization), and update user status. All of these functions can also be performed using a web services application programming interface, which supports easy integration with user identity management and provisioning systems.

Password management

The ability to manage passwords comes as a standard part of the Entrust IAM product set. The offering provides an open range of password control facilities that can be tuned to meet an organization's needs. The Entrust approach allows decisions on required password controls to be taken based on user access and information needs. Using the IdentityGuard Self-Service Server, the solution allows users to self-enroll. It also helps administrators to manage their users effectively. This includes activities such as self-registration (choosing a mutual authentication image, registering for either a grid or token, or both) and self-administration tasks (unlocking a challenge-response token, or changing or recovering a password). GetAccess's session management service is also used to create, validate, and remove user sessions and provide session-tracking facilities.

The Entrust IdentityGuard Server is used to capture user activities, which, in turn, expands the solution's reporting capabilities. Its workflow capabilities allow customization to take place so that organizations can configure interlinked commands as per their process needs. For example, this could involve configuring a series of commands to ensure that appropriate individuals are notified if a particular user loses their card or token.

Access management

Authentication requests accepted during enrollment or login are managed by the Entrust identification service. It forwards each request to the authentication and authorization modules or supporting web service for validation. The system's authentication modules contain specific functionality for each particular type of authentication request and, if a request is successful, a new session is granted through the Entrust GetAccess session management service.

Entrust GetAccess delivers a range of services that effectively handle all key access management requirements. These include runtime services for web servers that intercept incoming requests for resources, and the GetAccess entitlements service, which determines and controls the resources each user is allowed to access.

Other access management facilities supported within the GetAccess product set include login services, multi-domain services, and registry services. The system's authentication and authorization modules support authentication methods including user ID and password, Lightweight Directory Access Protocol (LDAP), Vasco tokens, X.509 certificates and smartcards, Microsoft .Net services, plus Entrust-specific and third-party authentication and authorization modules.
FIM

Entrust GetAccess provides SSO and single log-out across multiple applications that can reside in a single domain, multiple domains, or in domains that are federated through Security Assertion Markup Language (SAML) 1.x or 2.0. It supports integration with an organization's web partners and affiliates to deliver an improved and seamless end-user experience. Using its SAML capabilities, GetAccess provides identity federation services as both an identity provider and a service provider. GetAccess is certified for the US government's eAuthentication initiative, and completed SAML 2.0 conformance under the Liberty Alliance in 2006 and again in 2009. Because of the product's attribute sharing capability, it is possible to validate authentication across federated or bridged PKI environments.

Entrust believes that the market is just starting to recognize the need for fully featured federation services and is keen to extend its portfolio to include specific identity federation capabilities in other products. To achieve this objective, the company will be extending its SAML support to IdentityGuard during 2010.

PRODUCT STRATEGY

Entrust has set its target market fairly wide for its IdentityGuard and GetAccess solutions. These products are generally targeted at medium to large enterprises that are looking to make use of a cost-effective, strong-authentication IAM solution. Additionally, IdentityGuard's design has also allowed it to be deployed in SMEs. The one exception to this open-market approach is TransactionGuard, which, due to the focus of its core fraud detection facilities, is primarily targeted at financial institutions.

Entrust makes great play of its products' return on investment (ROI) capabilities. For example, Entrust IdentityGuard's ROI, compared with other traditional two-factor authentication solutions, is positioned as a low-cost option, focusing mainly on the use of non-infrastructure-based authentication methods that are less expensive to acquire, deploy, and manage. The supporting and very credible argument in favor of this approach is that IdentityGuard gives customers an open choice. Entrust does not mandate strong or weak authentication; customer organizations can make their own choices based upon strength, usability, regulatory compliance, and risk profile requirements. Other measurable savings include reduced helpdesk overheads, due to the availability of self-service facilities that result in lower levels of password reset requests.

Entrust operates a multi-channel go-to-market strategy that includes direct sales in North America and sales via strategic partners in Europe and Asia. It also makes use of value-added reseller channels.

IMPLEMENTATION

Entrust positions its implementation approach as low-risk, with minimal impact on existing operational systems. In the main, this is because there is no need to modify a customer's applications. Entrust deployments typically involve product installation, configuration, fraud rule tuning, live deployment, and associated operational training. Entrust claims that its IdentityGuard, GetAccess, and TransactionGuard solutions are straightforward to deploy; in particular, it claims that there is no firm need to use specialist resources to implement the company's solutions. For example, Entrust IdentityGuard is positioned as straightforward to install and, in operational use, leverages and integrates with existing user repositories, such as AD, other LDAP directories, or database structures. Web application integration is accomplished using simple Java calls or direct Simple Object Access Protocol (SOAP) calls. For front-end integration requirements, such as working with remote access VPN systems, change requirements are limited to configuration changes within the associated RADIUS servers. However, Entrust also makes available the facilities of its own professional services expertise.

For any IAM vendor, putting an accurate figure on average implementation timescales is difficult, as no two identity management projects are the same, and customer requirements range from simple to complex. However, across the board, Entrust products provide good platform support for a decent range of mainstream servers, web servers, and databases. Entrust can provide appropriate training for all of its products, and detailed documentation is available to back up its efforts. The company provides 24/7 first- and second-line telephone support for its complete product portfolio, and makes available customer extranet facilities.
Entrust is privately owned following the July 2009 decision of its stockholders to approve its merger agreement with Thoma Bravo. As a result of the increased financial backing that the new relationship provides, the company's future points toward growth through appropriate mergers and acquisitions, which will also help Entrust to remain a focused identity-based security company. Thoma Bravo is a leading private equity investment firm that has been providing equity and strategic support to experienced management teams and building growing companies for more than 28 years.

DEPLOYMENT EXAMPLES

Bank of New Zealand

Bank of New Zealand selected Entrust's IdentityGuard product based on its ease of use, the ability of the company to brand the grid card that it needed to use, and the significantly lower cost per user that it was able to achieve. Deploying Entrust IdentityGuard enabled Bank of New Zealand to offer strong authentication to all new consumer banking customers, rather than just a subset of users. During the first phase of the project, approximately 25,000 users were deployed within two weeks of the launch. In less than nine months, the bank issued over 130,000 grid cards, which represented close to half of its current online population. As a next step in the bank's campaign against online fraud, it implemented additional Entrust IdentityGuard capabilities, including device, knowledge-based, and mutual authentication.

Banco Santander

NeoSecure SA is the first Latin-America-based Entrust partner to implement and deploy Entrust IdentityGuard. Based in Chile, NeoSecure was responsible for developing a robust authentication solution for Banco Santander, based on Entrust's IdentityGuard technology. This solution has significantly increased the level of security for the bank's clients, protecting online users against data breaches and identity fraud while conducting Internet banking transactions. Use of the IdentityGuard solution is evolving, and it is now also being used to support authentication for the organization's telephone banking operation. These innovative facilities are being offered by the bank free of charge to its customers.

Xerox

Xerox operates in 160 countries with 53,700 employees worldwide. The company's previous online authentication solution made use of expensive, battery-powered tokens for roughly 20,000 members of its workforce. Its target was to protect four times that number of employees, contractors, and business partners (approximately 80,000 users) with a more seamless and cost-effective solution. The organization realized that the implementation of strong, two-factor authentication was necessary to protect its business and users from today's online threats. It chose the Entrust IdentityGuard grid card authentication solution because this simple-to-use and cost-effective solution provided a flexible, low-cost answer that allowed Xerox to meet its extended user protection and cost-saving goals.

DnB NOR

DnB NOR is the largest financial institution in Norway. It is responsible for the protection of more than 1.7 million online consumers and private and corporate banking customers. The organization wished to implement a seamless fraud detection strategy that would not require invasive integration with its existing back-end applications. To achieve these objectives, DnB NOR is using Entrust to provide real-time fraud detection and historical analysis facilities. The use of its fraud protection tools, coupled with critical data from the Entrust Open Fraud Intelligence Network, is helping to protect against online transaction fraud. The real-time protection facilities provided by Entrust also enable DnB NOR to collect data that help the organization to identify current and future potential fraud threats before they happen.

US Bank

US Bank, a top-five commercial bank in the US, was initially looking to address fraud threats within its online retail banking application. It implemented Entrust's TransactionGuard real-time fraud detection solution to provide visibility of all web interactions with customers. The solution allows the bank to monitor user transactions for fraudulent behavior and perform forensic analysis to determine what happened in cases of fraud. TransactionGuard also enables the bank to define new fraud rule patterns for automated detection. The organization quickly expanded its use of the Entrust solution to protect 28 retail and business banking applications without affecting its existing banking applications, and is further extending its use of the solution to include strong authentication via Entrust IdentityGuard, which will be triggered by risk levels determined by TransactionGuard.
Entrust worldwide headquarters: One Lincoln Center, 5400 LBJ Freeway, Suite 1340, Dallas, Texas 75240, USA. Tel: +1 (972) 728 0447. Fax: +1 (972) 728 0440.
EMEA headquarters: Unit 4 Napier Court, First Floor, Napier Road, Reading, Berkshire RG1 8BW, UK. Tel: +44 (0)118 9533000. Fax: +44 (0)118 9533001.
www.entrust.com
EVIDIAN: Evidian IAM Suite (version 8)
TECHNOLOGY AUDIT

Evidian
Evidian IAM Suite (version 8)

CATALYST

The Evidian IAM Suite consists of a broad range of integrated and modular identity and access management (IAM) components that enable organizations to employ a controlled and coherent approach to the management of user identity and access control policies in support of their enterprise operations.

Evidian IAM is used across all business sectors. Particular focus is currently being placed on government and healthcare in the public sector, and on specialist trading elements of financial services operations. Systems access demands extend beyond corporate boundaries, and information needs to be shared with business partners. This is a cross-industry solution that provides a pragmatic approach to federation. Its key components are: role management, which defines and applies security policies; identity management, which controls digital identities; and access management, which secures access to systems and data. The primary market for the Evidian IAM Suite is medium- to large-enterprise organizations that are looking for an integrated IAM approach that functions across distributed heterogeneous infrastructures.

KEY FINDINGS

Strengths: A mature product that supports key areas of access, identity, and role management. Unifies and maintains control over user access rights, irrespective of location, while retaining the required levels of control on behalf of the business.

Weaknesses: Market penetration away from EMEA, particularly into North America, remains elusive.

Key Facts:
• Operational platforms supported include Windows, Linux, Solaris, and IBM Advanced Interactive Executive (AIX). HP/UX and z/OS are supported as provisioning connectors.

OVUM VIEW

Evidian IAM Suite (version 8) is a fully featured IAM offering. Its core components cover the key user and systems control areas of role management, identity management, and access management. Within the solution, Evidian adopts a workflow-driven, policy-based approach to address how its identity-centric access control facilities are delivered. It then continues to retain all elements of user and usage control as the requirement extends to managing federated relationships with business partners.

CHAPTER 7: EVIDIAN – EVIDIAN IAM SUITE (VERSION 8) 155
The strength of the solution comes from its ability to unify and maintain centralized control over user access rights, while building automated delivery processes that support ease of access for all users, and retaining the required levels of control on behalf of the business. Central management is supported by the product's ability to operate across distributed environments and efficiently deliver local services at source.

To date, many IAM projects have struggled to achieve their aims due to overly complex objectives and unrealistic goals. Whenever practical, Evidian uses a simple start-up approach that focuses on key business requirements, such as SSO services for the most important user groups, and then switches to a phased approach that can be extended to deliver enterprise and wider benefits.

Recommendations

Organizations that can gain business advantages from an enterprise or even a global enforcement policy towards the management of users and their systems' access rights should consider the Evidian IAM Suite. It is recommended particularly for those that operate distributed operations or support the access needs of remote and mobile workers.

To date, Evidian has not provided a solution that addresses the small business market, and this remains an area where it has little or no presence. However, things are likely to change over the next two years. The company is preparing a packaged SME approach (for organizations with 500–5,000 users) that will start with the release of its Ready-To-Go SSO edition of access management.

Evidian provides an inclusive set of IAM facilities that have the control and flexibility to address the needs of a wide range of business organizations. This makes the Evidian IAM Suite the type of user and business protection product that organizations ought to deploy and retain.

SOLUTION OVERVIEW

Evidian IAM Suite is both an integrated and a modular IAM solution. The suite has three core components: role management, identity management, and access management.

Role management

Role management defines, applies, and manages security policies within the IAM environment. Its services are aligned with the need for strong business-focused protection processes. Role management services are delivered using the Evidian Policy Manager and Evidian Approval Workflow products.

Evidian Policy Manager provides a single-console control approach to web and enterprise usage. It defines and enforces organizational security policies. Policy Manager delivers its services using the Evidian reconciliation engine to detect and report on differences between an organization's identity and access policies and the actual state and access usage of its systems. The product controls the organization's IT security policy as it relates to system users, their roles, and their access rights. Using Evidian Policy Manager, an employee's usage rights depend on their role within the organization; therefore, their access permissions relate directly to real-world business roles.

Evidian Approval Workflow automates decision-making chains, from access rights approval to account creation. It puts in place an organized responsibility chain to deal with the lifecycle management of identity. Workflow processes are defined through a graphical interface using a web forms feature, and are equipped with escalation and delegation facilities triggered by predefined control parameters.
[Figure 1: Evidian Identity and Role Management Architecture. Source: Evidian. Diagram not reproduced; labelled elements: Policy Manager, Approval Workflow, Requests process, Reconciliation process, Identity repository (SIB), User Provisioning process, Administrator, End user, Applications.]

Identity management

Evidian identity management addresses the creation and maintenance needs of users and their digital identities. Its services are supported by Evidian’s User Provisioning and ID Synchronization products.

Evidian User Provisioning

Evidian User Provisioning enables administrators to automatically provision user accounts and their information across distributed and heterogeneous environments. Once usage policies have been defined, User Provisioning ensures that they are enforced. The product’s automated reconciliation engine checks policies against what is happening in the live environment and, where necessary, allows corrective actions to be taken. Integration with the suite’s SSO facilities assists with the identification of inactive or orphan accounts, and approval workflow is used to automate decision-making chains.

Evidian ID Synchronization

Evidian ID Synchronization creates a sustainable identity repository to store all identity-related data. It synchronizes and consolidates identity data and uses it to build an organization’s LDAP directories. The approach is particularly valuable to operations that work across distributed environments with multiple heterogeneous identity sources, and can also be used to create directories from scratch.

CHAPTER 7: EVIDIAN – EVIDIAN IAM SUITE (VERSION 8) 157
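The reconciliation that Policy Manager and User Provisioning perform, and the orphan and inactive account detection that draws on SSO usage data, reduce to a set comparison that is worth seeing in code. The following Python is an added example written for this page, not Evidian code; the role policy, identity repository, target-system dumps and last-login dates are constructed sample data, and the 90-day inactivity threshold is an assumed parameter.

```python
"""Reconcile role policy against live account dumps: missing and excess
entitlements, orphan accounts, and accounts unused according to the SSO layer.
Added illustration with constructed data; not Evidian code."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed role policy: role -> {target system: entitlements the role grants}
ROLE_POLICY = {
    "teller": {"core-banking": {"TELLER"}, "ad": {"Domain Users"}},
    "branch-manager": {"core-banking": {"TELLER", "APPROVE_TX"},
                       "ad": {"Domain Users", "Branch-Mgrs"}},
}

# Constructed identity repository: login -> roles and whether the person is still active
IDENTITIES = {
    "alice": {"roles": {"teller"}, "active": True},
    "bob": {"roles": {"branch-manager"}, "active": True},
    "carol": {"roles": {"teller"}, "active": False},   # has left the organization
}

# Constructed dumps pulled from each target system: target -> {login: entitlements}
LIVE = {
    "core-banking": {
        "alice": {"TELLER", "APPROVE_TX"},   # APPROVE_TX is not justified by her role
        "bob": {"TELLER"},                   # policy says he should also have APPROVE_TX
        "carol": {"TELLER"},                 # owner deactivated: orphan
        "svc_batch": {"APPROVE_TX"},         # no owner in the repository: orphan
    },
    "ad": {
        "bob": {"Domain Users", "Branch-Mgrs"},
        # alice has no AD account although her role requires one
    },
}

# Constructed last-login dates per (target, login) as reported by the SSO service
LAST_LOGIN = {
    ("core-banking", "alice"): date(2011, 5, 30),
    ("core-banking", "bob"): date(2011, 5, 31),
    ("core-banking", "carol"): date(2010, 11, 2),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # excess | missing | orphan | inactive | missing-account
    target: str
    login: str
    detail: str = ""


def expected_entitlements(roles, policy=ROLE_POLICY):
    """Union, per target, of the entitlements granted by each of the user's roles."""
    expected = {}
    for role in roles:
        for target, ents in policy.get(role, {}).items():
            expected.setdefault(target, set()).update(ents)
    return expected


def reconcile(identities=IDENTITIES, live=LIVE, last_login=LAST_LOGIN,
              policy=ROLE_POLICY, today=date(2011, 6, 1), inactive_days=90):
    """Compare what policy says each account should have with what the target reports."""
    findings = []
    for target, accounts in live.items():
        for login, actual in accounts.items():
            ident = identities.get(login)
            if ident is None:
                findings.append(Finding("orphan", target, login, "no identity in repository"))
                continue
            if not ident["active"]:
                findings.append(Finding("orphan", target, login, "identity deactivated"))
                continue
            expected = expected_entitlements(ident["roles"], policy).get(target, set())
            for ent in sorted(actual - expected):
                findings.append(Finding("excess", target, login, ent))
            for ent in sorted(expected - actual):
                findings.append(Finding("missing", target, login, ent))
            seen = last_login.get((target, login))
            if seen is None or (today - seen).days > inactive_days:
                findings.append(Finding("inactive", target, login, f"last login {seen}"))
    # The reverse direction: policy requires an account the target does not have.
    for login, ident in identities.items():
        if ident["active"]:
            for target in expected_entitlements(ident["roles"], policy):
                if login not in live.get(target, {}):
                    findings.append(Finding("missing-account", target, login))
    return findings


def summarize(findings):
    """Counts per finding kind, the figure a reconciliation report leads with."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:16} {f.target:13} {f.login:10} {f.detail}")
    print(summarize(reconcile()))
```

Run it directly to print the findings. The orphan cases are the ones an SSO-integrated reconciliation catches that a pure policy comparison misses: a service account with no owner and a departed user’s account that still exists both surface even though their entitlements might match some role on paper.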
Access management

Evidian access management secures access to systems and applications by controlling how users make their connections. It delivers strong authentication, password management, and access auditing services. The Evidian products involved are Evidian Enterprise SSO, Evidian Web Access Manager, Evidian SOA Access Manager, Evidian Access Collector, and Evidian Data Privacy.

Evidian Enterprise SSO

Evidian Enterprise SSO is a fully featured and scalable SSO product. Its services operate in conjunction with complementary security products such as multi-factor authentication tokens, smartcards, USB keys, biometrics, and certificate-based digital signatures. Self-service enrollment facilities are included. They are delivered through a browser-based interface that enables authorized users to self-enroll, amend passwords, and reset existing credentials.

Evidian Web Access Manager

Evidian Web Access Manager is a central access control facility for web applications. It supports the use of password, RADIUS, token, certificate, smartcard, and biometric authentication. The product enables secure interoperability across federated user communities through its support for SAML-based identity credentials.

Evidian SOA Access Manager

Evidian SOA Access Manager delivers authentication and authorization services for multi-domain applications operating in SOA environments. It supports the access needs of users from other domains of the enterprise and of known users from outside the corporate perimeter, such as external customers or business partners.

Evidian Access Collector

Evidian Access Collector brings together existing access policies and user accounts. It records and stores them in an LDAP directory, and uses the data to build a complete operational picture of which users have access to each of the organization’s systems and which accounts are actively being used to provide that access.
Evidian Data Privacy

Evidian Data Privacy deals with access protection at file level. It is made up of two separately licensable components: Evidian Laptop Protection (for the protection of files on a PC) and Evidian File Encryption (for the protection of files exchanged between groups of users over a network).

[Figure 2: Evidian Access Management Architecture. Source: Evidian. Diagram not reproduced; labelled elements: Security Middleware, Web Access Manager (WAM), Enterprise SSO (E-SSO), Mobile E-SSO, Strong Authentication, Audit, Secure Access, WG data; flows labelled "Authenticate and retrieve policies" and "Perform SSO".]
SOLUTION ANALYSIS

Authentication

Organizations need to be concerned about the strength and quality of the authentication components that their IAM suppliers are able to support. Evidian controls how users are allowed to access their computer systems and data through the use of strong authentication techniques, password management, and authenticated usage monitoring. It uses the authentication methods that are most appropriate to organizations and their users. These range from simple passwords, which remain useful in the right environments, through to OTP tokens, smartcards, and biometrics on corporate PCs with remote access connectivity and SSO requirements.

Enterprise and web SSO

Clean access and usability are key issues for all system users. Once a user’s credentials have been accepted and access is allowed, it is important to be able to move between applications without hindrance, while retaining the right levels of security and access control. Evidian Enterprise SSO provides mature and scalable SSO facilities with a proven track record. It combines ease of use with the organization’s need to comply with regulatory demands and security policies. Evidian Web Access Manager delivers the solution’s web SSO capabilities.

Provisioning and role management

Some of the most neglected areas of IAM include elements of provisioning and role management. Poor management and lax maintenance have led to situations in which organizations have lost control over their users. Evidian’s user provisioning and role management facilities address these issues by controlling and automating the delivery of access rights and associated services. Its approach helps with compliance, as access procedures are formalized and enforced from a single manageable source. Auditors can also check that the deployed services are effective and appropriate.
For the business, the requirement involves ensuring that users are provisioned with the access facilities they need to fulfil their operational roles, while restricting access to sensitive data. Evidian ensures that each employee’s provisioned rights are controlled by their role within the organization, place of work, and responsibilities, so their access matches real-world roles. It also addresses the need for automated de-provisioning services that match the organization’s access policies.

Password management

Although often talked about as the weakest link of IAM, password management remains a cornerstone activity. The term covers anything from simple-to-discover fixed passwords through to well-structured, frequently updated password management infrastructures, which can be fully integrated with other core IAM components including SSO, role management, and associated helpdesk services. Within Evidian IAM, password management is supported by a relevant and responsive set of facilities that includes strong password-based authentication techniques. Taking into account the need for good working practices and compliance with an organization’s security policies, Evidian’s approach to password management also recognizes the ease-of-access demands of the whole user community. Its business continuity approach supports always-online user access demands, and even allows users who forget their authentication tokens to be given temporary and controlled password access. Such fallback access should be time-limited and audited, since for its duration the assurance level drops from the token to a password alone.

Access control

Access control manages which systems authorized users can get access to, when that access is allowed, and what they can do once they are there. For many organizations, one of the most complex tasks is maintaining the right levels of control over their system users. This is an ongoing activity that has to be properly enforced from the beginning if it is to be effective. Evidian recognizes that a common issue in IAM projects is the need to efficiently collect existing access policies and user accounts.
It speeds up the collection phase using a combination of its access management and enterprise SSO products. User access is continuously analyzed and, over an appropriate time frame, Access Collector builds a complete view of who has access to which systems and which accounts are actually being used. This information forms the basis of role-based management and can then be turned into deployable policy. The product’s reconciliation engine is then available to maintain control over any differences between the policies in place and live usage.
FIM

As business requirements extend beyond corporate boundaries, the requirement to share information and maintain control over who has access to that information brings with it the need for FIM. Supply chain demands for instant information access, and business partner and internal inter-departmental requirements to collaborate on projects, all require the sharing of information. Evidian provides facilities that support interoperability across federated communities. It offers SAML-based identity credentials and makes use of the product’s access management functionality to support the approach. Evidian also takes a very pragmatic stance on FIM. It believes there is no need for complex inter-company integration, and that internal and external projects that require federated collaboration should be controlled through local arrangements.

PRODUCT STRATEGY

Evidian provides a horizontal IAM offering that is applicable to most markets. The company has an established presence across many industries, and is particularly strong in EMEA. However, in areas such as North America, its products are less well known. At present, Evidian is focusing its attention on two areas in particular: government organizations, addressing public sector requirements in general and healthcare in particular; and financial institutions, focusing on the provision of value-added services, such as authentication management, that meet the needs of trading rooms or remote branch operations.

In addition to Evidian’s continuing efforts to sustain and grow its core markets (organizations with 5,000–100,000 users), the company is developing packaged IAM products for the SME community (500–5,000 users). The first offering was launched as a Ready-To-Go SSO edition of access management, and further packages are expected during 2010 and 2011. Market-focused versions are also being introduced.
An example of this is its IAM suite for healthcare, which will include workflows and provisioning connectors specific to the healthcare environment. Further industry releases are planned for retail stores, regional communities, and SMEs.

The company has also seen an increase in demand for global reinforcement and management of user access controls in the extended enterprise, and recognizes that to achieve these objectives it needs fully featured access management facilities. Therefore, it is providing secure web and enterprise SSO facilities for users of core applications regardless of their origin, which could include access requests from diverse sources such as corporate PCs, cyber cafes, and personal devices.

ROI is realized through enhanced security, automation, and productivity improvements enabled by the use of the Evidian IAM suite. A primary ROI driver is helpdesk call rate reduction, as most helpdesk overheads involve requests for password resets. Evidian provides self-service reset facilities, substantially reducing the need for helpdesk intervention.

The route to market for Evidian in EMEA is mainly direct or through its parent organization, Bull, for sales into the public sector or opportunities in Eastern Europe and Africa. The company also makes use of other partner channels. In North America, it has an OEM agreement with Quest Software, while in Asia its main OEM partner is NEC Computers. In addition, Microsoft frequently recommends the Evidian Enterprise Single Sign-On (ESSO) solution in EMEA. Other technology partners include Oracle, Microsoft, Gemalto, RSA, HID, Precise Biometrics, Upek, AuthenTec, and BIO-key.

Evidian’s product release strategy involves one major release and one minor release per year. Its licensing is perpetual on a per-user basis. Contract values depend on the number of users as well as the number of modules within the IAM stack that are being licensed.
A typical entry-level SSO project costs about €40,000, with a 70/30 split between software and services. Average-sized projects, including full access management and dedicated customer deployment, cost around €400,000, with the same 70/30 split between software and services. The largest projects, which deliver full IAM deployments and have a 50/50 cost split, come in at around €1m.

Evidian is a Bull Group company and was established as a corporate subsidiary in July 2000. Bull is an international group that specializes in designing secure IT infrastructure.
IMPLEMENTATION

IAM implementations tend to be highly technical, resource-hungry operations. Timescales vary depending on project complexity and overall requirements. Evidian took these issues on board and came up with an approach that allows simple SSO deployments to be completed in days rather than weeks. Taking in the bigger picture, access management deployments can be completed in about 10 days for a pilot project, 20 days for a 30-user departmental deployment, and around 30 days for a 500-user enterprise deployment. Typical skills required include knowledge of directories and applications. For full IAM projects, the average timescales increase to 20 days for a pilot project, 40 days for a 30-user departmental deployment, and 50 days for a 500-user enterprise deployment. For full IAM deployments, the required skills are more extensive, covering directory and database skills (provisioning connectors) and web page design (workflows).

Evidian’s total customer base includes more than 600 organizations, with over 450 using its IAM product set (77 of which were new additions during 2009). To support all implementation requirements, Evidian provides:
- A range of professional services that cover architecture and deployment approaches.
- IAM integration expertise in the key areas of strong authentication techniques, including the integration and validation of non-standard smartcards and specifications for setting up biometric and radio-frequency identification (RFID) operations.
- Installation skills that cover high-availability set-up and clustering operations, and verification with selected directory infrastructures.
- Testing and performance-setting skills.
- Development and integration of customer-specific or third-party components and procedures, including the use of custom migration tools.

A range of on- and off-site training courses is available, covering simple access management training as well as training for global IAM projects.

Technical support for the solution is available on three levels. Standard support provides callback within a four-hour time frame and is charged at 19% of the contract price. Extended support provides callback within a two-hour time frame and is charged at 28%. Personalized support is designed to fit each customer organization’s specific needs (charge rates are governed by the specified requirement). Each offering covers product usage issues, the identification of problems and available solutions, answers to new problems, supported release issues, and new fixes. Round-the-clock access to the company’s support website is also available.

Platforms supported include Microsoft Windows, Red Hat Linux, SUSE Linux, Sun Solaris (versions 8, 9, and 10), and IBM AIX (versions 5 and 6).

DEPLOYMENT EXAMPLES

A leading energy company with over 110,000 employees and operations in more than 130 countries selected Evidian Enterprise SSO and Evidian Web Access Manager to simplify and secure its password management systems and improve access to applications using secure smartcard authentication. The aim of the project is to improve usability and security through the rigorous engagement of user identification and strong access controls that link to validated user profiles, audits, and alarms. A further target is to reduce the support costs associated with the management of passwords.
Successes achieved include 24/7 access to IT systems, scalability across international branches from an enterprise-wide deployment to 70,000 PCs, and improved security that protects access and audit information.

A leading banking services provider with over 3,000 branches and more than 9.5 million individual customers chose Evidian to provide its Enterprise SSO, Windows and multifactor authentication services, self-service password reset facilities, kiosk, mobile ESSO, and group reporting services for all its corporate, retail, and international banking activities. A further innovative “cluster mode” project is currently in its pilot phase in the company’s trading rooms.
A leading provider of technology solutions to the travel industry selected Evidian’s identity management, user provisioning, and access management products to manage and protect its intranet and extranet applications. It also implemented Evidian Enterprise SSO and Evidian Web Access Manager. The product set is used by over 8,500 staff across several countries, with Evidian SSO providing transparent SSO access to all applications. The range of operational systems supported includes Windows, web, Unix, Lotus Notes, and IBM mainframes via 5250 and 3270 emulation.

Bull Evidian, Rue Jean Jaures, BP 68, 78340 Les Clayes-sous-Bois, France. Tel: +33 (0)1 30 80 70 00. Fax: +33 (0)1 30 80 73 73. www.evidian.com
Bull Evidian, Concorde House, Trinity Park, Solihull, Birmingham B37 7UQ, UK. Tel: +44 (0)870 2400040. Fax: +44 (0)121 6355691. www.evidian.co.uk
E-mail: info@evidian.com
OVUM Butler Group, Technology Evaluation and Comparison Report: HITACHI: Hitachi-ID Portfolio (WWW.OVUM.COM)
TECHNOLOGY AUDIT

Hitachi
Hitachi-ID Portfolio

CATALYST

Identity and access management solutions enable user access rights to corporate systems to be managed efficiently and securely. Hitachi’s ID portfolio has some important differentiating features:
- Hitachi has adopted a practical approach to role and group management that allows these functions to be used only where they are helpful. It regularly reviews access rights to remove obsolete entitlements.
- Password synchronization enables access to most applications and delivers the productivity benefits of an SSO product without the complexity of maintaining tables of passwords for each user.
- It reduces the helpdesk and administrative burden through a good range of self-service features, including interactive voice response.

KEY FINDINGS

Strengths:
- The password synchronization approach gives a simple and secure access management mechanism.
- Integrates with a broad spectrum of target applications, platforms, and service desk tools.
- Automates the access certification and request management process.

Weaknesses:
- Risk-based reporting of existing access rights would have been useful.
- Greater focus on defining user groups would be welcome.

Key Facts:
- Provides phone- and kiosk-based self-service password reset options for lock-out situations.

OVUM VIEW

The IAM function faces a number of challenges. Most large enterprises have deployed many packaged and homegrown applications that have their own access management components (with their own role definitions and entitlements), and possibly an overarching provisioning system.

Traditionally, access permissions are managed in a corporate LDAP directory, such as AD. Systems of Group Policy Objects have become very complex. Most access requests are managed using an ad hoc system of emails to supervisors and administrators. In the absence of an easily understandable record of entitlements, an out-of-date and insecure entitlements situation is almost inevitable.
Together with the proliferation of passwords that users have to remember for the applications they use, this leads to the service desk team being inundated with access requests and password reset requests. Over and beyond these familiar access management and governance challenges are areas where legacy technology has been inadequate. One such area is controlling access by users with administrator privileges. To summarize, the typical IT organization has many IAM challenges to address, and the problem cannot be ignored, given the number of regulations that require it to be addressed.

CHAPTER 7: HITACHI – HITACHI-ID PORTFOLIO 165
Predictably, the vendor community has come up with a number of approaches to address these problems. One of the approaches is SSO, which enables users to access a number of applications using one set of credentials. Users authenticate to the SSO module, which stores the credentials for all target applications, and the SSO module authenticates the user to the target applications. A more recent, and complementary, approach is seen in identity governance solutions that model roles and assign access rights to these roles for accessing applications (linking the business object “role” with target application-specific definitions). In addition, they provide workflows that automate access requests and access certification processes, provide the infrastructure for analyzing the existing access rights situation, and give risk-based reporting for compliance purposes.

While these approaches go a long way toward addressing access management issues, the technologies also bring a new set of problems. For example, the role management capabilities within the identity governance solutions, while very useful, require large upfront investments in time and effort. Every IAM solution operates using a mix of top-down (role definition based) and bottom-up (access request driven) mechanisms. Some of the current approaches to rationalizing the access management environment go further toward a top-down strategy than most client organizations find convenient. SSO also requires considerable initial investment to integrate the platforms and applications that it is required to control.

The Hitachi-ID portfolio offers solutions that are appropriate for most large enterprises. Its password synchronization technology, together with its ability to integrate with most common enterprise applications (which enables rapid deployment), enables the user to access most applications with a single password.
In addition, access rights are largely granted through user requests for access and periodic access reviews. Even the task of building an accurate representation of how the organization is structured has been shifted, intelligently, to business managers. Hitachi-ID supports a hierarchical reporting model that can be imported from some human resources tools, and allows other “dotted” reporting lines to be recorded. Supervisors regularly review their list of subordinates. The main drawback of this model is that it does not recognize the situation in which employees report to different managers when performing different roles.

Hitachi also has a realistic view of how the concept of a “role” can be used to define access rights. It allows roles to be used where several users have similar requirements, but it does not force administrators to define roles for users who have unique requirements. Some other tools force administrators into situations where they have to define more roles than they have users. Hitachi, however, allows a more ad hoc approach that reduces the effort required to get the identity management system operative. It also provides an RBAC enforcement engine that identifies discrepancies between user permissions and their roles (where appropriate). Ovum believes that Hitachi-ID’s focus on reducing the administrative and helpdesk burden, and the company’s focus on bottom-up IAM, reflect the way in which organizations operate.

Recommendations

An organization that has a legacy or homegrown IAM system should consider the Hitachi-ID suite. Typically, such a system would use application-specific links, and paper-, email-, and service management platform-based ad hoc processes. Organizations that need to satisfy regulatory compliance and whose access controls are not in alignment with current accountability requirements should evaluate Hitachi-ID. One particular area of concern that Hitachi-ID addresses well is privileged access for administrators.
Enterprises that are facing a massive and (usually) forced review of the access management environment due to a merger or acquisition would benefit from a solution of this nature. Typically, such organizations require an access management solution that supports key processes such as provisioning, certification, and access request management at a level abstracted from individual applications and technologies.
SOLUTION OVERVIEW

The Hitachi IAM portfolio comprises two broad categories of solution, namely the user provisioning and access management tools, and the password management tools. Figure 1 provides an illustration of how Hitachi-ID’s solutions work.

[Figure 1: Hitachi-ID Management Suite network architecture. Source: Hitachi-ID. Diagram not reproduced; labelled elements: Internet and internal users; a reverse web proxy behind a firewall; Hitachi ID application server(s) behind a load balancer, with an IVR server; target systems with a local agent (OS/390, Unix, older RSA) and target systems with a remote agent (AD, SQL, SAP, Notes, etc.); optional Hitachi ID proxy server(s); an authoritative system of record; a helpdesk ticketing system; SMTP or Notes mail; a password synch trigger from the user; transports labelled "TCP/IP + AES", "Secure Native Protocol", and "Various Protocols".]

Identity Manager – this is the core identity management product. It manages profiles (the record of a user and their access rights entitlements) and propagates these entitlements and any changes to the components handling provisioning and access management for the target applications. Other important aspects of identity management, such as automating requests for changes to entitlements and access rights reporting, are also handled by Identity Manager. Identity Manager uses the organization structure diagram to refer access requests to the appropriate business manager, rather than directing them to the IT administrator. Identity Manager also provides compliance-oriented features such as enforcing segregation of duties rules for both business users and privileged user accounts.

Access Certifier – this product periodically reviews the access rights of all users, and invites application owners, group owners, and managers to flag inappropriate privileges for de-activation.

Password Manager – synchronizes passwords so that a user has the same password for most of the corporate applications and systems (generally without agents installed on the target application).
It combines the password rules from all platforms to ensure that the chosen password satisfies them all. Hitachi-ID can connect to most common enterprise applications, operating systems, and network resources. Changes to any one password can trigger a password synchronization task across all systems. The Password Manager module also offers self-service management of other authentication credentials, such as pre-defined challenge-response questions, hardware OTP tokens, smart cards, biometric samples (principally voice prints), and PKI certificates. The module also provides self-service password resets and enforces regular password changes through email reminders and by blocking access to applications until the password is changed.
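Combining rules from several targets means taking the most restrictive value of each rule, so the composite policy can only be as permissive as the strictest target allows. The Python below is an added example written for this page, not Hitachi-ID code: the three target policies (assumed AD, mainframe, and SAP rules) are constructed, and the generator doubles as the kind of random password a privileged-account vault would set at each rotation.

```python
"""Composite password policy: intersect the rules of every target that a
synchronized password must satisfy, validate a candidate against it, and
generate a random password that meets it (privileged-account rotation).
Added illustration with constructed policies; not Hitachi-ID code."""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int            # legacy targets often cap length, and the cap wins
    min_upper: int = 0
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    allowed_special: str = "!@#$%^&*()-_=+[]{};:,.?"   # specials the target accepts
    forbid_username: bool = False


# Constructed sample policies for three targets (assumed, not from the report)
POLICIES = [
    PasswordPolicy("ad", 8, 127, min_upper=1, min_lower=1, min_digits=1, forbid_username=True),
    PasswordPolicy("mainframe", 6, 8, min_digits=1, allowed_special="@#$"),
    PasswordPolicy("sap", 8, 40, min_special=1, allowed_special="!@#$%_-"),
]


def combine(policies):
    """Take the most restrictive value of every rule; fail early if they conflict."""
    combined = PasswordPolicy(
        name="+".join(p.name for p in policies),
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_upper=max(p.min_upper for p in policies),
        min_lower=max(p.min_lower for p in policies),
        min_digits=max(p.min_digits for p in policies),
        min_special=max(p.min_special for p in policies),
        allowed_special="".join(c for c in policies[0].allowed_special
                                if all(c in p.allowed_special for p in policies)),
        forbid_username=any(p.forbid_username for p in policies),
    )
    required = (combined.min_upper + combined.min_lower
                + combined.min_digits + combined.min_special)
    if combined.min_length > combined.max_length or required > combined.max_length:
        raise ValueError(f"rules cannot all be satisfied: {combined}")
    if combined.min_special and not combined.allowed_special:
        raise ValueError("a special character is required but none is accepted by every target")
    return combined


def violations(pw, policy, username=""):
    """Every rule the candidate breaks, so the user can be told what to fix."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    if sum(c.isupper() for c in pw) < policy.min_upper:
        problems.append(f"needs {policy.min_upper} upper-case")
    if sum(c.islower() for c in pw) < policy.min_lower:
        problems.append(f"needs {policy.min_lower} lower-case")
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        problems.append(f"needs {policy.min_digits} digit")
    specials = [c for c in pw if not c.isalnum()]
    if len(specials) < policy.min_special:
        problems.append(f"needs {policy.min_special} special character")
    rejected = "".join(c for c in specials if c not in policy.allowed_special)
    if rejected:
        problems.append(f"characters not accepted by every target: {rejected}")
    if policy.forbid_username and username and username.lower() in pw.lower():
        problems.append("contains the user name")
    return problems


def generate(policy, preferred_length=16):
    """Random password that satisfies the policy, as long as the shortest cap allows."""
    length = min(policy.max_length, max(policy.min_length, preferred_length))
    pools = [(string.ascii_uppercase, policy.min_upper), (string.ascii_lowercase, policy.min_lower),
             (string.digits, policy.min_digits), (policy.allowed_special, policy.min_special)]
    chars = [secrets.choice(pool) for pool, n in pools for _ in range(n)]   # guarantee each class
    alphabet = string.ascii_letters + string.digits + policy.allowed_special
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):      # CSPRNG Fisher-Yates: no fixed class positions
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    policy = combine(POLICIES)
    print(policy)
    print(violations("Tr0ub@dor", policy), violations("password", policy))
    print(generate(policy))
```

With these sample policies the mainframe’s eight-character cap becomes the cap for everyone, which is the practical cost of synchronization: one legacy target can hold the whole estate at a shorter password than the other targets would accept. The check in combine() that rejects mutually unsatisfiable rule sets is the one to run before onboarding a new target.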
Group Manager – enables self-service management and more efficient usage of AD groups. All groups defined within AD can be modeled with the Group Manager module, and group managers are defined for each group. Group membership requests, which are typically made when a user is trying to access shared network folders, are routed through this module to the AD group owners to review and approve or reject. The Group Manager module is aimed primarily at reducing the system administrator’s workload by resolving requests in the business context.

Privileged Password Manager – Hitachi-ID eliminates the need for individuals to know the passwords to privileged accounts on systems and applications. Instead, passwords to privileged IDs are randomized frequently (for example, every day) and stored in an encrypted and replicated secure vault. People and software agents have to log in to the managed system through Privileged Password Manager to obtain a connection with administrator rights, and Privileged Password Manager will normally require them to authenticate to it with strong authentication. Users can be given continuous administrator access, or access on a once-only basis. Today, Hitachi-ID logs the occurrence of all privileged sessions but not what is done in each session. The next release will include video recordings of these sessions.

Login Manager – a program installed on the user’s desktop that auto-populates dialogue boxes and forms with login IDs and passwords. Login Manager captures the network login and password at the start of a user session so that they can be used to log in to other platforms and applications during the session. This results in fewer login IDs and passwords for the user to type.

Org Manager – this module is used to build an organizational chart, with supervisors updating the list of their direct reports. Dotted-line relationships can be documented for horizontal reporting relationships, but these are not used by the tool.
Identity Manager can use these data to determine who needs to authorize an access request. Access Certifier can use them to assign the task of reviewing user access rights. All Hitachi-ID products can use these data to route change requests for authorization and to escalate requests from non-responsive approvers to their managers.

Telephone Password Manager – addresses a common problem that adds considerably to the helpdesk team’s and IT administrator’s workload. Users who forget their passwords can reset them through a telephony-based interactive voice response (IVR) process. The IVR workflow can authenticate users using questions and answers captured at the time of enrollment, voice print authentication, or a hardware token. A password reset executed through Telephone Password Manager is processed by Password Manager, changing the password on one or more applications.

SOLUTION ANALYSIS

Enterprise and web SSO

The Hitachi-ID portfolio includes enterprise SSO (using Login Manager) but not web SSO functionality. Instead, it provides a single password to multiple applications through a password synchronization mechanism. The password to the user’s desktop is set as the password for all the applications the user needs to access that are integrated with Hitachi-ID. A password change for any of the applications triggers a password change for all other components. Applications have varying password rules in terms of complexity and size. Hitachi-ID requires the user to give a new password that complies with all of these rules. The trade-off a practitioner should weigh is that a single synchronized password is only as well protected as the weakest target that stores or transmits it, and the composite rule set inherits the shortest length cap and smallest character set among the targets.

User provisioning and role management

A variety of automated and approval-driven user provisioning mechanisms is provided. Hitachi-ID relies more on user-requested and supervisor-requested approaches than on formal roles. The Identity Manager module is the core solution for user provisioning.
The module monitors changes to system records that relate to target applications, and when a change relevant to a user’s role and entitlements is detected, the information is routed to the target system, triggering an entitlement change. Such a change may also trigger an approval workflow, possibly subject to segregation-of-duties policy compliance. Provisioning access to users, changing entitlements, and de-provisioning are all supported through workflows, and requests can be initiated by the users themselves or by supervisors (or others in positions of authority). The request workflow system supports approval by consensus and escalation procedures.
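The routing and escalation just described, with consensus approval and a segregation-of-duties check added where a request would create a conflicting combination, can be modelled as a small state machine. The Python below is an added example written for this page, not Hitachi-ID code; the org chart, group owners, memberships, the 48-hour response SLA, and the conflict pairs are constructed assumptions. Dotted-line relationships are recorded but, as the Org Manager description states, not used to route anything.

```python
"""Route an access request to the owner of the resource, add the requester's
manager when the request creates a segregation-of-duties conflict, require
consensus of all approvers, and escalate non-responders up the org chart.
Added illustration with a constructed org chart; not Hitachi-ID code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed org chart: solid reporting line only. Dotted lines are recorded
# separately and, as in the Org Manager description, not used for routing.
MANAGER = {"alice": "bob", "carol": "bob", "bob": "dana", "erin": "dana", "dana": None}
DOTTED = {"alice": {"erin"}}

# Constructed AD groups with their business owners, existing memberships, and
# group pairs that must not be held by one person.
GROUP_OWNER = {"Finance-Payables": "carol", "Finance-Approvers": "erin", "Branch-Mgrs": "bob"}
MEMBERSHIP = {"alice": {"Finance-Payables"}}
SOD_CONFLICTS = {frozenset({"Finance-Payables", "Finance-Approvers"})}


@dataclass
class Request:
    requester: str
    group: str
    approvers: list
    submitted: datetime
    decisions: dict = field(default_factory=dict)     # approver -> True/False
    escalations: list = field(default_factory=list)   # (from, to, when)
    status: str = "pending"


def required_approvers(requester, group):
    """Group owner always; the requester's manager too when SoD is at stake.
    Nobody approves their own request: that approver is replaced by their manager."""
    approvers = [GROUP_OWNER[group]]
    for held in MEMBERSHIP.get(requester, set()):
        if frozenset({held, group}) in SOD_CONFLICTS and MANAGER.get(requester):
            approvers.append(MANAGER[requester])
    approvers = [MANAGER[a] if a == requester and MANAGER.get(a) else a for a in approvers]
    return list(dict.fromkeys(approvers))   # de-duplicate, keep order


def submit(requester, group, now):
    return Request(requester, group, required_approvers(requester, group), now)


def decide(req, approver, approve):
    if approver not in req.approvers:
        raise PermissionError(f"{approver} is not an approver of this request")
    req.decisions[approver] = approve
    if not approve:
        req.status = "rejected"
    elif all(req.decisions.get(a) for a in req.approvers):
        req.status = "approved"          # consensus: every approver said yes
    return req


def escalate(req, now, sla=timedelta(hours=48)):
    """After the SLA, hand each silent approver's task to that approver's manager."""
    if req.status != "pending" or now - req.submitted < sla:
        return req
    for i, a in enumerate(req.approvers):
        if a in req.decisions or MANAGER.get(a) is None:
            continue                     # already decided, or nobody above to escalate to
        req.escalations.append((a, MANAGER[a], now))
        req.approvers[i] = MANAGER[a]
    req.submitted = now                  # restart the clock for the new approvers
    return req


def walk_through():
    """alice, already in Finance-Payables, asks for Finance-Approvers (SoD conflict)."""
    t0 = datetime(2011, 6, 1, 9, 0)
    req = submit("alice", "Finance-Approvers", t0)          # approvers: erin (owner), bob (manager)
    decide(req, "erin", True)
    escalate(req, t0 + timedelta(hours=72))                 # bob silent: task moves to dana
    decide(req, "dana", True)
    return req


if __name__ == "__main__":
    r = walk_through()
    print(r.status, r.approvers, r.escalations)
```

A point worth noting in the walk-through: once bob’s task has been escalated to dana, bob is no longer an approver of record, so a late decision from him is refused rather than silently counted.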
Hitachi-ID sticks to its characteristic bottom-up focus on role definitions. The Hitachi-ID Org Manager can extract role information (reporting relationships) from existing directories and enterprise applications, and it enriches and updates this by sending out invitations to managers to update the list of their direct reports. The manager can identify employees who have left the organization and notify changes in the reporting structure.

Password management

The password management capability comprises password synchronization, enforcement of password length and complexity, password history management (regarding rules for re-use), enforcement of expiration rules (there are about 50 such rules), and self-service password resets. This can be done from a web browser, from the desktop login screen, or using the telephone with an IVR application. The self-service password reset process can use strong authentication techniques such as hardware tokens, biometric authentication and challenge-response, using questions and answers defined at the time of enrollment. This question/answer system can accommodate inexact matches, down to the level of “sounds like”. In addition to self-service password resets, Hitachi-ID, through its integration with helpdesk applications, eases the process of creating a helpdesk ticket, resetting the password, and closing the helpdesk ticket.

An important aspect of password synchronization is the reconciliation of login IDs. Reconciliation involves associating multiple login IDs with a single network login ID, and associating this login ID with a single individual. This is accomplished through a combination of directory look-ups to find login IDs associated with a user and the client software Login Manager listening for additional logins. In addition, a question and answer system configured at the time of enrollment, and validated at the time of password resets, helps connect a login ID with an individual defined in an organization chart.
This helps address the confusion that arises between employees with the same name.

As mentioned earlier in this report, the portfolio also comprises privileged password management.

Access control

Two important capabilities merit special mention; namely, access certification workflow and network resource access management. The access certification feature enforces regular reviews of user access rights by application owners, supervisors and group owners. The network resource access management feature allows client organizations to model AD groups and assign owners to these groups. When users request access to shared folders, network drives and email distribution lists, the request is automatically routed to the group owner, taking a major part of group management off the service desk team’s plate. In operational terms, when a user requests access to a network resource and receives an “access denied” message, the user is prompted with information about which group has access to the resource. The user can then request that they be made a member of the group.

Maturity

The Hitachi-ID unit and the tools in its portfolio have a long history. The unit was founded in 1992, and the company has an installed base of 800 client organizations and 10 million licensed users. The company counts some of the largest companies in the world, such as AT&T, as its clients, and has some of the largest IAM deployment sites. The Identity Manager solution has 3.5 million lines of code and the Management Suite is currently on version 6.1.2.

Integration and interoperability

The Hitachi-ID suite integrates with an impressive series of enterprise applications, operating systems, directories, messaging systems, server platforms and service desk/helpdesk systems.
Some of these solutions are AD and eDirectory (and any other LDAP directory), Linux, Solaris, HP-UX and IBM products, ranging from Resource Access Control Facility (RACF) and AIX to Lotus Notes, Oracle databases and applications, PeopleSoft, SAP R/3 and Business Objects, and MS Exchange. Hitachi-ID can work with an unknown application, such as a homegrown application, using custom scripts developed with an included scripting program. There are a number of approaches for providing custom integrations (Hitachi-ID provides custom integration at fixed prices), including APIs (J2EE, .NET, COM, ActiveX, MQ Series), terminal emulation, web services, command line and Structured Query Language (SQL) statements.

CHAPTER 7: HITACHI – HITACHI-ID PORTFOLIO 169
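The composite-rule behaviour described in the Enterprise and web SSO and Password management sections above (one synchronized password that must satisfy every target application's own length, complexity, forbidden-character and history rules at once) is illustrated by the following added Python example. It is not Hitachi-ID code; the target systems, their rules and the sample passwords are constructed for the example, and the check also reports the case where the targets' rules are mutually unsatisfiable.

```python
"""Composite password-policy check for password synchronization.

Added illustration, not Hitachi-ID code: when one password is pushed to
several target systems, it must satisfy every target's own rules at once.
The target systems, their rules and the sample passwords are constructed
for this example.
"""
from dataclasses import dataclass
import re

# Regular expressions for the character classes a target may require.
CLASS_PATTERNS = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int
    max_len: int
    classes: frozenset = frozenset()  # required character classes
    forbidden: str = ""               # characters the target cannot accept
    history: int = 0                  # number of previous passwords rejected


def composite(policies):
    """Intersect the targets' rules into one effective policy.

    Returns (Policy, None), or (None, reason) when no password can satisfy
    all targets, e.g. one system's length cap sits below another's floor.
    """
    min_len = max(p.min_len for p in policies)
    max_len = min(p.max_len for p in policies)
    classes = frozenset().union(*(p.classes for p in policies))
    forbidden = "".join(sorted(set("".join(p.forbidden for p in policies))))
    history = max(p.history for p in policies)
    if min_len > max_len:
        return None, f"length floor {min_len} exceeds length cap {max_len}"
    if len(classes) > max_len:
        return None, "more required character classes than positions"
    return Policy("composite", min_len, max_len, classes, forbidden, history), None


def violations(password, policies, previous=()):
    """Return {target name: [reasons]} for every target the password fails.

    `previous` holds earlier passwords, newest last. A real deployment
    compares stored hashes; plaintext is used here only for illustration.
    """
    failures = {}
    for p in policies:
        reasons = []
        if len(password) < p.min_len:
            reasons.append(f"shorter than {p.min_len}")
        if len(password) > p.max_len:
            reasons.append(f"longer than {p.max_len}")
        for cls in sorted(p.classes):
            if not re.search(CLASS_PATTERNS[cls], password):
                reasons.append(f"missing {cls}")
        bad = sorted(set(password) & set(p.forbidden))
        if bad:
            reasons.append("forbidden characters " + "".join(bad))
        if p.history and password in previous[-p.history:]:
            reasons.append(f"reused within last {p.history}")
        if reasons:
            failures[p.name] = reasons
    return failures


# Constructed sample targets (not real product policies).
TARGETS = [
    Policy("Active Directory", 8, 127, frozenset({"upper", "lower", "digit"}), history=24),
    Policy("RACF", 8, 8),                       # fixed 8-character passwords
    Policy("Oracle DB", 6, 30, frozenset({"digit"}), forbidden="@\"'"),
]

if __name__ == "__main__":
    effective, reason = composite(TARGETS)
    print("effective policy:", effective or reason)
    for candidate in ("Kx7pQz2m", "kx7p@z2m", "Kx7pQz2mLonger"):
        print(candidate, violations(candidate, TARGETS) or "accepted by all targets")
```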
PRODUCT STRATEGY

Hitachi’s target market is not limited to particular vertical sectors. The Hitachi-ID portfolio is aimed at companies with over 10,000 employees, and the installed base ranges from 300 to 350,000 internal users and up to 10 million external users. Client organizations are typically companies in the Fortune 2000 range and non-profit and government agencies of a similar scale. In terms of the geographical distribution of clients, North America accounts for 80% of the installed base, while Europe and the rest of the world account for 15% and 5%, respectively. Hitachi has a direct presence in the US market, while in other geographies, the company works through partners. The company targets global organizations through its managed services provider (MSP) partners. For all market segments, Hitachi partners with systems integrators as well. The list of MSP and systems integration (SI) partners includes CSC, Capgemini, CompuCom, Dell, HP Enterprise Services (formerly EDS), Hitachi JoHo (Japan), IBM Global Services, Northrop Grumman, Perot Systems, Siemens Business Services, T-Systems, Wipro, and Xerox. Hitachi-ID has 43 consultants of its own around the world, while it also works with Hitachi Consulting, and partners with KPMG.

Hitachi-ID products are licensed by number of users (but not named users), and the Privileged Password Manager is licensed by the number of administrator IDs. In terms of average deal sizes, the following list shows a few representative deals:

- Password Manager – 10,000 users; $140,000 in deal size; 85% license, 15% services; password synchronization, assisted lockouts, and mobile users.
- Password Manager and Identity Manager – 10,000 users; $500,000 in project value; 55% license and 45% services; auto-onboarding and deactivation, self-service user profile updates and access change requests.
- Privileged Password Manager – 3,000 managed IDs; $75,000 in project value; 50% license and 50% services.
Support is priced at 20% of the licensing costs, and the maintenance package includes technical support via email, phone and VPN for 17 hours per day (3am to 8pm, Eastern Time), five days a week. Upgrades are bundled into the support package. In addition, client organizations can get access to 24/7 emergency support for an extra 5% of licensing costs. The release cycle comprises a maintenance release every one to three months, a minor upgrade (such as a graphical user interface (GUI) change) every six to eight months, and a major release every 18 to 24 months.

Hitachi-ID believes that growth will be driven by new technologies and trends (such as full disk encryption, smart cards and mobile workers) that are likely to increase the volume of password management issues. The company reports that privileged password management has been a growth area in the recent past, with every major customer implementing the technology.

The Hitachi-ID roadmap is comprehensive, and a number of interesting features are in the pipeline. The list of medium- and long-term development plans includes a workflow to create new and delete unnecessary groups, periodic certification of role definitions, a workflow that asks managers to identify clusters of direct reports who perform a similar job function, and the ability to add attributes such as risk scores to target applications. Major improvements are also on the cards for the privileged password management module, such as full session recording (currently only the entry and exit time are recorded). Hitachi is working to bolster its role management capability, and enhance its password management module.

IMPLEMENTATION

As would be expected for an identity management suite, implementation requires significant resources, but Hitachi has simplified the task; for example, by removing the requirement for a comprehensive role model.
The following list details a few representative implementation cases and their resource requirements:

- Password Manager to reset and synchronize passwords across 10 systems for 50,000 users: 20 billable days and eight weeks of elapsed time, 0.5 resources for one to two months, and 0.25 ongoing.
- Identity Manager to auto-provision and auto-deactivate users on AD, Exchange, RACF and one or two enterprise applications, based on an HR data feed across 100 locations, 50 departments and 50,000 users: 60 billable days, 16 weeks of elapsed time, one resource for six months, and 0.5 ongoing.
- Privileged Password Manager to randomize and control disclosure of privileged passwords across 1,000 Unix, Linux, Windows and Oracle servers and 10,000 workstations: 20 billable days and six weeks of elapsed time; one resource for three months, and 0.5 resource ongoing.
- Group Manager to push management of membership in AD groups out of the realm of IT support and into the self-service regime across one global AD domain, 10,000 users, 5,000 groups, 500 file servers, and 2,000 shares: 15 billable days and four weeks of elapsed time, one resource for between one and two months, and 0.25 ongoing.
- Access Certifier to invite managers to periodically review a list of their subordinates and their access rights, and flag old entitlements for cleanup across one AD domain, one SAP production system and one RACF production system. No roles were defined, and organizational chart data were available but incomplete and inaccurate; 10,000 users/1,000 managers: 60 billable days and 20 weeks of elapsed time; one resource for six months, and 0.75 ongoing.

Hitachi-ID runs on Windows Server 2003 and 2008. The products in the Hitachi-ID portfolio integrate with a wide range of systems and applications.
CA SiteMinder, IBM Tivoli IAM, Oracle AM and RSA Access Manager in the web SSO category, SAP, Oracle and Business Objects in the enterprise applications and business intelligence category, and z/OS and iSeries are some of the applications and platforms that have not already been mentioned in this Technology Audit.

DEPLOYMENT EXAMPLES

ATCO

ATCO (a construction and industrial conglomerate) deployed Hitachi-ID products for auto-provisioning, auto-deprovisioning, security group management, entitlement cleanup, password synchronization and password resets for about 11,000 users. The project spanned multiple phases beginning with password management, and moved on to a staged implementation of consolidated security administration, automation for on-boarding and deactivating users, and a self-service workflow for profile updates and entitlement change requests. The entire project took about a year.

Wells Fargo

Wells Fargo bank implemented self-service password resets and routine password management for about 350,000 users, involving access to AD, many target applications, and login screens. The project took less than three months, and according to Hitachi-ID, reduced IT support costs by $4m.

Intel

Intel implemented privileged password management for 3,000 production systems (Windows, Linux, VMware and SQL). The project took two to three weeks and the client organization successfully implemented automated access rights changes resulting from systems administrator staff turnover.

Hitachi-ID Systems, Inc.
500, 1401 – 1st Street SE
Calgary, Alberta
Canada, T2G 2J3
Tel: +1 (403) 233 0740
Fax: +1 (972) 767 4404
Web: www.hitachi-id.com
TECHNOLOGY AUDIT

IBM

IBM Tivoli Identity and Access Management Products

CATALYST

IBM is a major player in the identity and access management (IAM) field, marketing its products under the Tivoli brand. The products’ main strengths are their breadth of functionality and the close integration of IBM security and service-management products. Going forward, users can be confident of support for extending IAM controls into the cloud. The products can be deployed individually or as a suite, but users adopting all or most of the suite will benefit most. IBM applies some of the benefits of the robust mainframe environment to the open systems environment. The products benefit from IBM’s strong position in the system-management domain. There is close integration of IBM’s security products across IAM, security information and event monitoring (SIEM), and DLP domains. Mainframe users are supported with an integrated suite of products.

KEY FINDINGS

Strengths:
- Strong compliance-reporting features.
- A broad suite of products providing comprehensive functionality.
- Closed feedback loop for monitoring and acting on access and policy usage.

Weaknesses:
- IBM is still in the process of integrating some of its acquisitions.

Key Facts:
- Supports a wide range of standards.
- Policies can be tested using “what-if” simulation exercises across all products.

OVUM VIEW

Through its Tivoli division, IBM has a long presence in the identity management sector, and has equally well-established credentials in systems management. More recently, IBM has acquired several IT security vendors, including ISS, and specialist vendors, such as Consul Risk Management, Watchfire, Encentuate, Ounce Labs, Guardium and BigFix. IBM therefore has an impressive range of security technologies and managed services to match its historical strengths in security consulting.
In its high-level vision, it has been able to address the inherent synergy between security management, systems management, governance and compliance in a way that the more specialist vendors have not. However, this level of integration is not always evident at the product-implementation level.

Within the IAM sector, IBM provides comprehensive functionality addressing all the “bases” across the map of required functionality. The global enterprise trend towards the rationalization of IT suppliers works to the advantage of the large IT infrastructure vendors. IBM is the most prominent player in enterprise IT and has the most to gain from this rationalization. It has assembled a range of security products to put it in a position to benefit from this movement.

CHAPTER 7: IBM – IBM TIVOLI IDENTITY AND ACCESS MANAGEMENT PRODUCTS 175
Recommendations

- Organizations with heterogeneous computing platforms, including mainframes – the breadth of capabilities and functionality in the IBM suite of products makes it an attractive and natural choice for these organizations.
- Organizations that have a strategic vision for integrated IAM – these organizations will find IBM’s strategic Service Management Platform approach helpful for meeting security and IT governance objectives.
- Other organizations with more than 500 employees – the choice of identity management suite is not so clear-cut for this group of organizations, and they should examine the detailed functions and features of the candidate products. Ease of deployment should take precedence over the product price, because identity and access management systems need to be configured to their operating environment and integrated with the business applications they control. IBM Tivoli Identity Manager, IBM Tivoli Federated Identity Manager Business Gateway, and IBM Tivoli Access Manager for ESSO are suitable choices for the SME sector.

SOLUTION OVERVIEW

IBM places IAM within its IBM Security Framework, which itself forms part of the IBM Service Management Platform that addresses the need for visibility, control, and automation across enterprise IT platforms. It addresses security governance, risk management and compliance across the realms of people, information, applications, processes, IT infrastructure and physical infrastructure. Within this overall scope, identity management addresses requirements relating to people and identity, as well as applications and processes. IBM has simplified its portfolio to deliver integrated capabilities, as described in the IBM Security Framework, into consumable packages or bundles. The IBM Security Framework, along with the IBM security products and packages, is shown in Figure 1.
One of the key bundles is the Identity and Access Assurance bundle, which contains the foundational IAM products to help on-board and off-board users.

Figure 1: IBM Security Framework and products (Source: IBM). The figure maps the IBM security product packages (among them the Identity and Access Assurance package, comprising Identity Manager, Directory Server, Directory Integrator, Federated Identity Manager, Access Manager for eBusiness, Access Manager for Enterprise SSO, Access Manager for Operating Systems and Security Information and Event Manager, plus the mainframe products zSecure Admin, zSecure Audit, zSecure Command Verifier for z/OS and Security Information and Event Manager for z/OS) onto the framework layers: Security Governance, Risk Management and Compliance; People and Identity; Data and Information; Application and Process; Network, Server and End Point; and Physical Infrastructure.
IBM’s Identity and Access Management Governance portfolio (see Figure 2) provides policy-driven governance to streamline and strengthen security for the foundational IBM IAM capabilities. It comprises:

- Planning the policy and role-modeling framework – this provides tools for role-modeling and management, and the support of policy design.
- Tracking – this involves the monitoring of user activity. IBM Tivoli Security Information and Event Manager provides unified reporting and auditing, feedback about policies and roles, and compliance reporting.
- Enforcing through identity, access and entitlement management – IBM Tivoli Identity Manager, IBM Tivoli Privileged Identity Manager Service, IBM Tivoli Access Manager for e-business and IBM Tivoli Security Policy Manager provide access certification, remediation of user access rights, privileged identity management, coarse-grained access and fine-grained, context-based entitlement enforcement.

Figure 2: IBM’s IAM Governance Portfolio in 2010 (Source: IBM). The figure shows Planning (Policy and Role Modeling: Role Modeling Assistant, Policy Design Tool), Tracking (User Activity Monitoring: IBM Tivoli Security Information and Event Manager) and Enforcing (Identity Management: IBM Tivoli Identity Manager, IBM Tivoli Privileged Identity Manager Service; Access and Entitlement Management: IBM Tivoli Security Policy Manager, IBM Tivoli Access Manager for eBusiness, IBM Tivoli Federated Identity Manager), linked through policy-driven governance and process integration.

These products and services are supported by some foundation products, so the IAM suite is larger than the components shown in Figure 2.

The main products in the IAM area are:

- IBM Tivoli Directory Server (TDS), a scalable, standards-based identity data repository that interoperates with a broad range of operating systems and applications. This directory server is included within IBM IAM solutions to support large scale deployments.
- IBM Tivoli Directory Integrator (TDI), which can serve as a meta-directory or data-integration tool, synchronizing or transforming identity information and other security information in real time across relevant organizational sources. This directory integrator solution is included within IBM’s IAM solutions to support integration in a heterogeneous IT environment.
- IBM Tivoli Identity Manager (TIM), which provides identity management and provisioning relating to many types of logical assets (for example, databases and applications), network infrastructure (for example, Cisco ACS), and access-control systems, including those that are card-operated for building access. It enables integration with a broad range of heterogeneous systems across multiple types of platform. TIM has been improved with usability and interface enhancements to help with rapid deployment and operation, making the solution more accessible and adoptable by the SME market.
- IBM Tivoli Access Manager for Operating Systems (TAMOS) handles authentication and authorization and controls administrator (root user) access to Linux and Unix systems.
- IBM Tivoli Access Manager for Enterprise Single Sign-On (TAMESSO) provides desktop SSO for enterprise applications (usually termed Enterprise SSO), built-in integration with numerous strong authentication form factors and many common applications (with extensibility to further applications via a drag-and-drop visual profiling interface), and session management for shared desktops.
- IBM Tivoli Access Manager for e-business (TAMeb), which provides a reverse-proxy-based authentication and authorization hub that manages and enforces user access to applications hosted on the web. It is primarily focused on web application SSO and provides out-of-the-box integration for Web 2.0 applications and web services. It can be implemented in varying forms, from simple web SSO to more complex application security infrastructure deployments.
- IBM Tivoli Federated Identity Manager (TFIM) provides the framework to support standards-based, federated identity interactions between partners, with capabilities in the areas of federated web SSO, web services security management, and federated provisioning.
  It comes with TAMeb for full-featured, standards-based web access management, and has been enhanced with more support for user-centric federation deployments using SAML and OpenID attributes. It is designed to simplify trust-based identity integration across Java, .NET, and mainframe applications and services.
- IBM Tivoli Federated Identity Manager Business Gateway (TFIM BG), which provides federated access SSO using SAML protocols. It integrates with existing on-premise application and web access management systems to control access to cloud software as a service (SaaS) and third-party external applications.
- IBM Tivoli Privileged Identity Management service, which handles the lifecycle management of shared accounts and SSO for privileged IDs across systems and applications. It is a service based on TIM and TAMESSO. It ties administrator accounts to pools of authorized users, and provides SSO with the administrator credentials into the user session when the user needs to access privileged resources, while enforcing check-in and check-out of these credentials to maintain individual accountability.
- IBM Tivoli Security Policy Manager (TSPM), which provides entitlements and message security policy management for composite applications and services, centrally managed roles relating to applications, message protection policies and data-level access entitlements. It comes with security run-time services for standards-based policy decision integration with the existing IT and application environment, and provides out-of-the-box policy enforcement integration for WebSphere Portal, Microsoft SharePoint, WebSphere Application Server, .NET, Filenet, and DB2 applications.
- IBM Tivoli Security Information and Event Manager (TSIEM), which provides the reporting and auditing capabilities relating to the operation of the identity management infrastructure.
  TSIEM closes the loop for IAM by monitoring the usage of the configured policies, identifying violations for remediation, and reporting for compliance purposes.
- IBM Tivoli zSecure Suite, which delivers audit and administrative capabilities for mainframe security, including management of user credentials, access rights, monitoring and compliance. It is also a foundation of IBM’s Enterprise Security Hub and integrates with mainframe security protocols such as RACF, and with the mainframe editions of other IBM security products such as TIM for z/OS and TFIM for z/OS.
Tivoli offers mainframe versions of several IAM products. These are TIM, TAMeb, TFIM running on zLinux, TIM for z/OS, TFIM for z/OS, TDS for z/OS and TDI for z/OS. Tivoli zSecure Admin enhances user management in the mainframe domain, including z/OS, z/VM and Unix System Services.

SOLUTION ANALYSIS

Authentication

The Tivoli suite provides comprehensive coverage for strong authentication. Web authentication is handled by TAMeb and TFIM, while desktop authentication is handled by TAMESSO.

TAMeb provides facilities to allow multiple levels and custom authentication mechanisms to be added to those it already supports. Authentication assertions can be communicated over hypertext transfer protocol (HTTP), which makes it easier for organizations to integrate with external authentication services. A limited-use license for TDI is included with TAMeb, providing options such as directory-chaining for user authentication. A session management facility enables user sessions to be tracked across enforcement points. This provides administrative benefits, such as a single point from which to report on and manage user sessions, and the easier enablement of policy enforcement, which traverses any routes the user might have taken to access resources.

TAMESSO supports smart cards, biometrics, and passive and active RFID cards. An interface for open authentication devices simplifies integration with other authentication devices that may not be supported out of the box.

Enterprise and web SSO

The IBM Tivoli Unified Single Sign On solution addresses the access needs of enterprises inside, outside and between organizations. It comprises three parts:

- Enterprise SSO performed by TAMESSO.
- Web SSO performed by TAMeb.
- Federated SSO performed by TFIM.

IBM’s enterprise SSO capability is based on its acquisition of Encentuate in March 2008. It provides connections to common enterprise applications.
There is also a help wizard with a drag-and-drop user interface to auto-generate SSO support for other enterprise applications. It can be integrated with several strong authentication products. It provides centralized auditing and reporting of user access to the applications under its control across the enterprise.

TAMeb provides a single view of user access across a broad set of business applications, ranging from email to enterprise resource planning (ERP) systems. It integrates seamlessly into a Microsoft .NET infrastructure and works with AD. It minimizes the changes to the .NET applications that are required to allow them to participate in web SSO. There is some anti-fraud support provided in the browser to support web application security. A bundling with Tivoli Common Reporting provides built-in report authoring, report distribution and report scheduling capabilities. It also offers configurable admin domains, improved session management services and support for non-standard IP load-balancers.

TFIM extends TAMeb to support federation standards such as SAML to easily federate access to other compatible systems. The chapter on FIM gives more detail about this product.

User provisioning

IBM TIM provides a group management capability to streamline user administration, as well as a role-hierarchy model to simplify user provisioning and improve the visibility of user access permissions that have been granted. Operational role management is now a fundamental embedded capability in TIM. An individual can have multiple roles, users can inherit roles and they can be given ad hoc additional privileges outside of the role structure. TIM can prevent and detect conflicts between role and permission allocations. Roles can be imported from a directory. TIM’s access certification capability allows organizations to automate the periodic recertification of user, account, and role access to comply with policy.
IBM’s Role Modeling Assistant tool is provided to assist in the building of roles. It works in both top-down and bottom-up modes. The bottom-up mechanism imports existing identity, role and entitlement data, while the top-down mechanism imports interview data. These are analyzed and compared to produce a set of roles for approval, editing and certification. The final definitions can then be exported into TIM.

Password management

TIM provides self-service capabilities for password resetting and synchronization across platforms and applications. TAMESSO also handles password management from the desktop and integrates seamlessly with TIM.

FIM

TFIM has been improved to make it more user-centric. A large number of users can be enrolled into the TAMeb LDAP using FIM, from which they can be authenticated to all the applications they need to access. FIM also gives users a choice of identity selectors, such as the Higgins Framework and Microsoft CardSpace, to support user-asserted identity instead of the traditional enterprise-issued identities. It supports both SAML and OpenID attributes, and works with all generations of SAML, Kerberos, and RACF PassTicket tokens. It is designed to integrate with Java, .NET and mainframe applications. The Kerberos token module extends integration into the .NET environment. It reports into Tivoli Compliance Insight Manager. IBM’s federation mechanism also gives access to internal and external services including SaaS, platform as a service (PaaS) and infrastructure as a service (IaaS) cloud services. It can supply these services with SAML tokens, OpenID user IDs, and passwords as required.

Privileged identity management

The Tivoli Privileged Identity Management solution comprises TIM and TAMESSO. TIM provides the lifecycle management of shared and privileged IDs, from provisioning, through access request and approval workflow support, to access recertification and de-provisioning.
TAMESSO facilitates administrators who need access to a system with shared or privileged IDs by automatically checking out a shared ID, providing single sign-on, and automatically checking in the ID for reuse on application log-out. This automatic check-in and check-out not only simplifies usage and automates compliance, but also improves security, as the administrators no longer need to know the passwords to these privileged IDs.

Administration and policy management

TSIEM monitors user activity via a dashboard view, including privileged user activity on databases, applications, servers and mainframes. TSIEM manages logs to produce compliance reports and issue alerts about possible policy violations. It can collect information from thousands of event sources and is now available on a Windows 64-bit platform to enhance its scalability. Its interface is available in Chinese, Japanese, Korean, French, German, Italian, Spanish, Polish, Hungarian, Russian and English.

TAMeb, TAMOS and TFIM provide common administration management that allows authentication policies to be defined and administered in a delegated hierarchical fashion. It provides out-of-the-box integration for enterprise applications, Web 2.0 and web services use. It works across data centers.

TSPM provides a centralized security policy management interface to author and transform security policies for message security and fine-grained entitlements. It deals with policies formulated in business terms, such as specifying a manager’s authorization limit for transactions without the need to involve IT professionals, or using business services carrying personally identifiable information that needs to be encrypted and signed. These security policies are expressed using roles, rules and attributes that a business understands before being transformed into effective policies and communicated to the enforcement points using Extensible Access Control Markup Language (XACML) and WS-SecurityPolicy.
It provides out-of-the-box policy enforcement integration with WebSphere Portal, Microsoft SharePoint, WebSphere Application Server, .NET, Filenet, and DB2 applications. It also enables SOA governance with integration into WebSphere Service Repository, WebSphere DataPower SOA Appliances, WebSphere Message Broker, and third-party enterprise service buses (ESBs).

180 IDENTITY AND ACCESS MANAGEMENT 2011/12
A standalone Eclipse-based policy design tool is offered to help application architects model entitlements using roles and simulate ‘what if’ scenarios, including checking for potential “separation of duties” violations, before creating policy templates for use in deployment.

IBM TIM provides reports of user access rights to assist with auditing.

TSIEM monitors for privileged-user activity. The combination of SIEM with IAM provides visibility, auditor-centered reporting and a closed-loop compliance lifecycle.

PRODUCT STRATEGY

IAM is an integral part of IBM’s governance and security product set. In particular, it allows web application security, XML security, network security and the DLP product to discriminate between different users with different information access rights. It uses the SIEM products to provide audit and alerting requirements.

Identity and access management products are typically used by larger organizations. However, IBM takes its products to companies in the 500–1,000 employees range, with its improvements in usability and ease of deployment. It offers bundles of IAM and related products, including to companies at the smaller end of the spectrum.

IBM has more than 4,000 IAM customers and some robust service capabilities.

IMPLEMENTATION

TDS is built on the DB2 database engine to deliver high performance, but DB2 expertise is not required to deploy it. TDS is an Open Group LDAP v3 certified directory, and adheres to industry standards to maximize application support. It has a number of features that increase administrator usability. For example, search results can be sorted and viewed as “pages”, and groups can be nested or “dynamic”, where changes in a defined variable can automatically update the group profile. TDI is for organizations that require integration of identity data from various repositories throughout the organization, and it incorporates virtual directory capabilities.
TDI can implement very large complex integrations supporting hundreds of simultaneous synchronizations with enterprise-strength fault tolerance. The product has a development environment in which a drag-and-drop GUI allows for the customer definition of integration requirements.

In some customer deployments, TIM supports a user base of more than 1.5 million across thousands of managed systems. TIM provides a wide range of identity management features, including:

- Web-based self-service interfaces with customizable look and feel for end users (for example, password reset and synchronization), which have been extended to include request and approval for users’ membership of roles.
- A role-based administration model for the delegation of administrative privileges, with preventive checks for the separation of duty violations and exceptions.
- A workflow engine for automated submission and approval of user requests.
- A provisioning engine to automate the implementation of administrative requests.
- Policy simulation allowing the modeling of security policy changes, including what-if scenarios, and the reporting of issues such as conflicting roles so that these can be resolved.
- Business-friendly revalidation (sometimes called access certification or attestation) of granular user access rights.
- Administration management features such as streamlined notification, bulk “to-do” items management, and task ownership and delegation.
- Broad out-of-the-box integration support for disparate applications and systems, and universal connectors for extending the management model to new and custom environments.
- Predefined reports on security policy, access rights, and audit events.

CHAPTER 7: IBM – IBM TIVOLI IDENTITY AND ACCESS MANAGEMENT PRODUCTS 181
TIM is a J2EE application that provides an extensive range of APIs to provide extensibility and uses IBM standard middleware as a basis for scalability, performance, and reliability. TDI is used as the basis for adapters and connectors that manage user accounts on the systems managed by TIM. Most adapters operate either without remote management or are locally controlled, and all communication across platforms is secured using SSL protocols. Policies can be configured in TIM using a script based on JavaScript, and can be made subject to a preview of their impact. Drag-and-drop workflow definitions in TIM allow integration with other applications and workflow technology.

IBM’s acquisition of Encentuate provided desktop SSO for enterprise applications, enabling the end-user experience to be simpler by eliminating the need to recall multiple usernames and passwords. It can also improve security by reducing poor end-user password behavior, and by providing easier adoption of strong authentication form factors such as smart cards or biometrics, for which it provides out-of-the-box integration.

TAMeb manages web application security and enforces access control audit policy through enforcement points that can be placed as a reverse proxy in front of web applications, or through authorization and authentication plug-ins directly into a web server or application server environment. It can support over 100 million users and secure thousands of applications. It can also be used to control wired and wireless access based on identity to applications and data. It integrates with web applications and servers to provide seamless access to applications and data across the extended enterprise, and to transactions with citizens, partners, customers, suppliers and employees.
The user’s browser-based request for a resource is dealt with by a resource manager component of TAMeb called WebSEAL, a reverse proxy that is resident on the web server and responsible for applying security policy to resources. This policy enforcer component directs the request to the authorization service for evaluation and, based on the result, allows or denies access to the protected resources. Access Manager authorization decisions are transferred using the TAM credential, which contains a user ID, its group memberships, and selected user attributes. The resource manager also integrates with security token services to implement standards-based identity integration into back-end applications.

TFIM manages a large number of external users’ access to an organization’s portal and application assets using existing identities (such as username) and federated identity formats (such as OpenID and information card selectors, like Microsoft Windows CardSpace), without having to manage these identities within the organization. There is extended integration with Microsoft .NET environments through a Kerberos token module, and with mainframe environments through RACF PassTicket token-based access. It also provides implementations of the SAML, Liberty Identity Federation Framework (ID-FF), WS-Federation, WS-Provisioning, and WS-Trust specifications for federated SSO and web services identity mediation. A single TFIM deployment can act in different roles concurrently; for example, identity provider and service provider.

In the web services security space, TFIM provides a secure token service (STS), as defined by the WS-Trust specification, as well as several modules for invoking the STS from IBM’s WebSphere Application Server, third-party ESBs and WebSphere DataPower SOA appliances. WS-Trust provides security token validation and mediation, user identity mapping, and partner key management services to web service endpoints that implement the WS-Security standard.
The federated provisioning components of TFIM provide an implementation of the WS-Provisioning specification. TFIM is a J2EE application architected using a services model that runs on IBM’s WebSphere Application Server and also leverages TDS and Tivoli Access Manager for user authentication, session management and access enforcement.

IBM’s Identity Management products use TSIEM as a common integration point for auditing and logging. TSIEM is also used in a similar way by other products to provide a broader audit and compliance perspective.

Tivoli zSecure Suite is the centerpiece of a number of identity- and security-related capabilities that serve mainframe users. These include IBM Tivoli zSecure Admin and IBM Tivoli zSecure Visual, both of which enable complex mainframe security mechanisms to be administered more easily than by using native management systems. IBM provides editions of many of its identity management products that connect to the mainframe (TFIM, TDS and TDI can run on z/OS or zLinux, while TIM and TAMeb can run on zLinux), allowing central administrators to connect to the mainframe for routine enterprise-wide administration.
Customer implementations typically rely on a mix of home-grown expertise and services resources from either systems integrators or IBM. General knowledge of installing middleware, and expertise around security or audit and compliance is helpful in tailoring implementations to specific needs.

Implementation times vary widely because of the different types of environment and complexity levels, but solution deployments typically take a number of months. As policy definition takes up a significant portion of the time spent on deployment, customers with an already-defined security policy will usually benefit from reduced timescales for their implementation program.

IBM offers training in various delivery formats on all of the products, as well as an extensive range of online resources such as datasheets, product documentation and Redbooks.

DEPLOYMENT EXAMPLES

Public sector broadcaster

A large public service broadcaster wanted to centralize its security management and services to replace a legacy identity management system and enable SOA. It adopted TSPM, TIM, TFIM (including TAMeb) and Tivoli Compliance Insight Manager. The out-of-the-box provisioning and access management integration support of the IBM products, along with standards-based support for SOA environments, were important factors in the customer’s decision.

Global electrical equipment company

A worldwide electrical equipment company with 5,000 employees wanted to improve its user access and authorization management to satisfy compliance requirements. It particularly wanted to deactivate access for former employees and for business partners that no longer worked for it. It deployed IBM IAM (managed identity service), Tivoli Unified Single Sign-on (comprising enterprise, web and federated SSO) and TIM. This provided a bundled solution for SSO, federation and access provisioning.
IBM’s services support was crucial to its winning the deal, because it was able to offer a fully managed environment including design, implementation and ongoing management support. IBM charged a fixed monthly amount for managing changing identity needs.

Fortune 100 company

A Fortune 100 company operating in 30 countries with more than 7,000 systems and one million user accounts was experiencing difficulty in maintaining its user access rights, particularly deactivating the accounts of users whose employment had been terminated. It had thousands of “orphaned” service accounts with no documented authorization, and had no centralized view of user entitlements. Its costs were high because it required 40 full-time equivalent staff to perform provisioning manually. It deployed IBM IAM (managed identity service) and TIM. This provided a centralized view and ongoing certification of entitlement data, it eliminated orphaned accounts, and significantly decreased operational support costs for user provisioning and helpdesk calls relating to password resets.

IBM North America: 590 Madison Avenue, New York, NY 10022, USA. Tel: +1 (800) 426 4968. Email: askibm@vnet.ibm.com
IBM (United Kingdom) Ltd.: P.O. Box 41, North Harbour, Portsmouth, PO6 3AU, UK. Tel: +44 (0)1475 898073. Email: ibm_crc@uk.ibm.com
www.ibm.com/tivoli
OVUM (incorporating Butler Group) Technology Evaluation and Comparison Report

MICROSOFT: Microsoft Forefront Identity Manager 2010 and Associated Products

WWW.OVUM.COM
TECHNOLOGY AUDIT

Microsoft

Microsoft Forefront Identity Manager 2010 and Associated Products

CATALYST

Microsoft is a mainstream competitor in the identity and access management (IAM) space. Microsoft has a distinctive profile, and has significantly enhanced its offerings under the Forefront brand with Forefront Identity Manager (FIM) 2010 and its associated products, which build upon the foundation provided by AD and Microsoft’s thought leadership in the conceptual area of online identity. The offering is tightly integrated with key elements of the Microsoft infrastructure such as Outlook and SharePoint, allowing administrative work in areas such as user-group definition to be leveraged. With its portfolio of IAM products, Microsoft has strong capabilities in areas such as integrating internal and external identities, and extending corporate identity infrastructure into cloud services and partner networks.

Microsoft promotes identity management as an extension of the Windows and Office environment. The architecture of the suite is unique. While most of the expected identity management functionality exists within the Microsoft portfolio, it is not where users who are familiar with competing products would expect to find it.

KEY FINDINGS

Strengths:
- Microsoft’s view of identity management embraces services on the Internet.
- Many components of the portfolio are available through ubiquitous Microsoft products such as Windows, Office, .NET or AD.
- Microsoft supports application developers in delivering access management.

Weaknesses:
- This offering requires an environment that is predominantly built on Microsoft products.
Key Facts:
- Microsoft now embraces all major standards in IAM.

OVUM VIEW

While no identity management system deployment can be categorized as cheap or easy, organizations that are Windows-centric will find FIM 2010 and its associated products to be an attractive option. Microsoft’s approach builds on tools that the organization already uses and configuration data that exist in the corporate AD. The recent advances in FIM show Microsoft’s commitment to identity management, while its moves to embrace industry standards and its visionary work on the Identity Ecosystem show that it has awareness of wider business needs beyond the Microsoft ecosystem.

CHAPTER 7: MICROSOFT – MICROSOFT FOREFRONT IDENTITY MANAGER 2010 AND ASSOCIATED PRODUCTS 187
Recommendations

- Organizations with a commitment to Microsoft in the data center will find the company’s offerings a natural progression into IAM.
- Organizations that have concerns about maintaining strong access controls as they move into the cloud will be reassured by the level of investment that Microsoft has made in meeting this requirement.
- Organizations that need to enroll large numbers of external (non-employee) users into their IAM system will find that Microsoft’s perspective resonates with their requirements.

SOLUTION OVERVIEW

Microsoft offers integrated identity management across heterogeneous systems and groups, including IT professionals, end users and developers. Its offering is characterized by its deep integration with familiar Microsoft products; for example, it uses AD as its foundation, and provides user self-service capabilities through the Office and SharePoint interfaces. It also uses workflow that is embedded in existing products such as the Outlook client.

Microsoft’s complete IAM offering is delivered through the following products and services:

- Forefront Identity Manager (FIM) 2010.
- Windows Server AD Federation Services (AD FS) 2.0.
- Windows Identity Foundation (on .NET 3.5).
- Windows Azure AppFabric Access Control 1.0.
- Forefront Unified Access Gateway (UAG) 2010.
- Windows Server AD Domain Services (AD DS) and AD Lightweight Directory Services (AD LDS) 2008 R2.
- Windows Server AD Certificate Services.
- CardSpace 1.0.

Microsoft’s approach to identity management is built on the concepts of its Identity Metasystem, which is formulated to provide an “identity layer” that is missing from the Internet. “Claims” are transmitted as digitally signed tokens, conveying one or more of the subject’s identifiable attributes, asserted by the person or organization that has signed the token. When logging in to a business system, the required claims would typically be the name and affiliation of the user.
The tokens could use the Kerberos or SAML formats, which are transmitted using the WS-* protocols. The relationship between the components is shown in the architecture diagram in Figure 1.

Windows Server AD provides the Identity Management Platform, which enables the integration of the various aspects of IAM. FIM provides a web service API and facilities for delegation, workflow and connectors. It lets users create workflows that model business processes, and then attach them to requests. A compliance auditor can use this workflow as documentation of the approval process. Workflows that are built on Windows Workflow Foundation can be used in FIM. New activities, including approval and notification, can be defined on Windows Workflow Foundation within Microsoft Visual Studio. The FIM API also provides extensible activities, workflow and schema. FIM can be accessed through several clients, including an Internet portal and Outlook.

Microsoft’s customers benefit from having an identity management infrastructure that reuses the familiar products and interfaces in their existing Windows and Office products. Kerberos can be used to synchronize identity information across environments, and also across partner organizations. The AD account is used directly for log-in to Windows computers, to authenticate sign-in to Microsoft applications, and to provide SSO to other platforms and applications that support Kerberos, certificates or LDAP bind for user authentication. FIM allows users to reset their passwords from a locked workstation through a self-service dialogue.
Microsoft has started to build a range of cloud identity infrastructure services and components. Azure AppFabric Access Control helps organizations to build federated authorization into their applications and services, without the complicated programming usually required to implement application control beyond corporate boundaries. The service provides applications with a front-end that performs the authentication and claims transformation, and interacts with the application using the WS-Trust and Open Authentication (OATH) protocols. The application then has only to process the claims in these messages.

Figure 1: Microsoft Identity and the Cloud (Source: Microsoft)

SOLUTION ANALYSIS

Authentication technology

Microsoft’s FIM manages the lifecycle of passwords and certificate-based credentials such as smart cards. It also distributes soft OTPs for credential enrollment.

The company has also developed CardSpace, which as well as being a secure technology for authenticating personal identity on the Internet, can also be used in the corporate identity management field. It is useful for providing access to the systems of partner organizations, and could be used for employee access, particularly from remote locations. It allows users to assert claims relating to their identity that are backed-up by an identity provider with a recognized level of assurance. CardSpace provides the identity selector interface. In the corporate context, their employer could provide them with such an identity, which would by definition provide the same level of assurance as an internal identity in the corporate directory. In the same way that it could be used within the organization that issued it, the identity could be used to authenticate the user to a business partner. It is implemented as a .NET component of the Windows client or Server operating systems, and is hardened against spoofing or tampering.
The client’s user interface can also be secured with two-factor authentication if required.
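The claims flow described above (an identity provider signs a token carrying the subject’s attributes, the relying party processes only the claims, and a front-end such as AppFabric Access Control transforms claims between the partner’s and the application’s vocabularies), reduced to working code. This is an added example, not Microsoft’s code or any of its token formats: the JSON-plus-HMAC token layout, the shared issuer keys, the claim types and the mapping rules are assumptions constructed for illustration.

```python
# Added example (not Microsoft's code): a claims-based token round trip.
# Identity provider -> signed token -> claims transformer -> re-signed token
# -> relying party. Token format, keys, claim types and rules are constructed.
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, claims, audience, ttl=300, now=None):
    """Identity provider: sign a claim set for one audience with a bounded lifetime.
    The signature covers issuer, audience, expiry and claims together, so none
    of them can be altered in transit without detection."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, trusted_issuers, audience, now=None):
    """Relying party: use claims only from a correctly signed, unexpired token
    issued by a trusted party for this audience. Returns (ok, claims or reason)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        body = json.loads(payload)
        if not isinstance(body, dict):
            raise ValueError("body is not an object")
    except ValueError:          # wrong shape, bad base64 or bad JSON
        return False, "malformed token"
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if body.get("aud") != audience:
        return False, "wrong audience"
    if body.get("exp", 0) <= now:
        return False, "expired"
    return True, body["claims"]


# Constructed transformation rules: partner claim -> application claim.
RULES = [
    ("affiliation", "Contoso Engineering", "role", "engineer"),
    ("affiliation", "Contoso Finance", "role", "finance"),
]


def transform_claims(partner_claims):
    """Map the partner's vocabulary into the application's; an unmatched
    affiliation yields no role, so the application grants nothing by default."""
    out = {"name": partner_claims.get("name")}
    for in_type, in_value, out_type, out_value in RULES:
        if partner_claims.get(in_type) == in_value:
            out[out_type] = out_value
    return out


def federate(partner_token, partner_trust, acs_key, app_audience, now=None):
    """Claims transformer (the AppFabric Access Control role in the text):
    verify the partner token, map its claims, and re-issue a token that the
    application trusts. The application never needs the partner's key."""
    ok, result = verify_token(partner_token, partner_trust, "acs", now=now)
    if not ok:
        return None
    return issue_token("acs", acs_key, transform_claims(result), app_audience, now=now)
```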
Enterprise and web SSO

Active Directory Federation Services (ADFS) 2.0 provides easy access to applications both on-premise and in the cloud using a claims-based infrastructure. It provides an SSO experience for end-users looking to access applications in the enterprise, in the cloud, and in partner organizations. It is based on industry-standard protocols including WS-* and SAML, and enables heterogeneous applications to interoperate. ADFS federates with ADFS in other organizations, as well as with platforms from other vendors.

User provisioning

User provisioning is based on FIM Set management, which controls provisioning to connected Microsoft systems, as well as to third party systems. Groups are managed in AD (the authoritative corporate source of identity information) and visualized through Outlook and SharePoint. While FIM does not extend AD’s core functionality, it provides services to synchronize identities between AD and other identity sources, databases and systems, including those on non-Microsoft platforms. FIM can provision PKI certificates, and OTP systems. It works with Microsoft’s Certificate Authority and third-party CAs to deliver certificates for users. It can also issue soft OTPs for credential issuance.

Password management

FIM adheres to the password policy that is enforced by AD. It provides a self-service password reset facility based on personal information that the user chooses to provide for this purpose when they initially register with it (users select a range of personal questions that they want to use from a menu, and register the answers to these). Before resetting their password, the user has to supply correct answers to a subset of these questions that FIM selects at random.

Access control

UAG provides comprehensive and secure access to corporate resources for employees, partners and vendors, using both managed and unmanaged PCs and mobile devices.
It connects devices to the corporate infrastructure using a range of protocols ranging from SSL VPN to Direct Access. UAG provides centralized management of the enterprise’s anywhere-access offering, using built-in configurations and policies. It monitors the “state of health” of the end-user devices and, using the identity of the end user and information about the application that they are trying to access, it is able to enforce granular access controls.

Windows Identity Foundation is a component of .NET that provides the infrastructure for the identity and access control products. It is a developer framework for building claims-aware applications. Windows Server ADs underpin the operation of the products by maintaining policy and identity information. FIM AD FS 2.0 helps collaboration across organizations. It is fully integrated with AD authentication services and can use any information held in AD for the purposes of issuing tokens. Azure’s AppFabric Access Control service enables more flexible and extensible identity federation between services to be established. AD FS federates to both other AD FS and all the major third party environments.

Administration and policy management

FIM manages identity-based policies across Windows and heterogeneous environments. It provides self-service capabilities for Office end users, administrative tools and enhanced automation for IT professionals, and .NET- and WS-*-based extensibility for developers. Administrators can enforce adherence to centralized access management policies for applications.

PRODUCT STRATEGY

Microsoft is alert to the needs of organizations, and so is providing a unified approach across resources located in the enterprise and in the cloud. It is working to make it easier for organizations to move into the cloud and to use hybrid configurations. This strategy is based on its FIM technology.
FIM can already provision and synchronize on-premise directories and cloud services, and Microsoft will expand this range of capabilities and add new cloud services following the model of Azure AppFabric Access Control.
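The self-service password reset gate described under Password management above, as an added example that is not FIM’s code: users register answers to questions chosen from a menu, and a reset attempt must correctly answer a random subset of the registered questions. The question menu, the subset size, the lockout threshold and the salted PBKDF2 storage of answers are assumptions; the check that responses cover exactly the issued subset is the detail that stops a caller substituting questions of their own choosing.

```python
# Added example (not FIM's code): a challenge-question reset gate.
# Question menu, subset size, lockout policy and answer hashing are constructed.
import hashlib
import hmac
import os
import secrets

QUESTION_MENU = {
    "q1": "Name of your first school?",
    "q2": "City where your parents met?",
    "q3": "Make of your first car?",
    "q4": "Name of your childhood pet?",
    "q5": "Street you grew up on?",
}
MIN_REGISTERED = 4   # user must register at least this many questions
CHALLENGE_SIZE = 3   # questions drawn at random for each reset attempt
MAX_ATTEMPTS = 3     # consecutive failures before the reset path locks


def _normalize(answer: str) -> str:
    """Compare answers case- and whitespace-insensitively, as a reset UI would."""
    return " ".join(answer.split()).casefold()


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are stored like passwords: salted, slow hash, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


class ResetRegistry:
    def __init__(self) -> None:
        self._answers = {}   # user -> {qid: (salt, hash)}
        self._pending = {}   # user -> set of qids issued in the open challenge
        self._failures = {}  # user -> consecutive failed attempts

    def register(self, user: str, answers: dict) -> None:
        """Enrollment: the user picks questions from the menu and records answers."""
        unknown = set(answers) - set(QUESTION_MENU)
        if unknown:
            raise ValueError(f"unknown question ids: {sorted(unknown)}")
        if len(answers) < MIN_REGISTERED:
            raise ValueError(f"register at least {MIN_REGISTERED} questions")
        record = {}
        for qid, answer in answers.items():
            salt = os.urandom(16)
            record[qid] = (salt, _hash_answer(answer, salt))
        self._answers[user] = record
        self._failures[user] = 0

    def challenge(self, user: str) -> list:
        """Draw a random subset of the user's registered questions for this attempt."""
        qids = secrets.SystemRandom().sample(sorted(self._answers[user]), CHALLENGE_SIZE)
        self._pending[user] = set(qids)
        return qids

    def verify(self, user: str, responses: dict) -> bool:
        """Every issued question must be answered correctly. The response set must
        equal the issued subset, so the caller cannot pick easier questions, and a
        challenge can be used only once."""
        issued = self._pending.pop(user, None)
        if issued is None or self._failures.get(user, 0) >= MAX_ATTEMPTS:
            return False
        ok = set(responses) == issued
        record = self._answers[user]
        for qid in issued:   # hash every issued answer so timing does not leak which failed
            salt, stored = record[qid]
            supplied = _hash_answer(responses.get(qid, ""), salt)
            ok &= hmac.compare_digest(stored, supplied)
        if ok:
            self._failures[user] = 0
        else:
            self._failures[user] += 1
        return ok


if __name__ == "__main__":
    reg = ResetRegistry()
    reg.register("alice", {"q1": "Hill Road Primary", "q2": "Leeds",
                           "q3": "Fiat", "q4": "Biscuit"})
    asked = reg.challenge("alice")
    print("asked:", [QUESTION_MENU[q] for q in asked])
```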
Microsoft’s general long-term objectives are to empower business owners and information workers to be the decision makers in the identity and access field, to advance capabilities for managing identity and access for hosted IT services and hybrid scenarios, and to support compliance and the need for end-to-end identity management. Microsoft is investing heavily in standards and interoperability.

The products described in this report have replaced Microsoft’s Internet Access Gateway, Identity Lifecycle Manager, and earlier versions of products with the same names.

MARKET OPPORTUNITY

Microsoft’s integration of enterprise and web access controls is consistent with its long-established culture of embracing the Internet, and places it in a good position for developing its identity management market. It will also benefit as identity management adoption moves down into more medium-sized businesses, where Microsoft is in a strong position.

GO TO MARKET STRATEGY

Microsoft sells to all market sectors, to all types and sizes of organization, and in all geographic regions. It also uses all types of partner channel to reach its customers, and has educated, certified and trained thousands of partners in using its Identity and Access (IDA) solutions. Microsoft works mainly through value-added resellers to reach the smallest companies (those with fewer than 50 employees), while its own direct sales organization focuses on the mid-market and enterprise sectors.

FIM is most likely to be adopted by organizations with a strong process-oriented culture, with most FIM deployments in organizations of at least 500 employees.

Its primary global system integrator partners are Avanade, Accenture, HP (EDS), Wipro, Unisys, Oxford Computing, Quest, Globeteam, Securitay, and Microsoft Services.

FIM deployments require a significant services input.
This is in line with other IAM projects, as integration between the business and the technology is the crucial requirement for success.

The diversity of the Microsoft Identity Management portfolio’s component parts is reflected in their different sales models:

- FIM and Forefront UAG are sold with perpetual licenses on a “per user” and “per server” basis.
- AD FS and AD Domain Services and AD CS are part of Windows Server 2008.
- CardSpace is part of Windows Client.
- AppFabric Access Control, a software-as-a-service offering that is part of Azure, is sold by transaction.
- Windows Identity Foundation is part of .NET and is available as a free download.

IMPLEMENTATION

FIM requires Windows Server 2008 on a 64-bit platform, SQL Server and .NET.

Management agents and connectors link to remote systems on Linux, Unix and mainframe platforms, and APIs are provided for communication with application databases on these platforms. Microsoft provides 19 of these agents out-of-the-box for Microsoft (such as Exchange or SQL Server) and non-Microsoft (such as Lotus, Oracle or SAP) environments, while its partners provide other connectors. These use various protocols, including LDAP. Where no other form of interconnection is possible, the connectors simply export a text file. Partners such as Identity Forge provide connectors for RACF, ACF2 and Top Secret mainframe services, which synchronize identities across platforms but do not share authentication or provide SSO.

Microsoft is adopting a services-based approach to access control for external services. FIM currently works with hosted SharePoint and hosted Exchange services, while ADFS and Live can federate to Azure. In future private clouds with Azure, clients and Microsoft applications will be covered, as it will be able to communicate with other applications that support OATH and SAML protocols.
The Azure AppFabric Access Control services can link to cloud services using non-Microsoft technology such as Amazon or the Gmail identity service. ADFS can also authenticate directly to Salesforce.com and other services, but has to be configured for each service individually. Organizations wanting more general integration with external services are better advised to use AppFabric Access Control Service, as this provides many-to-many integration.

DEPLOYMENT EXAMPLES

Microsoft IT

Microsoft IT provides application development resources and technical support to Microsoft’s 90,000 employees worldwide. It promotes employee productivity and collaboration, while maintaining the highest level of information security. Microsoft IT has deployed FIM 2010 to streamline identity management, save costs, and improve user productivity.

Microsoft IT is a large organization, with 208,000 user accounts, 472,000 security and distribution groups and 2,300 distinct corporate applications. It faces increasing requirements for system interoperability and compliance complexity, as well as pressure to be more efficient. Before moving to FIM 2010, it adopted a bespoke group management application to support centralized group policy authoring and provide limited self-service for group management. However, this was costly to maintain, and did not meet the needs of users. Microsoft wanted a better solution, as well as to remove the heavy workload of handling password reset requests manually.

Microsoft IT had also deployed the company’s Identity Lifecycle Manager 2007 product from its inception, but decided to upgrade to FIM and extend its coverage to include the additional requirements it faced. It worked with the product development team for FIM 2010, specifying development priorities and enabling rigorous field testing of the product in a production environment. The joint target was to migrate 50,000 users and 75,000 groups to FIM 2010 by January 2010.
During the transition process, while the old and new infrastructures were running in parallel, Microsoft IT used AD Domain Services to create separate organizational units for the two applications and to define a discrete set of permissions for each. This allowed employees to view groups in both applications, while applying changes to only one location. Employees are now able to reset their own passwords and provision their own smart cards, although Microsoft IT recognizes that it will not be able to handle all such requests automatically; for example, when an employee forgets their registered answers to the challenge-response questions.

Microsoft IT is using the extensibility of FIM 2010 to customize it to Microsoft’s unique business rules. It has suggested the following guidelines to enterprises deploying the software:

- Define business rules and requirements before beginning the upgrade.
- Determine the best approach to migrating groups: phased or simultaneous.
- Start with a pilot deployment.
- Minimize re-synchronization of the rule base between new and old systems (if applicable) by configuring rule changes ahead of the deployment.

Microsoft IT has experienced substantial savings and efficiency improvements due to the automated password reset capability, and simplified compliance reporting through the centralized policy-based management. It can now audit all identities, credentials and resources, along with business rules and events, from a centralized repository.

Scott Wilson

Scott Wilson is a global construction company that provides strategic consultancy and professional services. It is headquartered in the UK, but has 80 locations around the world and 6,000 employees. It wanted to unify its IT systems and make all of its key IT services available to employees through its intranet portal.
While previously it had separate AD services for its UK and international operations, the company wanted to improve its user provisioning process.192 IDENTITY AND ACCESS MANAGEMENT 2011/12
  • Scott Wilson engaged the Oxford Computer Group, a Microsoft-Gold-certified partner, to handle theimplementation of Microsoft FIM 2010. It started by integrating the UK human resources and financesystems, the corporate portal and the two AD systems. This allowed users to be enrolled just once,instead of three times, and provided a single and accurate view of employee identities and access rightsacross the business. The next phase of the project is to introduce workflows to automate routineprovisioning and resource management tasks globally. Users will be able to set up accounts and resetpasswords themselves, saving money and giving faster access to services. The system will beintegrated with Microsoft Outlook 2010 to send an automated email message to a line manager so thatthey can authorize or reject provisioning requests with a single click. Scott Wilson is already benefittingfrom reduced help desk costs, and from reduced waiting times for employees needing access toresources.Microsoft Corporation Microsoft LimitedOne Microsoft Way Thames Valley ParkRedmond ReadingWA 98052-6399 RG6 1WGUSA UKTel: +1 (800) 642 7676 Tel: +44 (0)844 8002400Email: via Microsoft Support website Email: via Microsoft Support websitewww.microsoft.com www.microsoft.com/ukCHAPTER 7: MICROSOFT – MICROSOFT FOREFRONT IDENTITY MANAGER 2010 AND ASSOCIATED PRODUCTS 193
NOVELL: Novell Identity Manager 4 Advanced Edition

TECHNOLOGY AUDIT

Novell
Novell Identity Manager 4 Advanced Edition

CATALYST

Good people, effective processes and efficient performance are the core components required to achieve strong operational results. However, in isolation, they are not enough, and organizations increasingly require intelligent management systems to maintain control over who can access their systems and information resources across enterprise, virtual, and cloud-based environments. Effective identity management is the key to organizing access, and solutions such as Novell Identity Manager 4 Advanced Edition are needed to control enterprise access, reduce the risk of exposing sensitive data, and help to maintain compliance. This is an enterprise-class identity and access management (IAM) product that has the scalability and high availability required to deal with large, complex and diverse operating environments. Novell’s approach of bringing together IAM and compliance to provide a foundation for enterprise IT governance, risk, and compliance (GRC) is a strategy that will find favor across most industry verticals. The requirement for organizations to manage identity and user access across physical, virtual, and cloud environments is fully addressed by Identity Manager 4.

KEY FINDINGS

Strengths:
- Allows organizations to be open and agile without compromising security or control.
- Integrates and automates secure access for customers, partners and employees.
- Maintains past and present visibility of people, their actions and company compliance.

Weaknesses:
- The Advanced Edition separates sophisticated operational usage from the more basic Standard Edition demands, but does allow customers the right to be selective.

Key Facts:
- An enterprise solution that supports policy-driven access control to applications from data center operations to the cloud.

OVUM VIEW

The latest release of Novell Identity Manager (r4) uses identity to deliver intelligent user authentication and access control, user protection, and compliance across physical, virtual, and cloud environments. Intelligent, cloud-ready and secure is the message that Novell is promoting. In Ovum’s opinion the focus on delivering identity-management services that are able to operate across mixed environments is well timed, and bringing together IAM and enterprise compliance is a good strategy.

The simplification of identity management is another key message that Novell is keen to promote. It makes the valid point that some of the company’s major competitors still struggle to deliver integrated SSO, provisioning and role management because of the disconnected nature of the IAM tools that they have acquired and have to work with. By contrast, Novell Identity Manager has been built as a homegrown configuration-centric product that eliminates most external coding requirements.

CHAPTER 7: NOVELL – NOVELL IDENTITY MANAGER 4 ADVANCED EDITION 197

Included with the product set are tools such as Novell Designer, which allows customers to connect enterprise systems and configure workflows into the live environment using a business-focused drag-and-drop interface. The drag-and-drop approach also extends to provisioning and role-mapping for third-party roles and permissions to create a consolidated roles database.

In the immediate future, the IAM sector is unlikely to get away from its perceived position of being over-complex and providing technology that organizations only deploy across areas of the business where cost and complexity overheads can be fully justified. Novell is working hard to reduce total cost, complexity, and management effort, and is succeeding on a number of levels. That notwithstanding, each new technology wave adds extra user protection requirements, and Novell’s enterprise-level product-development efforts will need to be sustained if it is to maintain its position.

Recommendations

Organizations that are looking to protect enterprise, virtual, and cloud operations would benefit from considering Novell’s cloud and enterprise-ready IAM offering.

Novell IAM caters for all market sectors. Its products have particular relevance to highly regulated industries such as financial services and healthcare. These are also areas where the IAM need is likely to strengthen as stronger GRC requirements are introduced.

For company size, Novell’s market is medium-to-large enterprise (5,000 or more employees). Smaller organizations in specific highly regulated industries can also benefit, but generally the SME sector is not a target.

SOLUTION OVERVIEW

Novell Identity Manager is an established and mature IAM product set. All major product components were built in-house by Novell developers and are fully integrated to the extent that the complete solution works seamlessly alongside enterprise business systems to protect user and operational access.
[Figure 1: Novell Identity Manager – A logical view of Novell’s event-based approach to IAM. The diagram stacks four layers: user communities (customers, partners and contractors; employees; mobile users; developers and consultants; business managers; CISO; compliance/auditor) reaching the system through a portal/webtop, web services and custom interfaces; Key Functional Capabilities (white pages, self-service and password management; business resource request; approval workflow; role-based user management and delegated administration; advanced reporting and metrics; role and policy mapping; compliance content); Major Components (real-time data integrity; RBAC model; identity vault; workflow system; historical reporting and warehouse; open APIs; deployment and management tools); and Connectors (directories, help desk, databases, credentialing, applications, OS and file systems, telephone and building access, cloud and SaaS). Source: Novell]
Identity Manager 4 Advanced Edition supports all the core elements of identity management including directory management, provisioning, role management, SSO, password management and authentication. It also provides the opportunity to integrate with complementary Novell products such as Novell Access Manager for web and enterprise access management and Novell Sentinel for SIEM, regulatory compliance, and analytical and audit-level reporting.

What differentiates Novell from most of its competitors is its event-based architecture. This differentiation carries over into the latest Identity Manager 4 release, which is based on an event-driven automated data-integration engine. This means that even in large enterprise organizations with thousands of users and distributed applications, and with constant changes that can be triggered by a single event, real-time provisioning ensures the immediate propagation of role changes throughout the organization, thereby maintaining accuracy and supporting compliance.

Many of the company’s 5,000 or so IAM customers run integrated and sophisticated business operations. They rely on Novell to tightly control who has access to their data systems, when that access is allowed, and what data usage rights that access gives. In line with the issues that Novell customers have highlighted as being important to them, the company has maintained, and in some cases added, new facilities to the Advanced Edition of its latest release. These include:

- Real-time identity synchronization and password management (also in the Standard Edition).
- Rules, roles, and workflow-based optimal provisioning.
- Integrated policy management for business rules and workflow.
- Provisioning to SaaS applications such as Google Apps and Salesforce.com (also in the Standard Edition).
- Reporting on user access at the present time (also in the Standard Edition).
- Extended reporting on historic user access using activity reports.
- A tool for integrating permissions (for various siloed applications) to enterprise roles without the need for coding.

The new Advanced Edition facilities are mainly targeted at enterprise operations where business and IT have developed identity management requirements that are sophisticated in their event-based process demands and extensive in their reporting requirements. An example of this would be an enterprise model where access controls are linked to compliance requirements, and provisioning services are controlled by business roles and their permissions, and a constantly up-to-date directory infrastructure.

Within the Novell IAM model, administrators take responsibility for role management and mapping so that provisioning and de-provisioning services have a direct connection to business roles. This approach also helps to ensure that new starters’ access rights are added based on their role in the organization, and leavers can be accurately and completely removed based on their known access rights. Novell’s role-mapping administrator facility uses a drag-and-drop interface to map third-party roles and permissions to Novell Identity Manager. It uses this approach to create a consolidated governing roles database where policy management is made simpler through the use of pre-built hot-pluggable policy packages that are set up to meet customer and industry requirements.

Reporting facilities within Identity Manager 4 have also been extended to include facilities that store a complete range of history records that can be used to provide audit-level information on current and previous usage patterns when building user-activity reports.

The overall product set provides a scalable, bi-directional, open platform, and data and event-driven solution. It enables Novell to significantly reduce the complexity of provisioning workflow and role-based access control to satisfy the complex and in-depth identity management requirements of its customers. To support cloud-level deployments, Novell Identity Manager 4 provides enterprise-class administration and scalability, as well as greater connectivity to SaaS-based applications. By ensuring that there is no single point of failure, Novell delivers a highly scalable high-availability IAM product set.
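The event-driven propagation of role changes and the joiner/mover/leaver handling described in the paragraphs above, as an added example; this is illustrative code written for this page, not Novell’s engine or API. An identity vault acts as publisher, each connected system as subscriber, and a leaver is revoked from every system based on the entitlements the vault recorded, with an orphan check for access that exists in a target system but was never recorded. The roles, systems, users and entitlement names are constructed sample data.

```python
"""Added example: an event-driven provisioning engine (not Novell code).

The identity vault publishes a change event, each connected system subscribes
and applies only the entitlement delta, and a leaver is removed from every
system based on the entitlements the vault recorded for them. Roles,
systems, users and entitlements below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role model: role -> {connected system: entitlements}.
ROLE_ENTITLEMENTS = {
    "sales-rep": {
        "crm": {"opportunity:read", "opportunity:write"},
        "email": {"mailbox"},
    },
    "sales-manager": {
        "crm": {"opportunity:read", "opportunity:write", "forecast:approve"},
        "email": {"mailbox"},
        "erp": {"report:view"},
    },
    "contractor": {"email": {"mailbox"}},
}


@dataclass
class ConnectedSystem:
    """Subscriber side: the entitlements a target system has granted per user."""
    name: str
    grants: dict = field(default_factory=dict)  # user -> set of entitlements

    def apply(self, user, add, remove):
        current = self.grants.setdefault(user, set())
        current |= add
        current -= remove
        if not current:  # no access left: drop the account record entirely
            del self.grants[user]


@dataclass
class IdentityVault:
    """Publisher side: authoritative record of each user's role and grants."""
    systems: dict                                   # name -> ConnectedSystem
    roles: dict = field(default_factory=dict)       # user -> role
    granted: dict = field(default_factory=dict)     # user -> {system: set}
    audit: list = field(default_factory=list)       # (event, user, system, added, removed)

    def publish(self, event, user, role=None):
        """Handle a join/move/leave event and push the delta to every subscriber."""
        if event not in ("join", "move", "leave"):
            raise ValueError(f"unknown event {event!r}")
        if event != "leave" and role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        old = self.granted.get(user, {})
        # A leaver's desired state is empty: everything recorded gets revoked.
        new = {} if event == "leave" else {
            s: set(e) for s, e in ROLE_ENTITLEMENTS[role].items()}
        for name in set(old) | set(new):
            add = new.get(name, set()) - old.get(name, set())
            remove = old.get(name, set()) - new.get(name, set())
            if add or remove:  # only systems with a real delta receive an event
                self.systems[name].apply(user, add, remove)
                self.audit.append((event, user, name, sorted(add), sorted(remove)))
        if event == "leave":
            self.roles.pop(user, None)
            self.granted.pop(user, None)
        else:
            self.roles[user] = role
            self.granted[user] = new

    def orphans(self):
        """Access present in a connected system that the vault never recorded."""
        found = []
        for name, system in self.systems.items():
            for user, ents in system.grants.items():
                extra = ents - self.granted.get(user, {}).get(name, set())
                if extra:
                    found.append((name, user, sorted(extra)))
        return found


def demo():
    """Run a joiner, a role move and a leaver through the engine."""
    systems = {n: ConnectedSystem(n) for n in ("crm", "email", "erp")}
    vault = IdentityVault(systems)
    vault.publish("join", "alice", "sales-rep")
    vault.publish("move", "alice", "sales-manager")
    vault.publish("leave", "alice")
    return vault, systems


if __name__ == "__main__":
    vault, systems = demo()
    for entry in vault.audit:
        print(entry)
    print("remaining grants:", {n: s.grants for n, s in systems.items()})
```

The point of computing the delta per system is that a move never touches systems whose entitlements do not change, while a leave revokes exactly what was recorded; the orphan check is the reconciliation a reviewer would run to catch access granted outside the vault.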
[Figure 2: Novell Identity Manager – A logical view of Novell’s event-based approach to IAM. The diagram shows the Identity Manager workflow engine and approval workflow repository (events triggering workflow, workflow triggering events), Access Manager and Sentinel (remediation triggers, event collection), the replicated identity vault, the Identity Manager data-integration engines with publisher and subscriber channels, and change events flowing to and from connected applications, databases, email and directories. Source: Novell]

SOLUTION ANALYSIS

Authentication

Novell SecureLogin provides client-based authentication and SSO services. The technology originates from ActivIdentity, with Novell acquiring the rights to the code in 2009, which is unusual because it is the only component of the Novell Identity Manager product set that was not developed in-house. Novell does provide a number of integrated value-added facilities, including its scalable and fault-tolerant identity-vault application for storing user-authentication credentials, a strong authentication framework for certificate, smartcard, token and biometric management, and a common auditing and administration framework.

This component of the Novell Identity Management product set consists of multiple integrated security systems that provide authentication and SSO to networks and applications. It delivers a single point of entry to corporate resources, and is delivered using the organization’s chosen authentication security controls, all of which can be aligned with corporate regulatory compliance and security policy requirements. A key advantage of combining core-user authentication and SSO services comes from the ability to eliminate the need for multiple passwords.

Enterprise and web SSO

The delivery of enterprise SSO forms a core component of the Novell SecureLogin solution. Web SSO is delivered using a proxy-based approach as a component of Novell Access Manager, and provides web SSO, web access management, and identity federation facilities. It includes standard and strong authentication, authorization and personalization facilities, and can also utilize data-encryption facilities to ensure that data are properly protected. Novell Web Access Management features strong federation capabilities, which help when organizations are looking to move to cloud-based services, and also addresses a number of challenges for SharePoint users. The product provides simplified yet secure access to resources for customers, citizens, business partners, and employees. Importantly, it also delivers native support for Microsoft AD and Oracle/Sun directory servers, which enables the product to be deployed in any standard identity management environment.
Provisioning and role management

Novell prides itself on being one of the few IAM vendors to have developed its own integrated identity management solution in-house rather than via acquisition. This includes all directory services, user-provisioning, role-management, and access management components.

Novell also provides configuration-centric provisioning and role-management technology that virtually eliminates the need for additional coding. Novell Designer, an Eclipse-based product, allows business analysts to connect enterprise systems and configure workflows using a non-technical drag-and-drop interface. Completed configurations can be deployed directly into production environments. Its role-mapping administrator tool operates using the same business-focused approach for mapping third-party roles and permissions to Novell Identity Manager roles, to create a consolidated infrastructure.

Provisioning and role management is delivered using browser-based web application facilities. They provide a business-focused approach to the provisioning environment while exposing workflow-based provisioning services, delegated administration facilities and end-user self-service tasks. The facilities allow users to reset passwords, request access to systems or applications, claim and approve or deny pending actions, and navigate the company’s organizational chart. In Ovum’s opinion, the overall approach provides a simplified event-based method of provisioning and role management that reduces the complexity of provisioning workflow and role-based access control.

Password management

In the Novell IAM product set, password-management facilities are used to support the enforcement of centralized password policies, to generate and distribute new passwords, and to automate the detection of and response to password change events. Novell password management supports various types of password approaches, including traditional password and prompt facilities, challenge and response approaches, self-service password-recovery and reset services, and integration with Novell SSO facilities.

User dashboards are available to provide a web environment for user self-service. They support a workflow-based approach to requests for access to password provisioning resources and role management. Dashboards are also used to maintain user profiles and to access white pages, organizational chart information and associated password management functions.

Access control

Access controls within Novell Identity Manager reduce the risk of exposing sensitive data to unauthorized personnel by using control facilities that are intended to ensure that only authorized users are allowed access. In addition, through the provisioning of appropriate role-based entitlements to connected systems, Novell Identity Manager facilitates the consistent enforcement of these access controls throughout the environment. The product’s advanced reporting and monitoring facilities provide information about the actions of users, how their access rights are being used, and the activities they perform. Novell offers monitoring and reporting services that work with and maintain both current and historical information resources. This approach introduces the ability to take into account current and past information and provide intelligence-led reporting.

The primary roles of access control are to manage and restrict access to information systems and networks to the right people at the right time, to streamline the delivery of security and regulatory compliance efforts, and through its automated services, to cut back on compliance-related costs. It achieves this by using operational intelligence to understand when the state of identities and the roles and entitlements associated with them change in the enterprise. From this position of strength, accurate decisions can be made about who is given access to which systems and extending the information provided to cover issues such as why and how critical information resources are used.

PRODUCT STRATEGY

Novell is a leading provider of security management solutions. Its IAM products are used across all market sectors, particularly in areas such as financial services, healthcare and the government sector, all of which have to maintain strong compliance commitments.
The drivers for IAM continue to be regulatory compliance and the fear of unauthorized users gaining access to an organization’s intellectual property. New and updated regulations continue to emerge and because of this, the need remains for more inclusive governing mechanisms based on identity management. To address these ongoing needs, organizations require agile IAM systems that can quickly and efficiently respond to policy and operational changes to ensure that day-to-day operations remain properly protected under all circumstances. Novell believes that these requirements play well with its current approach to identity management, which includes its simplified policy management services and its increased focus on delivering and proving compliance.

Another important issue that Novell is proactively addressing with its latest IAM strategy is the ability to support mixed operating environments, including enterprise cloud adoption, which is beginning to move rapidly from board-level discussions to operational reality. Cloud usage constraints rightly include concerns about data controls and security. Because of this and because mixed operational strategies that include traditional servers, virtual machines and the cloud have to maintain consistent levels of security and control, Novell has taken a strong IAM position on cloud services. It has extended its enterprise policies to SaaS applications and is focusing on the delivery of highly secure cloud services. Its approach also includes increased support for hosted and MSP identity services that have the potential to deliver Novell IAM services to the SME market.

Key trading and implementation partners include:

- Global system integrators – ACS, Atos Origin, CSC, Deloitte, Harris IT, Infosys, KPMG, TATA Consulting Services, Unisys, Verizon Business and Wipro.
- Solution providers/consultants (American markets) – Beacon, Brighton Consulting, Centrinet, CGA, Compugen, Concensus Consulting, Crescent Enterprise Solutions, Eclipsecurity, EST Group, Great Northern Consulting, Hub City Media, Identity Automation, Identropy, IDMworks, Ilantus, KIS, Mycroft, Novacoast, Pivot Point Security, Simeio Solutions, Stage 7 Software Systems, Tenet, TriVir, Victrix and Vigilant.
- Solution providers/consultants (Asia Pacific markets) – Directory Concepts, Microware Limited, NCS, SecureWorx, Senetas, Tecala and Xynapse.
- Solution providers/consultants (EMEA markets) – ADVNET, Atheos, Business Connexion, B2Lateral, Cambridge Technology Partners S.A., Deron, Didas, Engineering Group, G+H Netzwerk-Design, IDFocus, IT Quality, Maintainet, NetFlex, Network Solutions, Prolink, Pulsen, Ubusha Technologies and Value Team.

Novell supports three product-licensing options: perpetual licensing, a subscription approach, and a hosted software agreement model. All include a common approach to discounting, which is tiered by volume.

Novell has a clear development roadmap in place for IAM. Four broad themes are addressed:

- Simplification, which will involve making Novell products easier to consume. The approach is supported by Novell’s intention to make its IAM products multi-tenant-friendly and therefore more attractive to managed service providers.
- Content, which will focus on providing greater out-of-the-box business relevance, particularly in the area of compliance.
- Packaging, which will include adapting Novell IAM capabilities to forms that are more suited to current and future enterprise usage.
- Supporting services, for the company’s Intelligent Workload Management strategy, which will deliver new administration and management capabilities.
IMPLEMENTATION

Organizations primarily deploy Novell Identity Manager to automate manual processes or to replace homegrown and/or failing first-generation provisioning and compliance-management solutions. The implementation resources required vary by project, but are defined by project size and core identity management and business logic issues. Under normal circumstances, the number of users does not make a significant difference other than during the migration phase, where there might be data population requirements. Overall project timescales can also vary and be reduced if undertaken using professional services from Novell Consulting or a certified partner.

Novell provides three support options:

- Standard Maintenance delivers 12-hour, five-day access to support services during the heaviest business hours. US support services are 6am to 6pm Mountain Time, EMEA support is 8am to 8pm Central European Time, and Asia Pacific support is 7am to 7pm local time.
- Priority Maintenance delivers 24/7 support with a four-hour response time, and a one-hour response time for severity one issues.
- Premium Service provides a single engineer-led point of contact for all support queries. Nominated engineers understand the customer’s technical environment and are required to respond to problems within one hour.

Novell offers a wide range of product-training services, and technical-enablement training and certification courses. For Novell Identity Manager 4 Advanced Edition, it recommends as a minimum the free technical overview and introduction course. There are also Identity Manager upgrade courses, two administration training courses and self-study kits with exam-based certification, and advanced courses aimed at systems integrators, consultants and IT engineers.

DEPLOYMENT EXAMPLES

Vodacom SA

Vodacom SA is South Africa’s leading cellular telecommunications provider. It supports the communications requirements of more than 30 million customers across 40 African countries. The company’s range of services cover wireless broadband, Internet services, enterprise solutions, VPN and supporting infrastructure services. Vodacom selected Novell’s user-provisioning technology to provide user-lifecycle and risk-management facilities for its 30 million external users and to deliver traditional role-based provisioning and SSO start-up services for its 5,000 call-center agents. After integrating Novell’s user-provisioning services with its own IT stack to provide workflow, portals, service catalogue and configuration management, the company now uses Novell to manage customer and account access to its range of business services.

GaVI

GaVI is a European provider of health management services. It employs about 500 staff and has been a Novell customer since 2006, using its identity management solutions to manage the IT infrastructure for more than 34 insurance companies. With between five and 10 million user seats in permanent use, GaVI has deployed Novell’s identity management technology for company-wide use to control access to all legacy applications and to support its role management processes. Federated usage of the Novell product set also provides access to SAP, PeopleSoft, and Oracle applications, and it uses Novell Sentinel for compliance management and central reporting, and for reviewing its corporate security status.

Western & Southern

Western & Southern is a Fortune 500 company that provides life insurance, annuities, mutual funds and investment management through its member companies. The company is one of the 10 highest-rated life insurance groups in the world according to Standard & Poor’s, and has assets in excess of $42 billion. As the foundation of its identity management platform, Western & Southern uses Novell Identity Manager to automatically synchronize user identity information across multiple systems including Novell eDirectory, Microsoft AD and Microsoft Exchange. Novell Access Governance Suite includes two components that help Western & Southern to meet new compliance requirements: Novell Roles Lifecycle Manager simplifies access control based on user roles; and Novell Compliance Certification Manager automates the monitoring, reporting, and remediation of access privileges.

Uvex

Uvex is a global leader in the manufacture of personal safety and protection equipment, and one of the fastest growing companies in Germany. Its subgroup, Uvex Sports, also manufactures protective equipment for skiing, cycling and motocross. Uvex uses Novell Identity Manager to synchronize identity data for approximately 1,600 user accounts across key business systems such as SAP ERP, Lotus Notes and Cisco Call Manager, along with other self-service applications. With Novell Identity Manager automatically reflecting changes across all connected systems, Uvex no longer needs to edit multiple user directories to maintain users. While simplifying and accelerating the creation and management of user accounts, Novell Identity Manager also reduces human error by eliminating the need to re-key information into multiple systems. It also increases security by immediately removing access rights to all systems for employees who leave the organization.

Interroll

Interroll is a manufacturer of motorized rollers, belt drives and conveyor modules for handling, storage and automation. The company has grown internationally, and now employs more than 1,300 people in over 30 countries. Interroll evaluated several possible solutions before choosing Novell Identity Manager. The initial implementation of Novell Identity Manager involved its integration with Novell Open Enterprise Server, Novell ZENworks and the cloud-based Microsoft BPOS and Citrix solutions. The requirement was to achieve automatic synchronization of all user directories. Using Novell, when a user account is created, edited or deactivated, the new information flows through all these systems, eliminating the need for administrators to make the same changes to each system.

Novell corporate headquarters: 404 Wyman, Suite 500, Waltham, MA 02451, USA. Tel: +1 (781) 464 8000. Fax: +1 (781) 464 8100. Email: crc@novell.com. www.novell.com

Novell UK office: Novell House, 1 Arlington Square, Downshire Way, Bracknell, Berkshire, RG12 1WA, UK. Tel: +44 (0)1344 724000. Fax: +44 (0)1344 724001. Email: contact-uk@novell.com
ORACLE: Oracle Identity and Access Management Suite – Release 11g

TECHNOLOGY AUDIT

Oracle
Oracle Identity and Access Management Suite – Release 11g

CATALYST

Oracle Identity and Access Management Suite is a comprehensive suite of products that covers all the main areas of identity management functionality, and is now one of the leading products in the sector. It comprises an integrated suite of products that can be deployed either standalone or collectively. Its position in the market builds on Oracle’s strong business applications. Identity and access management (IAM) is a fundamental component for the delivery of both security and compliance, and is also important in raising the productivity of workers in large and medium-sized organizations. Oracle’s suite of products has benefited from a series of acquisitions, including Oracle’s recent acquisition of Sun Microsystems’ products. The trend for enterprises to rationalize their IT suppliers has boosted Oracle’s products in the IAM area.

KEY FINDINGS

Strengths:
- The Oracle suite is built on industry-standard protocols and interfaces.
- Oracle has a comprehensive suite of closely integrated products.
- Oracle is advanced in both providing identities to cloud SaaS services and using identities from identity service providers.

Weaknesses:
- Oracle relies on ecosystem partners for privileged user account control (apart from its Authentication Services for Linux/Unix operating systems).

Key Facts:
- Oracle provides or supports agents to bring the most common business applications into its SSO domain.

OVUM VIEW

Oracle has a comprehensive and well-integrated suite of IAM products that offers good value for money when compared with other competitive offerings on the market. It has been enhanced by Oracle’s recent acquisitions of Bharosa, Bridgestream, BEA Systems and Sun Microsystems. These have built out the core capabilities of the suite to the point where it now compares favorably with its major competitors in terms of breadth of coverage.

IAM is one of the most fundamental components of enterprise IT infrastructure. The effort required to deploy it matches the role it plays. It has to be deeply integrated with business applications and processes and with employee roles and organizational structures, and it is becoming increasingly important to closely integrate with partner systems, cloud services and customer-facing applications. Choosing an IAM suite is a decision that it is important to get right. Organizations should therefore work with one of their strategic vendors with the resources and stability to ensure continuing support. These considerations should take priority over the specific feature sets of the product. Nevertheless, Oracle provides good functionality and open interfaces for identity federation across collaborating organizations and for integrating third-party applications into its sphere of influence.

CHAPTER 7: ORACLE – ORACLE IDENTITY AND ACCESS MANAGEMENT SUITE – RELEASE 11G 207
The positioning of the identity management suite in the Oracle Fusion security middleware and its integration with Oracle’s GRC strategy places it at the center of the most relevant business concerns.

Recommendations

Enterprises that want to rationalize their IT suppliers and achieve a well-integrated core infrastructure set and have made Oracle a strategic supplier, will find that the Oracle IAM suite provides a comprehensive and well-integrated solution for their identity and access management needs.

Organizations that use the Sun/Waveset identity management products should migrate to the Oracle suite to preserve their existing investments and processes.

Although usually most applicable to medium-size and large organizations, Oracle provides a useful and viable suite for organizations in the 500 to 1,000 employee range.

SOLUTION OVERVIEW

Oracle Identity Management is an integrated and open set of 14 components that can be licensed as standalone products or as part of several suites. They cover areas such as identity administration, access management to web, web services and other applications and systems including SSO and federation with collaborating organizations, directory services, web services, entitlements management, real-time fraud prevention, multi-factor authentication, information rights management, and identity and access governance (functional areas are outlined in the Figure 1 product architecture diagram).

[Figure 1: Oracle Identity Management component functions. The diagram shows Oracle Fusion, LOB/enterprise and ISV applications consuming standards-based identity services (authentication, authorization, federation, trust, identity administration, provisioning, role management, policy management); the product portfolio (OAM, OIF, OIM, ODSEE, OID, OWSM, OAAM, OES, OIA, OVD, OAS4OS) grouped into access, identity, audit and risk shared services; the core platform (security infrastructure for Java (FMW & IdM), user administration, common audit framework, virtualization (OVD), orchestration (BPEL PM), deploy and install, user interface technology); and standards-based persistence (LDAP (OID/ODSEE), XML, DB, file). Source: Oracle]

The components are built around an SOA using shared services, both within the suite and across the wider Oracle environment. For example, functions such as identity administration and password management, workflow, authentication and authorization, cryptographic services and auditing are provided as services in the suite, which is positioned as a pillar of Oracle’s Fusion middleware platform and is a core component of its GRC strategy.
The foundation of an IAM system is the information repository, which is usually implemented in an enterprise directory or meta-directory system. On top of this are a range of technologies that deliver common services and functions to the suite. The core IAM products deliver enterprise-level services such as access control, user identification, audit reports of user actions relating to user provisioning and user access actions, and risk management relating to the inappropriate use of system and information resources.

The identity services can be placed in tiers relating to their position in the construction of the identity infrastructure:
• Strategy formulation – policy management and trust.
• Management of permissions – identity administration, role management and provisioning.
• Operational control – authentication, authorization and federation.

SOLUTION ANALYSIS

Authentication technology

Oracle Access Manager (OAM) provides several out-of-the-box authentication protocols, including form-based authentication, Kerberos, Windows log-in, and support for second-factor authentication such as RSA SecurID tokens, other forms of OTPs, digital certificates, and knowledge-based paradigms. It also integrates with 12 third-party stronger authentication products from vendors in Oracle’s extended independent software vendor (ISV) ecosystem, such as BioKey and Daon.

A useful feature of OAM is its ability to automatically step up to two-factor authentication in situations where an internal risk assessment indicates that additional assurance is required, as defined in the organization’s policy.
This helps to reduce the risk of fraud through impersonation.

A key capability of OAM is a full-featured session management capability providing administrative control over user sessions.

Oracle provides pluggable authentication modules for privileged users.

Enterprise and web SSO

Oracle’s Enterprise Single Sign-On Suite (ESSO) allows users to access platforms and applications across the enterprise using a single credential.

Oracle Web Services Manager (OWSM) defines and implements web services security in heterogeneous environments. It provides tools to manage web services based on service-level agreements, and supports runtime monitoring in live environments.

In common with all IAM suites, SSO is only achieved when the target systems and applications have been integrated with the IAM infrastructure. Oracle supports third-party web agents that give access to a wide range of common business web servers and applications such as Oracle WebLogic and Apache. Oracle publishes its Access SDK to cater for bespoke and more specialist applications so that application developers can create agents to link their applications to OAM.

Oracle’s Enterprise SSO product includes a kiosk manager, a password-reset function, an authentication manager and a provisioning gateway.

User provisioning

Oracle Identity Manager (OIM) is the key user-provisioning and identity administration component that provides a central platform for managing identities over their lifecycle. Access permissions based on roles are assigned to identities. User and role administration is performed in a single administrative console, and these functions share Oracle’s Business Process Execution Language workflow engine. This provides simplified self-service request management. The workflow can be shared across teams and supports delegated administration.
Oracle offers role mining as part of a comprehensive identity and access governance product called Oracle Identity Analytics (OIA). OIA recommends role definitions, and user admin and role admin have been combined in the same console, with a single integrated workflow to check access permission allocations. OIA audits and certifies accounts, roles and entitlements. Discrepancies can be flagged to the resource administrator or to the individual’s manager. Options for handling exceptions include temporary acceptance of the status quo. A feature called Cert 360 gives a complete view of the state of compliance around a user, a resource or an entitlement, so that permissions can be reviewed at appropriate times.

OIM can provision users into SaaS cloud services using bi-directional Service Provisioning Markup Language (SPML) calls. Popular SaaS applications, including Oracle CRM on Demand, Salesforce.com and Microsoft Windows Live, are among the types of cloud applications into which OIM can integrate. Additionally, these cloud services can be incorporated into the scope of the SSO function.

Access control

Oracle applies access controls to applications and data. Oracle Access Management Suite is the key product here. Oracle Entitlements Server (OES) allows fine-grained access control to be grafted onto an existing application. Traditionally in the IT world, application access control has been hard-coded into an application and has been very basic in its scope, often to the point of being non-existent. OES allows detailed permissions to be defined and implemented both centrally and outside the application. It is therefore possible to achieve fine-grained controls without modifying applications.

FIM

Oracle Identity Federation (OIF) is a standalone product that supports identity federation. It is integrated with OAM and similar products from other vendors. It communicates with these tools using standard protocols such as SAML or Kerberos.
Oracle has two approaches for providing identity federation. The first is to deploy a lightweight component called Fedlet in the domains that wish to federate to the enterprise identity management system. The other method is to propagate identity across domains using capabilities defined in the WS-Trust standard and a variety of identity token types such as SAML assertions. Oracle’s Identity and Access Management Suite also integrates with identity provider services from third parties including salesforce.com, Google Apps and Oracle on Demand, from which it can accept identity assertions.

LDAP administration

Directory services are delivered using Oracle Internet Directory (OID), Oracle Directory Server Enterprise Edition (ODSEE), and Oracle Virtual Directory (OVD) services. OID is an LDAP directory that has the scalability, availability, and security features of an Oracle database. ODSEE is an LDAP server that integrates into heterogeneous applications and provides the LDAP directory components that underpin the IAM system. It synchronizes and manages the information stored in multiple directories across the enterprise. OVD provides a secure facility to connect applications to existing user identity stores, whether directories or databases, without modifying the infrastructure or applications.

To satisfy the audit requirements of several compliance standards, Oracle Database Vault can monitor and manage user access to databases, including the activities of privileged users. Third-party ISVs such as Cyber-Ark can integrate products into the Oracle stack and can be certified with Oracle.

Oracle provides a reporting engine as a service in the Identity and Access Management Suite. This incorporates several standard reports as well as providing an interface by which users or service providers can add customized report formats. The standard reports include identity/access reports, role-based analysis and compliance exceptions.
Reports can be delivered to a separate database. The suite’s user interface is available in 28 languages.
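The Access control section above describes the point of Oracle Entitlements Server: permissions are defined centrally and evaluated outside the application, so the application no longer hard-codes its own rules. The following is an added illustration of that pattern in Python; it is not Oracle's code and does not use the OES API. The rule set, the invoice attributes and the subject records are constructed sample data, and the deny-overrides combining rule and the default of deny are design choices assumed for the example.

```python
"""Externalized, fine-grained authorization: a small policy decision point (PDP)
that an application consults instead of hard-coding access rules.
Added example; not Oracle Entitlements Server code. All data is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: dict                                   # caller attributes (id, roles ...)
    action: str                                     # e.g. "read", "approve"
    resource: dict                                  # target attributes (type, owner, amount ...)
    context: dict = field(default_factory=dict)     # optional environment (time, channel ...)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                     # "permit" or "deny"
    condition: Callable[[Request], bool]


class PolicyDecisionPoint:
    """Evaluates an ordered rule list. Any matching deny rule wins (deny-overrides);
    otherwise the first matching permit wins; nothing matching means deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, req: Request) -> Tuple[str, str]:
        permits = []
        for rule in self.rules:
            if rule.condition(req):
                if rule.effect == "deny":
                    return "deny", rule.name         # deny-overrides: stop immediately
                permits.append(rule.name)
        if permits:
            return "permit", permits[0]
        return "deny", "default-deny"                # closed by default


# Constructed policy for an invoice-approval application. Rules live here, centrally,
# and can be changed without touching the application code below.
RULES = [
    Rule("deny-self-approval", "deny",
         lambda r: r.action == "approve" and r.resource.get("owner") == r.subject.get("id")),
    Rule("deny-large-without-manager", "deny",
         lambda r: r.action == "approve" and r.resource.get("amount", 0) > 10_000
         and "manager" not in r.subject.get("roles", ())),
    Rule("permit-clerk-read", "permit",
         lambda r: r.action == "read" and "clerk" in r.subject.get("roles", ())
         and r.resource.get("type") == "invoice"),
    Rule("permit-approver", "permit",
         lambda r: r.action == "approve" and "approver" in r.subject.get("roles", ())
         and r.resource.get("type") == "invoice"),
]
PDP = PolicyDecisionPoint(RULES)


def can(subject: dict, action: str, resource: dict) -> str:
    """Policy enforcement point helper: returns "permit" or "deny"."""
    return PDP.decide(Request(subject, action, resource))[0]


def approve_invoice(subject: dict, invoice: dict) -> dict:
    """Application code. Note that no business rule appears here; it only enforces the decision."""
    decision, rule = PDP.decide(Request(subject, "approve", invoice))
    if decision != "permit":
        raise PermissionError(f"approve denied by rule {rule}")
    return {"invoice": invoice["id"], "approved_by": subject["id"]}


# Constructed sample subjects and resources used below and in tests.
ALICE = {"id": "alice", "roles": ("clerk", "approver")}
BOB = {"id": "bob", "roles": ("clerk", "approver", "manager")}
DAVE = {"id": "dave", "roles": ()}
INV_OTHER = {"id": "INV-1", "type": "invoice", "owner": "carol", "amount": 500}
INV_OWN = {"id": "INV-2", "type": "invoice", "owner": "alice", "amount": 500}
INV_LARGE = {"id": "INV-3", "type": "invoice", "owner": "carol", "amount": 50_000}


def demo() -> Dict[str, str]:
    """Decisions for the constructed cases, keyed by a short label."""
    return {
        "alice-approve-other": can(ALICE, "approve", INV_OTHER),
        "alice-approve-own": can(ALICE, "approve", INV_OWN),
        "alice-approve-large": can(ALICE, "approve", INV_LARGE),
        "bob-approve-large": can(BOB, "approve", INV_LARGE),
        "alice-read-large": can(ALICE, "read", INV_LARGE),
        "dave-read-other": can(DAVE, "read", INV_OTHER),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {decision}")
```

The point to notice is the separation: `approve_invoice` could be shipped unchanged while the rule list is edited, audited and versioned elsewhere, which is what "fine-grained controls without modifying applications" amounts to in practice. The deny-overrides combining rule means a later permit can never silently cancel an earlier prohibition such as self-approval.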
Standards and authorities

Oracle supports the following industry standards relating to identity management: SAML; SPML; WS-Federation; ID-FF; LDAP; Directory Service Markup Language (DSML); Transport Layer Security/Secure Sockets Layer (TLS/SSL); Public-Key Cryptography Standards (PKCS) #11; PKCS#12; WS-Security and associated profiles; Request for Comments (RFC) 3961 Kerberos Encryption; RFC 1510 Kerberos; RFC 1964 Kerberos Generic Security Service (GSS); XML Signature; XML Encryption; XML Canonicalization; XML Key Management Specification; RFC 2630 – CMS; RFC 2515 – PKCS#7; RFC 2634 – Secure/Multipurpose Internet Mail Extensions (S/MIME); Extended Log File Management; Java Authorization Contract for Containers (JACC); RBAC; Java Authentication and Authorization Service (JAAS)/Java Platform Security; SOAP; SOAP with attachments; Message Transmission Optimization Mechanism (MTOM); WS-Policy; WS-SecurityPolicy; WS-ReliableMessaging; WS-Addressing; WS-MetadataExchange; Advanced Encryption Standard (AES) 256 encryption; Secure Hash Algorithm (SHA) 1 signature; Java Key Store; and XACML.

PRODUCT STRATEGY

Oracle released its first product in this area, OID, in 1999. It has steadily expanded its portfolio since then through organic development and through the acquisition of specialist vendors. Its recent acquisition of Sun Microsystems brought it one of the major competing identity management suites, significantly strengthening its position in the sector. Before this, two important acquisitions were Bridgestream in 2007, which provided role-management capabilities, and Bharosa, which delivered adaptive access facilities. In 2005, Oracle acquired the following companies: Thor Technologies, for its enterprise-wide user-provisioning capabilities; Oblix, with its range of functions, including SSO for third-party applications; and OctetString, with its virtual directory technology that enabled Oracle to work with third-party directories.
While these acquisitions were specialist vendors, the Sun Microsystems acquisition resulted in substantial duplication of similar products.

One of Oracle’s tasks moving forward is to rationalize and merge the two product lines. Sun Identity Manager is now called Oracle Waveset. The convergence process will result in some strategic components from Sun’s products being added to Oracle’s suite as Sun’s users are gradually eased over to the Oracle products. OIM will be enhanced with usability, operational and other developer-friendly features that will make it more familiar to Oracle Waveset users. The integration will also drive innovation in areas such as risk-based provisioning. Oracle plans to offer migration tools for all Sun Identity Manager products later in 2010. Sun users are now offered equivalent Oracle products free of charge. They will be allowed to run both products in parallel, so that they can migrate at their own pace.

Oracle regards the Open SSO Fedlet (now known as Oracle Open SSO Fedlet) and the Secure Token Service (Oracle Open STS) as strategic components that it has added to the Oracle Identity and Access Management Suite. It also plans to continue to invest in the Open SSO product.

Oracle has also used the Sun Role Manager (formerly from Vaau) as the foundation for OIA, while the Sun Directory Server Enterprise Edition has been combined with OID and OVD to deliver a new product called Oracle Directory Services Plus.

With the recent 11gR1 release, Oracle has delivered on:
• Service-oriented security, developing standards-based security services for applications to use.
• Suite-wide integration and standardization.
• Continued alignment of products with evolving standards from industry bodies such as Kantara, OASIS and the Cloud Security Alliance.
• A unified security administration console.
• Suite integration from installation, configuration and policy models, with shared functional components and platform certifications.
• Integrated end-to-end functionality to allow customers to manage user sessions, authentication, federation, authorization, security token services, web services and risk analysis/fraud prevention.
Two types of migration tools from Sun Open SSO will be added to OAM. The first is a set of policy-migration utilities, and the second is an agent-compatibility framework that allows Open SSO agents to communicate and interoperate with the OAM policy server.

Oracle also plans to offer migration tools for Sun Identity Manager to OIM. The first part of this tooling is to uptake the Identity Connector Framework (part of SIM) as a strategic framework within OIM, thereby enabling enterprises to leverage a common framework for integration with target applications across both provisioning engines. Secondary tooling for migrating data objects, core schema, audit data and workflow will also be made available.

Oracle goes to market with a direct sales force, and through resellers and other channel and alliance partners. It has its own sales team in most geographic regions. These include vertical market specialists and security specialists with a horizontal focus across all industry sectors. It also has dedicated security experts in its teams dealing with public sector, healthcare, and higher education. Oracle’s major delivery partners are PricewaterhouseCoopers, Deloitte, Accenture and Wipro, and it has regional partnerships with SENA Systems, TrewPort, Beacon, Integral and others. Oracle Consulting Services can provide professional support to customers, and Oracle offers training programs through self-study, online study, and instructor-led classes.

Oracle’s identity management products are used by organizations of all sizes. However, most of the deployments are at medium or large organizations. Oracle uses channel partners to deliver the products to smaller customers.

Oracle offers both perpetual and term licenses for its products. Charges are calculated on a per-employee user, per-non-employee user or per-processor basis. Oracle publishes a price list on its website.
IMPLEMENTATION

A deployment project for a major IAM suite requires significant resources over a period of months or even years, and projects are usually rolled out incrementally. A project is intimately related to business process changes, and can deliver substantial business benefits. It is therefore essential to receive buy-in from business managers and to include a business analyst in the deployment team. Experienced consultants are also a valuable resource. Oracle Consulting and several of its system-integrator partners such as PricewaterhouseCoopers, Deloitte, HP-EDS, Accenture, Wipro and SENA Systems can provide professional support. An incremental approach can be segmented according to business groups, applications and platforms, and facilities, or to the products in the IAM suite.

Oracle has traditionally mainly sold individual IAM products, but market demand is now shifting toward complete suites. This is partly due to organizations rationalizing their IT suppliers and favoring comprehensive suites of products over best-of-breed point solutions, and partly due to a growing realization that the business benefits of a comprehensive approach are greater than the sum of the benefits of the parts, particularly with respect to delivering regulatory compliance.

The majority of Oracle’s identity management customers deploy the products on-premise, but Oracle is providing technology for managed identity services offered by HP-EDS, Wipro, Oracle on Demand and BT. Users can deploy Oracle IAM products on-premise or use one of these service providers for a managed on-premise, dedicated hosted, or SaaS solution.

The suite runs on Microsoft Windows, Linux, Solaris, AIX, HP/UX, z/OS and Mac OS platforms. It also requires a database on which it can be deployed, and this is not included in the license. However, most customers have an existing database license that they can use for this purpose.
DEPLOYMENT EXAMPLES

Pharmaceutical company

The pharmaceutical industry operates in a challenging environment where it has to balance the needs of information security and information sharing. It is subject to many regulations, including the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and Code of Federal Regulations (CFR) Part 11. At the same time, effective and speedy collaboration, both across the company and with external partners, is essential for commercial success. This company’s strategy is to treat authentication as an infrastructure service that each application can use, using OAM and OVD to build a unified and centralized portal for both internal and external access. This portal offers users a choice of credential for authentication and ensures that the level of authentication is appropriate to the level of risk associated with the application. Some of its applications are web-based. It was also able to offer its employees web-based access to corporate applications through its portal. The SSO capability has significantly enhanced user productivity and security, by eliminating a plethora of user IDs and passwords. Oracle’s Virtual Directory provides LDAP and XML views of enterprise information without moving it from its native locations. It also acts as an intermediary between clients and services that enhances the security of application connections. It now has 300 applications using its common authentication services.

Government ministry of defense

This organization oversees all of the country’s military and civilian defense personnel. It needed to consolidate all of its classified data in a secure and scalable electronic platform. It uses Oracle Identity Management to provide 100 senior users with secure and seamless access to the information that they are entitled to access. Their access rights depend on their job function and their security clearance level.
It is important that the identity management product is interoperable with third-party products and open standards. OVD is used to integrate user identity information from the ministry and armed forces’ ADs. OAM controls and tracks access to confidential documents based on user roles.

Government agricultural authority

This organization administers the distribution of state funds within the agricultural sector, and monitors the use of these funds. Its services are used by 50,000 users from diverse groups such as farmers, agricultural businesses, other industrial players and local officials. It has to ensure stable access to services by all of these groups, provide a seamless integration between its own electronic services and the government portal that gives access to services such as business and population registers, and develop services for data capture, processing and monitoring. It deployed OIF and OAM to provide convenient and efficient access to the required services. It has outsourced the maintenance and operation of the systems.

Oracle Corp
500 Oracle Parkway
Redwood Shores
CA 94065
USA
Tel: +1 (650) 506 7000
Fax: +1 (408) 720 3725
Email: oraclesales_us@oracle.com
www.oracle.com

Oracle UK
Oracle Parkway
Thames Valley Park
Reading, RG6 1RA
UK
Tel: +44 (0)118 9240000
Fax: +44 (0)118 9243000
Email: uksales_ie@oracle.com
www.oracle.com
RSA (THE SECURITY DIVISION OF EMC): RSA Identity & Access Management
TECHNOLOGY AUDIT

RSA (The Security Division of EMC)
RSA Identity & Access Management

CATALYST

Across all sectors of business there is a need to accurately control who has access to operational systems. It is a vital element of any security management strategy. Good quality identity and access management (IAM) is necessary to reduce business risk, minimize exposure to fraud, identify inappropriate systems use and support the unimpaired use of business systems. The effective use of IAM breeds trust and confidence in an organization’s business processes. It allows trusted users to interact with systems and access information securely and selectively. It can also help to control operational costs through increases in operational efficiency. These are all issues that RSA addresses with its extensive range of IAM-based identity assurance products.

RSA provides enterprise-class identity assurance products that address the risk and compliance issues arising in highly regulated sectors such as finance, healthcare, telecoms and government. The company’s broad range of authentication services addresses all levels of secure access, based on risk. Its range of authentication methods covers appliance, hosted (SaaS), and on-premise operations. RSA delivers an enterprise suite of identity assurance products that can also address the IAM requirements of SME clients.

KEY FINDINGS

Strengths:
• Provides best-of-breed identity assurance and access control products.
• Strong multi-factor authentication includes the use of hardware and software tokens.
• Federation facilities allow organizations to securely share and exchange user identities.

Weaknesses:
• Does not provide homegrown user provisioning facilities.

Key Facts:
• Integrates with the main directories from Microsoft, Oracle and Novell.
• Partners with Courion to provide best-of-breed user provisioning facilities.

OVUM VIEW

RSA provides an extensive range of IAM-based identity assurance products and services, which collectively, as well as individually, can be deployed to protect the operational systems and intellectual property of public and private sector organizations and their users. The company’s identity assurance products have been designed to minimize the risks associated with inappropriate and unauthorized systems and account usage, and its services have been extended to address fraudulent activity, accidental data leakage, and information and event monitoring.

The main components of the RSA IAM solution have the capability to deal with business-specific identity assurance issues. This is achieved by combining the essential elements of credential management, authentication and contextual authorization with an integrated Intelligence layer that actively addresses access control, activity monitoring, information sharing and a growing range of management alerting and reporting requirements.

CHAPTER 7: RSA (THE SECURITY DIVISION OF EMC) – RSA IDENTITY & ACCESS MANAGEMENT 217
RSA recognizes that the user and information protection needs of many organizations may start with the basic requirement to identify and control the access rights of systems users. However, it is also acutely aware that IAM is just part of a security management strategy that organizations will need to have in place to fulfill their compliance and intellectual property protection requirements. Building out from the core components of identity management, content-aware IAM needs to have the ability to work alongside and integrate its services with other core protection and security management technology, including DLP, encryption and key management, and SIEM products.

Its competitors would probably argue that, because RSA already owns these additional security management products, it overstates their worth. However, the counterargument is easier to make. Most enterprise organizations need to control access to their core information systems, protect the data that those systems hold and, at the same time, prove to audit and compliance levels that these objectives have been achieved. RSA has consistently held a market-leading position in the core identity management areas of strong authentication, user authorization and access control. Ovum recognizes that its content-aware approach now extends its relevance into information protection and security management.

Recommendations

RSA technology is suitable for any organization that needs to authenticate users, and verify and monitor intellectual property use across its operations, and where appropriate, to the extended enterprise. Vertical markets including financial services, government, healthcare and telecoms represent just some of RSA’s areas of success. The technology supports the security management initiatives of organizations, from very large international groups through to smaller enterprise operations.
Its adaptive authentication and transaction monitoring services are used by large enterprises operating in markets such as financial services to secure online transactions. At the same time, its range of SecurID products is also of value to businesses of all sizes. Organizations select RSA identity assurance products to support their regulatory compliance initiatives, to help prevent fraudulent activity, and to increase customer confidence when using online services.

SOLUTION OVERVIEW

RSA provides an integrated set of products that simplify and improve the administration and management of user identities and access control. Its IAM product suite encompasses the key components of identity management, including multi-factor and contextual authentication. It supports the delivery of enterprise-strength access control and extends its services to the provision of federated identity services, DLP, fraud detection and SIEM. Its product set comprises integrated technology that extends user authentication from its foundation as a source of basic identity management to one where continuous control and monitoring of identity, authentication, access and usage is a fundamental business service.

Within the RSA approach to operational security management, identity assurance is the key to its service delivery methodology. It brings together an integrated platform of facilities and services that can be used to help organizations minimize the business risks associated with identity impersonation and inappropriate account usage. The approach allows trusted identities to freely and securely interact with and across systems and networks, and provides controlled access to protected information.

The key business and technology deliverables are:
• Credential management – this provides a full lifecycle management and policy administration environment for credentials that are used in the identity verification and assurance processes.
• Authentication – this assures identities to a system, resource or transaction, and is based on the risk involved. Delivery can involve a choice of appliance, hosted (SaaS) or on-premise software. The methods offered can vary from form factors that include both hardware and software tokens.
• Contextual authorization – this enforces access based on a specific risk and business context according to the policy requirements of each organization.
Collectively, this intelligence-based technology approach is used to protect the integrity of identity-based controls through the monitoring of credentials and activities that allow authorized parties to access information systems for specific designated purposes.

The key IAM products that RSA uses to deliver these services are:
• RSA Access Manager.
• RSA Identity Protection and Verification.
• RSA Federated Identity Manager.
• RSA SecurID.
• RSA Adaptive Authentication.

Provisioning and role management services are provided through the company’s close partner relationship with Courion. RSA has chosen to maintain this partnership approach to the delivery of core IAM services, as it believes that provisioning is a component of IAM that is best dealt with by a specialist.

[Figure 1: The business and technology deliverables of the RSA approach to IAM. Source: RSA. The diagram shows credential management (ID policy and credentials lifecycle, verify identity, define ID policy, lifecycle management), user authentication (choice of credentials, KBA and shared secrets, device identification, one-time passwords), an intelligence layer (ID and activity monitoring, information sharing and alerting), contextual authorization (access control and set-up), and federation and access management spanning the company and its partner companies.]

SOLUTION ANALYSIS

Authentication

RSA provides a wide range of business and user authentication services. Its SecurID product set delivers strong two-factor authentication facilities that are provided using both hardware and software tokens. Its digital certificate services can be used to maintain a secure environment for authenticated, private and legally binding electronic communications. The company’s e-commerce products provide a secure framework for building cardholder protection and fraud management using a wide range of authentication and card security services.
Its Identity Protection and Verification product set adds knowledge-based authentication to provide real-time confirmation of customer identities.
The universal requirement is to verify all authentication requests and, through RSA Authentication Manager, maintain, control and deliver a centrally administered set of policy- and rule-based network authentication services. RSA provides high performance and scalability across the product set, and interoperates with a wide-ranging set of network, remote access, VPN, Internet, wireless and application solutions.

Adaptive authentication

RSA Adaptive Authentication extends the role of the company’s business and user authentication portfolio to the web environment. Its Adaptive Authentication products are based on a risk-based authentication platform that has been developed to provide strong protection for web and voice communication channels. Alongside the growing need to provide employees, customers, business partners, suppliers, contractors and a whole host of other regular and ad hoc users with online access, organizations need to ensure that this is done in a secure and cost-effective manner. Therefore, the product’s functional role is to deliver an effective balance between secure authentication, a good quality user experience and cost-efficient controls.

Adaptive Authentication monitors user activity and its controls are driven by each organization’s specified acceptable risk levels, policy and user segmentation requirements. It supports a wide range of authentication approaches including invisible authentication (device identification and profiling); site-to-user authentication (website assurance using pre-selected personal security images); out-of-band authentication (phone, SMS or email with security challenges); and OTPs (supported by hardware and software tokens).

Access control

There are four key areas of operational responsibility that fall within RSA Access Manager’s remit:
• Managing risk – by ensuring secure access to web applications within intranets, extranets, portals and all user and customer-facing applications. Access Manager provides a core security-management infrastructure that protects the assets of a business by making it difficult for unauthorized users to access corporate systems. It also provides audit-level reporting facilities that can be used to identify and control unacceptable insider usage and systems abuses.
• Ensuring compliance – user-access controls, policy-management facilities and enforcement services are used to support each organization’s specific compliance requirements. The product’s enforcement and reporting services help IT and C-level business managers to measure the organization’s compliance levels with current internal and external security policies. The product also provides automated reporting that identifies all end-user system and application activity.
• Cost reduction – is achieved by making efficient use of the product’s centralized facilities for the management of user identities and privileges. These services are supported across multiple applications, domains and geographies. The central management approach reduces the overheads of managing fragmented identity systems. It also makes use of SSO facilities, which, through single-source user efficiencies and well-documented self-service help-desk savings, bring further potential cost-reductions.
• Improved end-user experience – is provided through the product’s SSO capabilities. SSO allows multiple applications to be protected by a single access instance. This equates to one secure password having the ability to safeguard access to multiple applications, which, in the right environment, removes the need for users to maintain multiple credentials.

FIM

RSA Federated Identity Manager provides facilities that allow organizations to securely share and exchange user identities with internal business units, customers and, on a business-to-business (B2B) level, with third-party business partners.
The product is standards-based and has been developed to work with mainstream industry and web services standards, including XML, SOAP and SAML 2.0.220 IDENTITY AND ACCESS MANAGEMENT 2011/12
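RSA Federated Identity Manager is described above as SAML 2.0-based. What the service-provider side of such a federation has to check before it trusts an assertion from a partner's identity provider is worth seeing concretely. The following is an added example written for this page in Python, not code from RSA or any vendor profiled here: it parses a constructed SAML 2.0 assertion (the entity IDs, URLs and request ID are assumed for illustration) and enforces the SP-side checks that matter for security: trusted issuer, validity window with clock skew, audience restriction, bearer confirmation (Recipient and InResponseTo) and one-time use of the assertion ID. Verifying the XML signature is a precondition that it deliberately leaves to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration; it is not output from any real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3d4" Version="2.0" IssueInstant="2011-06-01T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@partner.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2011-06-01T12:05:00Z"
          Recipient="https://sp.example/saml/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-06-01T11:59:00Z" NotOnOrAfter="2011-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


class AssertionRejected(Exception):
    """Raised when any SP-side check on the assertion fails."""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC ('Z'), optionally with fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, sp_entity_id, acs_url,
                       outstanding_request_ids, seen_assertion_ids, now,
                       skew=timedelta(seconds=60)):
    """Return the asserted NameID if every check passes; raise AssertionRejected otherwise.

    Precondition NOT implemented here: the XML signature covering this assertion has
    already been verified against the IdP certificate taken from its metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"] or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 Assertion")

    # Replay protection: an assertion ID is accepted once within its validity window.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:
        raise AssertionRejected("missing or already consumed assertion ID")

    # Only the partner IdP we federated with is trusted.
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != trusted_issuer:
        raise AssertionRejected("untrusted issuer %r" % issuer)

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise AssertionRejected("Conditions element missing")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        raise AssertionRejected("assertion expired")

    # Audience restriction: an assertion minted for another SP must not be accepted here.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if sp_entity_id not in audiences:
        raise AssertionRejected("audience mismatch: %r" % audiences)

    # Bearer confirmation: addressed to our ACS and answering a request we actually sent.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None:
        raise AssertionRejected("SubjectConfirmationData missing")
    if scd.get("Recipient") != acs_url:
        raise AssertionRejected("Recipient mismatch")
    in_response_to = scd.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise AssertionRejected("unsolicited or unknown InResponseTo")
    scd_expiry = scd.get("NotOnOrAfter")
    if scd_expiry and now - skew >= parse_saml_time(scd_expiry):
        raise AssertionRejected("subject confirmation expired")

    # Every check passed: consume the request ID and remember the assertion ID.
    outstanding_request_ids.discard(in_response_to)
    seen_assertion_ids.add(assertion_id)
    return root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)


def run_checks(now_offset_minutes=0, sp_entity_id="https://sp.example/metadata",
               seen_assertion_ids=None):
    """Run the constructed assertion through the checks; return the NameID or the rejection reason."""
    now = datetime(2011, 6, 1, 12, 1, 0, tzinfo=timezone.utc) + timedelta(minutes=now_offset_minutes)
    try:
        return validate_assertion(SAMPLE_ASSERTION, "https://idp.partner.example/metadata",
                                  sp_entity_id, "https://sp.example/saml/acs", {"_req42"},
                                  set() if seen_assertion_ids is None else seen_assertion_ids, now)
    except AssertionRejected as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print(run_checks())                       # alice@partner.example
    print(run_checks(now_offset_minutes=6))   # rejected: assertion expired
```

The seen-assertion and outstanding-request sets stand in for whatever store the SP keeps; entries only need to live as long as the assertion's NotOnOrAfter plus skew. Requiring InResponseTo means IdP-initiated (unsolicited) SSO is refused, which is the right default unless the federation agreement explicitly allows it.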
In today's interactive business environments, the requirement for closer partner interaction involving shared information assets makes closer collaboration necessary to maintain a competitive edge. To do this safely, there is a need to maintain and manage trusted user identities for a company's own employees and authorized third parties. RSA Federated Identity Manager maintains strong levels of control by ensuring the security of authorized users and their transactions. Within the RSA solution, a federated identity is a single controlled entity that each user is able to use across internal and external areas of the business and partner websites, with all of these elements being bound by the ties of federation.

Extended security management facilities

RSA has considered the wider business requirements for security management and the range of protection services that have direct associations with controlling user access and the information resources that become available once authorized access has been granted. The company's identity assurance approach includes the availability of information monitoring and data protection services, and includes its SIEM, DLP and data encryption products.

RSA DLP provides a best-practice approach to data protection. It includes facilities that enable IT and business managers to understand which data are most sensitive to their operational activities, where they reside, who should be allowed access, and the controls, policies and data encryption rules that are necessary to provide the required levels of protection and fulfill audit and compliance demands.

RSA SIEM provides activity logs that address the need-to-know elements of identity management, access control, and data protection. Organizations need to be able to prove how effective their user controls and information access strategies are. Regulatory compliance often requires this information, and auditors may well demand it. Through its enVision platform, RSA provides a scalable and relevant collection of data analysis, alerting, reporting and data storage services.

PRODUCT STRATEGY

RSA has an open-market approach to the marketing of its identity assurance products. Its identity-driven solutions are relevant to any organization that needs to verify and securely authenticate users while protecting and controlling access to its intellectual property.

Over 30,000 customers use the company's range of security products, around 25,000 of which are users of some or all of the components of its IAM suite. RSA IAM customers include Accor, Alliance & Leicester, AMD, Credit Suisse, Flybe, Hershey Foods, Kronos and Staffordshire Police.

MARKET OPPORTUNITY

RSA IAM systems are implemented across a wide range of industry sectors including financial, legal, automotive, consumer and retail, e-commerce, education, energy, government, healthcare, manufacturing, real estate, technology and transportation. In addition to its vertical coverage, the company addresses horizontal markets with cross-industry solutions such as regulatory compliance, consumer identity protection, portal and partner integration, mobile workforce security and digital rights management. The company's customers come from every part of the business landscape, and at the upper end of the scale, the vast majority of the Fortune 100 uses its services.

RSA's identity assurance products deliver a prompt ROI, providing a quick-win approach to most IAM projects. Its most significant market opportunities are provided by the following business and market drivers:

• Supporting compliance initiatives through the use of its systems and technologies, so that businesses are able to fulfill their various regulatory compliance commitments.
• Securely enabling workforce mobility and enhancing productivity by supporting the needs of mobile and remote workers (employees, contractors and virtual teams) and their flexible working requirements.
• Preventing fraud and accidental data loss by controlling channel access to information systems and managing the information available to authorized users. This includes securing access to sensitive information across enterprise systems and networks. Its web portal approach has been designed to improve operational efficiency and enable controlled information sharing and self-service capabilities.

CHAPTER 7: RSA (THE SECURITY DIVISION OF EMC) – RSA IDENTITY & ACCESS MANAGEMENT 221
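The Adaptive Authentication description earlier in this profile explains that the product scores each access against the organization's acceptable risk levels, policies and user segments, and chooses between invisible authentication and a stronger challenge; the fraud-prevention driver above is the business case for the same mechanism. As an added illustration, not RSA's code or scoring algorithm, the Python below implements that pattern with a small rule set: device familiarity, country, travel plausibility since the last accepted login, and recent failures feed a score, and per-segment thresholds turn the score into allow, step up or deny. Every weight, threshold and segment name is an assumption chosen for illustration; the sample profile and attempts are constructed.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Set, Tuple

# Assumed policy: per user segment, the score at which we step up to an explicit
# challenge (OTP or out-of-band) and the score at which we refuse outright.
SEGMENT_THRESHOLDS = {
    "employee": (30, 70),
    "customer": (40, 80),
    "partner": (25, 60),
}

# Assumed signal weights; a real deployment tunes these against its own fraud data.
WEIGHT_UNKNOWN_DEVICE = 30
WEIGHT_UNUSUAL_COUNTRY = 20
WEIGHT_IMPLAUSIBLE_TRAVEL = 40
WEIGHT_RECENT_FAILURES = 15
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class UserProfile:
    segment: str
    known_devices: Set[str]          # device fingerprints seen after a fully authenticated login
    usual_countries: Set[str]
    last_login: Optional[Tuple[int, float, float]]   # (unix_time, lat, lon) of last accepted login


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    lat: float
    lon: float
    time: int
    recent_failures: int


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(profile, attempt):
    """Add up the weighted risk signals; return (score, list of human-readable reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual country %s" % attempt.country)
    if profile.last_login is not None:
        t0, lat0, lon0 = profile.last_login
        hours = max((attempt.time - t0) / 3600.0, 1 / 60.0)   # floor at one minute
        speed = km_between(lat0, lon0, attempt.lat, attempt.lon) / hours
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            score += WEIGHT_IMPLAUSIBLE_TRAVEL
            reasons.append("implausible travel (%.0f km/h)" % speed)
    if attempt.recent_failures >= 3:
        score += WEIGHT_RECENT_FAILURES
        reasons.append("repeated recent failures")
    return score, reasons


def decide(profile, attempt):
    """Map the score onto the segment policy: 'allow', 'step_up' or 'deny'."""
    score, reasons = risk_score(profile, attempt)
    step_up_at, deny_at = SEGMENT_THRESHOLDS[profile.segment]
    if score >= deny_at:
        return "deny", score, reasons
    if score >= step_up_at:
        return "step_up", score, reasons   # caller issues an OTP or out-of-band challenge
    return "allow", score, reasons         # invisible authentication is sufficient


def record_success(profile, attempt):
    """Only after a fully authenticated login (including any step-up) is the device learned."""
    profile.known_devices.add(attempt.device_id)
    profile.last_login = (attempt.time, attempt.lat, attempt.lon)


if __name__ == "__main__":
    # Constructed profile: an employee whose last accepted login was from London.
    alice = UserProfile("employee", {"dev-A"}, {"GB"}, (1_300_000_000, 51.5074, -0.1278))
    for attempt in (
        LoginAttempt("dev-A", "GB", 51.5074, -0.1278, 1_300_003_600, 0),
        LoginAttempt("dev-B", "GB", 51.5074, -0.1278, 1_300_003_600, 0),
        LoginAttempt("dev-B", "US", 40.7128, -74.0060, 1_300_003_600, 0),
    ):
        print(decide(alice, attempt))
```

The design point is that the device only enters known_devices in record_success, i.e. after the step-up challenge has passed; enrolling it on the first sight of the fingerprint would let an attacker turn an unknown device into a trusted one with a single stolen password.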
GO TO MARKET STRATEGY

RSA operates using a wide range of sales channels, which it targets to support specific customer needs. These include direct sales, distribution partners, systems integrators, managed service providers and value-added resellers. Key business partners include EDS, Deloitte, CSC, AT&T, Wipro and Tata (TCS). Its listed technology partners include BEA Systems, Cisco, Citrix Systems, Juniper Networks, Microsoft and McAfee. In total, RSA has more than 1,000 certified technology partnerships.

While RSA believes that it has no single competitor because of the range and breadth of its own solutions, it mainly competes on end-to-end IAM projects with the large multi-platform vendors such as IBM, Oracle, Novell and CA, and its information protection products compete directly with Symantec, McAfee, Websense and CA.

The majority of RSA products are priced on a per-user or per-transaction basis. RSA offers perpetual and subscription licensing models, and, in addition, annual maintenance contracts are available.

IMPLEMENTATION

Each product within the RSA identity assurance portfolio can be deployed in its own right, or as a fully integrated component of the overall RSA IAM offering, and each product integrates with the main directories from Microsoft, Oracle and Novell. The company's time-to-implementation averages are typically between two and eight weeks. However, RSA project timescales can range from minutes for a simple deployment of the RSA SecurID Appliance, through to much longer timescales for the use of multiple product combinations across complex deployment environments, where projects of over six months are not uncommon. While RSA can provide the skills required to implement its technology solutions, it also works with a number of global and regional systems integrators.

The technical skills needed to undertake a full deployment of RSA IAM technology include core domain expertise in networking, operating systems administration, directory infrastructures, web architecture, and key development languages and protocols such as .NET, C, C++, C#, Java, HTML, HTTP, SAML, XACML, XML and web services.

RSA uses a standard plan, design and implementation approach to its deployment methodology, and each of the respective stages can be broken down into discrete, modular components. Quite reasonably (given the potential for complexity in IAM projects), RSA recommends that its solutions are deployed in definable phases; for example, by technology, or within integrated business units. Ongoing administration for on-premises solutions is seen as an end-user responsibility, and, as an alternative, RSA is able to provide several supporting facilities and components using a SaaS approach.

RSA educational services provide user training in the form of a broad set of courses, which range from instructor-led engagements to online self-service options. The company has training centers at its regional headquarters in the US, Europe and Singapore, and also has a network of authorized training partners, each with RSA-security-certified instructors.

Ongoing technical support is provided by RSA, using a three-tier customer support approach:

• Basic support – a value-based option intended to meet the needs of non-mission-critical environments on a business-hours basis.
• Enhanced support – a comprehensive 24/7 option that provides round-the-clock remote support and access to RSA's global network of support centers.
• Personalized support – an approach that can be tailored to complement RSA service contracts, with open access to technical experts on a 24/7 basis.
DEPLOYMENT EXAMPLES

Advanced Micro Devices

Advanced Micro Devices (AMD) is a California-based company that designs and produces microprocessors, graphics and media solutions. AMD needed to securely authenticate its network of external users at a higher level than username and password would allow, while retaining user convenience. It wanted to deploy strong authentication that would eliminate the logistical overheads of hardware tokens, but still offer high security standards. AMD selected RSA and has rolled out its integrated Access Manager and Adaptive Authentication solution for SSO to web applications, with authentication requirements being based on risk analysis. RSA site-to-user authentication provides a personal security image and caption that gives users the confidence that they are entering a legitimate AMD website. Benefits that have been achieved include a 33% reduction in the time taken to arrange secure web access for new clients, improved convenience and productivity, and reduced compliance-audit overheads.

UK local authority

Secure communication with central government was vital to this local authority's operations. For example, it needed to regularly send information on benefit claimants to the Department for Work and Pensions and ensure that the correct levels of funding were received back. To have access to Government Connect, all local authorities are required to achieve Code of Connection (CoCo) compliance. This requires two-factor authentication as a basic standard for remote access. The authority deployed RSA SecurID to deliver two-factor authentication based on something each user knows (a password or PIN) and something the user has (a hardware token). The benefits achieved included CoCo authentication compliance, quick adoption and take-up of RSA SecurID by end users, and associated long-term cost savings.

RSA, the security division of EMC
EMC corporate office
176 South St.
Hopkinton, MA 01748
USA

RSA UK Ltd.
RSA House, Western Road
Bracknell, Berkshire RG12 1RT
UK
Tel: +44 (0)1344 781000
Fax: +44 (0)1344 781001
Email: euro.info@rsa.com

RSA Corporate Headquarters
174 Middlesex Turnpike
Bedford, MA 01730
USA
Tel: +1 (781) 515 5000
Fax: +1 (781) 515 5010
www.rsa.com
CHAPTER 8: Vendor profiles
ActivIdentity

Company profile

ActivIdentity Corporation (ActivIdentity) is a provider of identity assurance and credential management solutions for the enterprise, government, healthcare, and financial services markets. ActivIdentity was formed in 2005, when ActivCard took a new name following its acquisition of Protocom earlier that year. Both organizations were established vendors in the IAM market, with highly complementary portfolios: ActivCard's main focus within the market was authentication, secure remote access, and smartcard management systems; Protocom's was Enterprise Single Sign-On (ESSO).

ActivIdentity is headquartered in Fremont, California, and has development centers in the United States, Australia, and France, with sales and service centers in more than ten countries. Overall, ActivIdentity has over 4,000 customers, with more than 15 million users of its solutions. Over 60 large financial institutions are direct users of solutions based on 4TRESS Authentication Server (4TRESS AS). ActivIdentity recently acquired CoreStreet Ltd., an acquisition that brings CoreStreet's Public Key Infrastructure (PKI) certificate validation technology, distributed identity credential validation system, and physical access control products into ActivIdentity's already strong authentication and credential management portfolio.

Product description

ActivIdentity's offering consists of four product lines that form the foundation of a multi-layered security approach:

Strong Authentication: This suite of products ensures that all end-user access paths, including remote, browser-based and network-based access, are controlled securely. The product suite includes two authentication platforms:

• 4TRESS Authentication Server (4TRESS AS) is an enterprise-strength, standards-based server that allows organizations to manage authentication, transaction authorization, credential management, and associated audit logging. 4TRESS AS enables authentication services to be shared between applications, so that organizations can use second-factor authentication as flexibly and efficiently as SSO has made password-based access: users are not asked repeatedly for different credentials, and access rights are checked against credentials the user has already presented. It also provides administration and management facilities to help organizations support users' needs for multi-factor credentials, manage authorization policies, and provide tamper-evident audit log services for all functions undertaken within the solution. 4TRESS AS is configurable to support multiple concurrent authentication policies, for passwords, One Time Password (OTP) devices such as tokens, memorable data, and other schemes. It allows organizations to consolidate access mechanisms into a single mechanism for strong user authentication (e.g. OTP tokens), and for this credential to be recognized regardless of which product line, or service channel, the user wishes to access. 4TRESS AS also supports segregated administration. Transaction authorization is another major feature set within 4TRESS AS, as is the built-in Remote Authentication Dial-In User Service (RADIUS) authentication support.
• 4TRESS AAA Server for Remote Access supports the remote access needs of organizations by ensuring that all user access is secured using text-based One-Time Passwords (OTPs).

Credential Management: Through its ActivID product suite, ActivIdentity enables organizations to replace traditional user names and passwords with digital certificates by deploying and managing smart cards and USB tokens containing a variety of credentials. The product suite consists of the ActivIdentity ActivID Card Management System, which issues and manages digital credentials on devices, and two add-on modules, ActivIdentity ActivID Batch Management System and ActivIdentity ActivID Identity Registration System, which extend the basic Card Management System capabilities to personalize and encode smart cards and to comply with the more advanced PIV standards.

CHAPTER 8: VENDOR PROFILES 227
Security Clients: This product line enhances the aforementioned ActivIdentity product lines by enabling smart card and USB token usage across a variety of desktops, networks, and applications, and by providing users with SSO capabilities. The products in this line include ActivIdentity ActivClient, which secures workstations with smart cards and smart USB tokens; ActivIdentity ActivClient for Common Access Card, specifically for the U.S. Department of Defense; ActivIdentity SecureLogin, for SSO; and ActivIdentity Authentication Client, to handle additional authentication needs.

Authentication Devices: This product line allows organizations to deploy a variety of additional authentication mechanisms to satisfy their individual access management needs. The range of options runs from Smart Cards, Smart Card Readers, Smart USB Tokens, OTP Tokens, DisplayCard Tokens, and Soft Tokens to Hardware Security Modules.

ActivIdentity, Inc.
6623 Dumbarton Circle
Fremont, CA 94555
USA
Tel: +1 (800) 529 9499 (Toll-Free)
Tel: +1 (510) 574 0100 (Main)
Fax: +1 (510) 574 0101

ActivIdentity (UK) Ltd.
Waterloo Business Centre
117 Waterloo Road
London SE1 8UL
UK
Tel: +44 (0)20 7960 0220
Fax: +44 (0)20 7902 1985
www.actividentity.com

Aladdin (SafeNet)

Company profile

Aladdin moved into the IT security business after starting out in the DRM space manufacturing HASP copy-protection dongles. In 1998 it acquired eSafe and its content-security product, in addition to developing its first USB smartcard authentication eToken offering. The company's most recent product addition is the 2008 acquisition of the SafeWord product set from Secure Computing, before the latter was taken over by McAfee. Aladdin operates in the Americas, Europe, Middle East, Africa and Asia Pacific. It is headquartered in Belcamp, Maryland and employs around 1,600 people.
In March 2009 Aladdin was acquired by SafeNet's private equity owner Vector Capital. SafeNet and Aladdin have operated under common management since that time. On March 31, 2010, SafeNet acquired the Vector Capital interest in Aladdin, thereby completing the legal combination of the two security companies. Hence the contact details provided for Aladdin are those of SafeNet. SafeNet is a security company that provides information security solutions such as data protection, software licensing and management, industry solutions, professional services around rights management, SafeNet HSM implementation, and web threat analyzer (WTA) audit services.

Product description

SafeWord is focused on providing strong authentication, primarily OTP tokens, that integrates with directories and VPN access platforms. Its ID&AM platform also includes SSO functionality. The solution deals with the three core elements of authentication, management, and user access.

The SafeWord product set can provide a variety of authentication options that can be linked to the specific nature and needs of an organization's user base. It offers strong two-factor authentication capabilities that provide users with controlled access to corporate information. Authentication is provided through One Time Passwords (OTPs) that are generated either using tokens with a hardware form factor, or through software and mobile authenticators. In addition, ESP Web Access Gateway can be used to provide protection for web applications, portals, and Outlook Web Access, by incorporating two-factor authentication and SSO.

Access management facilities are provided for internal and external users using secure access channels and SSO. VPN support is available for products from vendors such as Cisco, Check Point, Nortel, Citrix, and Juniper. Management facilities are also available for the enforcement of corporate access policies, either through the management console or through its integration capabilities with LDAP, AD, and RADIUS sources.
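SafeWord's authentication, as described above, rests on OTPs from hardware tokens or software and mobile authenticators combined with the user's PIN, and the same two-factor pattern recurs in the RSA SecurID and ActivIdentity OTP material earlier in this report. The vendors' own token algorithms are proprietary and not shown on this page. As an added example, not SafeNet's, RSA's or ActivIdentity's code, the Python below implements the open equivalents, HOTP (RFC 4226, event-based like a hardware token) and TOTP (RFC 6238, time-based like a soft token), together with the server-side verification that makes them two-factor in practice: a PIN check, a look-ahead window to resync a token whose counter has drifted, and a high-water mark so that no code is ever accepted twice. The TokenRecord schema, the PIN hashing parameters and the sample PIN are assumptions for illustration; the shared secret is the published RFC 4226 test vector.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TokenRecord:
    """Server-side state for one user's token (assumed schema for this example)."""

    def __init__(self, secret, pin, salt=b"constructed-salt"):
        self.secret = secret
        self.salt = salt
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self.last_counter = -1     # highest HOTP counter accepted so far
        self.last_step = -1        # highest TOTP time step accepted so far

    def pin_ok(self, pin):
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pin_hash)


def verify_hotp(record, pin, otp, look_ahead=10):
    """Two-factor check for an event-based (hardware) token with a resync window.

    Both factors are evaluated before returning, so a wrong PIN and a wrong code are
    indistinguishable to the caller. The counter only advances when both are right, and
    any code at or below the last accepted counter is refused, which defeats replay."""
    pin_ok = record.pin_ok(pin)
    matched = None
    for counter in range(record.last_counter + 1, record.last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(record.secret, counter), otp):
            matched = counter
    if pin_ok and matched is not None:
        record.last_counter = matched
        return True
    return False


def verify_totp(record, pin, otp, now, step=30, drift=1):
    """Two-factor check for a time-based (software) token, tolerating +/- drift time steps."""
    pin_ok = record.pin_ok(pin)
    matched = None
    current = now // step
    for candidate in range(current - drift, current + drift + 1):
        if candidate <= record.last_step:
            continue                       # this time step was already used: replay
        if hmac.compare_digest(hotp(record.secret, candidate), otp):
            matched = candidate
    if pin_ok and matched is not None:
        record.last_step = matched
        return True
    return False


if __name__ == "__main__":
    # RFC 4226 test secret; a published secret must never be used outside a test.
    record = TokenRecord(b"12345678901234567890", pin="4821")
    print(verify_hotp(record, "4821", hotp(record.secret, 3)))   # True, resyncs to counter 3
    print(verify_hotp(record, "4821", hotp(record.secret, 1)))   # False, counter 1 is behind
```

Two details carry most of the security value: the high-water mark (last_counter, last_step) is what turns a guessable six-digit code into a one-time code, and the look-ahead window should be as small as the token population tolerates, since every extra counter in the window is another code an attacker may guess on a given attempt. Rate limiting per user is still needed on top of this.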
Organizations that want to provide controlled access to many applications, or use alternative two-factor authentication mechanisms such as mobile devices, or make the deployment exercise simpler by providing a platform for user self-service and token enrolment, can use SafeWord's Enterprise Solution Pack (ESP). ESP comes with its own Management Console for the enterprise-wide management of users, tokens and access rights, as well as event logging and reporting.

Another key piece of functionality within the ESP product set is MobilePass, a software-based two-factor authentication solution that generates OTPs on mobile devices, laptops or desktops. MobilePass can be deployed on a number of platforms including BlackBerry, Palm, Windows Mobile, Java ME-enabled devices, SMS text messaging, and Windows desktop. The OTPs generated by the MobilePass application on these devices provide secure access to VPNs, Citrix applications, and Outlook Web Access.

Headquarters (Aladdin and SafeNet)
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Tel: +1 (410) 931 7500
Fax: +1 (410) 931 7524

SafeNet UK
Rivercourt, 3 Meadows Business Park
Station Approach, Blackwater
Camberley, Surrey GU17 9AB
UK
Tel: +44 (0)1276 608000
Fax: +44 (0)1276 608080
www.safenet-inc.com

Avatier

Company profile

Avatier Corporation is a privately owned organization set up in 1995 and based in San Ramon, CA, with offices in Dallas, Boston, Chicago, and Denver in the US, and smaller offices in India, the UK, and Japan. The company has 74 employees in total and a customer base of over 500. Clients include NASA Shuttle operations/United Space Alliance, Harris Corporation, AstraZeneca, Rockwell Collins, NTL Group, and MidFirst Bank.

Product description

The Avatier Identity Management Suite consists of the following modules plus SSO functionality, addressing various aspects of identity management:

• Password Station: This module provides self-service password reset, password management, and synchronization (GINA interface and phone interface) capabilities. Employees are allowed to reset their own passwords and synchronize one password across multiple platforms. This can be done through the web browser or through the Password Station Phone Reset Suite module.
• Identity Analyzer: This module provides a holistic view of all user accounts, and of their current status, across the enterprise's systems. It separates accounts that are currently active from those that have been disabled or deleted.
• Password Bouncer: Password Bouncer can be used for granular enforcement of password policy and for password synchronization; employees are not allowed to select passwords that can be easily guessed or cracked.
• Account Creator: Account Creator is the company's user-provisioning and role-definition tool. Using it, administrators can create accounts for new employees, enforce naming conventions, and automate home directory management, e-mail set-up, and so on.
• Account Terminator: This is the module for user de-provisioning. It is focused on compliance, especially with SOX, the Health Insurance Portability and Accountability Act, and Gramm-Leach-Bliley (although these are US laws, the functionality is also useful for non-US organizations). Administrators can search for orphan accounts, and disable, enable, and delete an employee's user accounts across multiple platforms.
• Avatier Identity Enforcer: Avatier Identity Enforcer provides self-service role matrix and rights-management capabilities with SOX support. It includes multi-lingual workflow and custom forms capability.
• Compliance Auditor: The module helps identify and address compliance gaps. It enables role, entitlement, and asset owners to review and approve the access and assets assigned to users regularly, as well as issuing alerts through emails and other reporting methods.

Avatier Corporation
2603 Camino Ramon, Suite 110
San Ramon, CA 94583
USA
Tel: +1 (925) 217 5170
Fax: +1 (925) 275 0853
E-mail: info@avatier.com

Avatier Corporation
The Pavilions, Kiln Lane
Epsom, Surrey KT17 1JF
UK
www.avatier.com

Aveksa

Company profile

Aveksa specializes in the supply of access governance and management solutions. The company was founded in 2004 by a group of industry experts with previous experience in organizations such as Netegrity, Banyan Systems, and PowerSoft. Aveksa focuses on specific areas of the Identity and Access Management (IAM) business landscape, such as provisioning and role management – areas in which organizations have traditionally struggled to align technology-driven services with business requirements. The company has its corporate headquarters in Waltham, Massachusetts, and regional offices throughout North America. It also has operational headquarters in London, covering the Europe, Middle East and Africa (EMEA) region, and its engineering division operates out of Bangalore, India and Waltham, Massachusetts. The company is privately owned, and backed by leading venture capital firms, including Charles River Ventures, FirstMark Capital, and FTV Capital.
Product description

The Aveksa Access Governance Platform, comprising the Aveksa Compliance Manager, Aveksa Role Manager, and Aveksa Access Request and Change Manager, is an access control automation and management solution that focuses on delivering a business- and process-centric approach to controlling and managing access to corporate information resources. The three modules together constitute an integrated product; each module, however, can deliver its services independently or as part of the integrated platform:

• Aveksa Access Request and Change Manager: provides a business interface to a streamlined set of request and fulfillment processes that incorporate embedded policy controls. It ensures that when user access requests are made, the access granted is appropriate to the user's functional role in the business and in alignment with internal policies and rules, and with industry regulatory requirements.
• Aveksa Compliance Manager: automates the monitoring, certification, reporting, and remediation of user entitlements, and maintains an auditable record of these activities.
• Aveksa Role Manager: provides role discovery, role modeling, and role maintenance facilities. The product enables organizations to build and deploy automated processes for governing and managing user access requests. It is responsible for role management, which includes the maintenance of service delivery controls and review processes to ensure that the role management configuration remains fit for purpose; this includes role maintenance updates, the revocation of redundant roles, and validation management to reduce complexity and increase operational efficiency.
The Aveksa product set is supported by secure, non-invasive, automated collection technology that enables it to acquire user access data (identities, roles, entitlements, groups and access control lists) from all available information resources, including data, systems, hosts, applications, files, file shares, and directories. Aveksa aggregates and correlates user access data from multiple resources to provide a unified view that can be analyzed down to individual usage levels and accumulated to provide a picture of the entire enterprise.

Aveksa Corporate Headquarters
265 Winter Street
Waltham, MA 02451
USA
Tel: +1 (877) 487 7797 (US calls)
Tel: +1 (781) 487 7700 (calls outside the US)
Fax: +1 (781) 487 7707

Aveksa EMEA Headquarters
211 Piccadilly
London W1J 9HF
UK
Tel: +44 (0)20 7917 9466
www.aveksa.com

Beta Systems

Company profile

Headquartered in Berlin, Germany, with offices in 18 countries, Beta Systems is an integrated, end-to-end solutions provider for Document Processing, Compliance, Data Processing, and Security. With a customer base of 1,300 customers and 3,000 running installations, the company has built a reputation as one of Europe's leading mid-sized, independent software providers. Beta Systems was founded in 1983 and has been a listed company since 1997. The company has 600 employees, including its centers of excellence in Augsburg and Cologne in Germany, and Calgary in Canada.

Product description

Beta Systems provides products for a wide range of areas of Identity and Access Management. These include:

• SAM Jupiter: SAM Jupiter is the company's user provisioning tool. It offers policy-based user provisioning and de-provisioning capabilities and automates these tasks, thereby reducing operational risk and increasing the level of IT security. The company claims that the SAM Jupiter Provisioning Server is capable of automating up to 80% of the routine administration tasks that go into user provisioning. It also offers policy enforcement capabilities along with reporting, auditing, and delegated administration. The SAM Jupiter agent/agentless connectors enable integration with applications like MS Exchange, Lotus Domino, and Novell GroupWise, as well as operating systems from Microsoft, IBM, HP, Sun, Linux, and Novell. Connectors are also available for LDAP, Oracle and DB2 databases, and Tivoli Access Manager.
• SAM Password Synchronization (SAM PS): Authentication is provided through the company's SAM Password Synchronization (SAM PS) tool. It provides single-password access to heterogeneous platforms and applications. Supported platforms include Windows NT/2000, IBM z/OS, Novell NetWare (Bindery, NDS), UNIX (Sun Solaris, HP-UX, IBM AIX), LDAP, and SQL Server. A web-based self-service tool, SAM Password Reset (SAM PR), can be used to reset users' passwords.
• SAM eSSO: SAM eSSO provides enterprise SSO capabilities. It can be integrated with a number of Windows, web and legacy applications through agents/XML parameter files to add SSO capabilities to them. It is built on a High Availability (HA) architecture and provides failover capabilities while supporting hundreds of thousands of users.
• SAM Rolemine: The integrated SAM Rolemine (created after acquiring ownership of the Rolemine product from Swiss partner IPG AG) simplifies the process of role identification and definition by applying pattern-based analytics to existing organization data and security information from the SAM Jupiter Repository, and optionally from other repositories. It validates the existing role model and ensures compliance with organizational policies during an ongoing model review process. It can adapt to business changes by redefining roles and privileges. It works in conjunction with SAM Jupiter's role-based administration features to support more comprehensive role-lifecycle management.
• Beta Agilizer 4Security: Beta Agilizer 4Security is an administration tool that integrates the management aspects of all the tools mentioned above, as well as all the other security aspects of an organization's IT systems. It enables the administration and provisioning of services in existing portals, workflows and Service Oriented Architecture (SOA) platforms, and provides a customizable self-service function that can be rolled out to end users.

Beta Systems Software AG
Alt-Moabit 90d
D-10559 Berlin
Germany
Tel: +49 (0)30 726 118 0
Fax: +49 (0)30 726 118 800
Email: info@betasystems.com

Beta Systems Software Ltd.
Unit 8, Diddenham Court
Lambwood Hill, Grazeley, Reading
Berkshire RG7 1JS
UK
Tel: +44 (0)1189 885175
Fax: +44 (0)1189 884899
Email: info-gb@betasystems.com
www.betasystems.com

BMC

Company profile

BMC Software, founded in September 1980, has grown both organically and by acquisition. Its notable acquisitions include PATROL in 1994, BGS Systems in 1998, both Boole & Babbage and New Dimension Software in 1999, Perform SA in 2001, Remedy in 2002, Marimba in 2004, Identify Software Ltd in 2006, ProactiveNet in 2007, and Tideway Systems in 2009. Its headquarters is in Houston, Texas, and its international division is based in the Netherlands. It has an extensive network of offices throughout the world. BMC research and development offices are located in the US, France, Singapore, Israel, and India. The company is publicly traded on the New York Stock Exchange.

Product description

BMC's Identity Management Suite consists of an extensive range of identity- and access-based solutions for organizational users. However, the company has lost its way as a mainstream IAM provider and now prefers to market its identity management products as components of the BMC Business Service Management (BSM) offering.
BMC retains the following IAM products: BMC User Administration and Provisioning provides a Web-based User Administration Management application and processes, and provisioning of the user accounts on target systems (with 24 different target systems supported). The automated identity management, allows users to undertake tasks independently (e.g. self-registration for access to a particular application, or requesting access to applications via workflow-based processes that can incorporate approval steps). It adopts a self- service approach that allows costs and delays to be minimized within business processes. It also supports auditing every action within the identity management suite, including password resets, login attempts, and requests for access to applications. BMC Password Management enables passwords and related processes (including resets) to be managed. Integration with the ‘Remedy Help Desk’ solution allows tickets to be raised, and is often used to log automatically all password reset requests, and enable users to track the progress of their reset request. BMC Audit and Compliance Management is typically used by compliance officers who need visibility into the organizational identity and access management functions to see which resources and applications every user has access to, and also view what applications users should not access (often with reference to users’ roles). It provides the ability to link the audit of access events with the tracking and trending of access policies, to create a cycle of continual governance and improvement in controls. Organizations can develop their own policies to manage access to applications and resources, and any attempted unauthorized actions can be flagged and prevented. A dashboard is provided to give a view of who has access to what and what each user is doing from an application perspective.232 IDENTITY AND ACCESS MANAGEMENT 2011/12
- BMC Access Management provides role-based access control to Web-based applications and resources. It uses a single interface to enable administrators to manage access rights for identities.
- BMC Federated Identity Manager can relate, and determine the value of, identity information from different stores, which are typically used by different organizations. It enables users to navigate seamlessly through different domains of resources. The product supports a broad range of prevalent standards (SAML, Liberty ID-FF, WS-Federation, and Shibboleth), and may be implemented either closely integrated with BMC Access Management or completely independently.

Workflow is available throughout the Identity Management Suite, and tasks can involve functions from more than one of the modules. Workflow tasks are sent to users by automated processes via e-mail, so users do not need a client implementation on their desktop to manage the workflow task.

BMC's Identity Management Suite is strongly integrated with some of the products from BMC's BSM portfolio, such as its CMDB; service desk; incident, problem, and change management; and compliance assurance offerings.

BMC Software, Inc., 2101 City West Boulevard, Houston, Texas 77042-2827, USA. Tel: +1 (713) 918 8800. Fax: +1 (713) 918 8000
BMC Software, Assurance House, Vicarage Road, Egham, Surrey, TW20 9JY, UK. Tel: +44 (0)1784 478000. Fax: +44 (0)1784 430581
www.bmc.com

Courion

Company profile

Courion Corporation was founded in 1996, and was among the first companies to bring the self-service concept to identity management. The company is privately held, and is backed by several premier venture capital organizations that are part owners. The company has around 100 employees, and its customer base ranges from large enterprises to medium-sized companies, with implementations ranging from 500 users to 350,000 users (averaging 20,000 users). Customer organizations include globally recognized names such as Boeing, Office Depot, and GE.
Of the Fortune 500 member companies, over 60 are Courion customers (as are over 20 of the Fortune 100). Among its key customers in the European market are O2, the Belgian bank KBC, GlaxoSmithKline (which has a global deal with Courion), Switzerland's Federal Dept. of Home Affairs, Egg Financial, Capgemini, and PricewaterhouseCoopers. The company has recently moved its headquarters to Westborough, Mass., and has sales offices in four other US locations, in addition to a UK-based international headquarters in Manchester.

Product description

Courion's Access Assurance Suite version 8.0 (formerly known as the Enterprise Provisioning Suite) is aimed at simplifying user provisioning, role management, access compliance and password management. It consists of the following products, which are usually used together but can be deployed separately:

- PasswordCourier: an automated self-service password management product that enforces password policies, and enables users to reset and synchronize their own passwords on enterprise and Web applications.
- AccountCourier: a user provisioning and account management product that allows the definition and automation of business processes for the complete provisioning lifecycle.
- ProfileCourier: a self-service profile-management utility that enables users to register and maintain personal data within existing corporate directories and security databases.

CHAPTER 8: VENDOR PROFILES 233
- CertificateCourier: an automated provisioning solution for digital certificates, providing self-service certificate registration and recovery for an existing PKI.
- ComplianceCourier: automates the review of user access rights for verification, management, and reconciliation, pushing accountability out to the most appropriate parties; it also provides employee policy-awareness testing that integrates with automated provisioning management. The existing ComplianceCourier capability deals with the 'Segregation of Duties' concerns that arise out of the US SOX legislation.
- RoleCourier: automates the process of creating and managing roles, and enforces a policy-based role management approach that maps the access rights of user groups to their corresponding business function.
- Sensitive Data Manager: integrates ComplianceCourier with Symantec DLP to enable organizations to discover sensitive data and to capture details of user access to it, in order to verify that the access is appropriate.
- User Activity Manager: integrates identity data with the reports and alerts generated by security information and event management (SIEM) solutions and log file monitoring. Monitoring user activity alongside identity data makes it possible to filter out and identify the users performing inappropriate activities with the data they access. Courion's SIEM integration architecture is vendor-neutral, i.e. it can combine data from any SIEM vendor or log file.
- Compliance Manager for file shares and SharePoint: ensures that all user file access is aligned with the organization's security policies and industry regulations. It ranks files according to their risk level, and organizations can profile user access settings on that basis. Administrators can identify user violations of corporate security policy in SharePoint environments.
The solution comes with out-of-the-box policy definitions, which can also be customized to meet specific requirements.

The company complements its product set with professional services. These include the Access Assurance Workshop, Capacity Planning, Identity Mapping, and Self-Service Attainment programs. Part of the Self-Service Attainment program is a personalized Knowledge Base that facilitates end-user adoption of self-service applications.

Worldwide Headquarters: Courion Corporation, 1900 West Park Drive, 1st Floor, Westborough, MA 01581-3942, USA. Tel: 866 COURION / 508 879 8400. Fax: 508 366 2844
EMEA Headquarters: 3000 Aviator Way, Manchester Business Park, Manchester, M22 5TG, UK. Tel: +44 (0)161 2661094. Fax: +44 (0)161 2661393
www.courion.com

Cyber-Ark

Company profile

Founded in 1999, Cyber-Ark is an information security company that specializes in protecting and managing privileged users, applications, and highly sensitive information. Cyber-Ark has around 700 global customers, including more than 35% of the Fortune 50 and seven of the ten largest banks worldwide. Cyber-Ark is headquartered in Newton, Massachusetts, and also has offices and authorized partners in North America, Europe and Asia Pacific. Cyber-Ark Software is privately held and backed by venture capitalists, including Jerusalem Venture Partners, Seed Capital Partners (a SOFTBANK affiliate), JP Morgan/Chase Partners and Vertex Management.
Product description

Through its Privileged Identity Management (PIM) Suite, Cyber-Ark provides a unified, policy-based solution that delivers security monitoring and management services for privileged user accounts and their related activities. The suite controls user access to privileged accounts based on user credentials, monitors and records privileged user sessions, streamlines policy management, integrates with enterprise systems, and helps organizations adhere to identity-management-related audit and regulatory requirements. Cyber-Ark provides multiple security layers, including VPN, file access control, encryption, authentication, and firewall protection.

The PIM Suite consists of the following modules:

- Enterprise Password Vault (EPV): this module uses Cyber-Ark's patented Digital Vault technology to store privileged account passwords securely, change them automatically, and log all privileged account activity. It supports a wide range of platforms, including over 50 operating systems, databases, firewalls, network devices, business suites and key systems. EPV integrates with an organization's existing help desk and ticketing systems, and includes a dashboard that allows users to create personalized views of all managed devices and privileged accounts. EPV can reconcile passwords automatically, without any human intervention. For automatic provisioning, EPV can use the enterprise directory to provision and manage all privileged account changes automatically.
- Application Identity Manager (AIM): this module centrally stores and manages all highly sensitive user and application passwords within the Digital Vault, eliminating the need to store hard-coded, embedded credentials in applications, scripts or configuration files. AIM ensures that credentials held in application server data sources are secured and managed automatically, and also supports changing passwords on demand.
- Privileged Session Manager (PSM): this module captures all user actions in detail, including keystrokes and mouse movements. Every action the user takes after gaining access to a target system is monitored and recorded, and user sessions can be viewed later. All recorded sessions are archived and can be searched and retrieved by user, system, and date. The module enables organizations to enforce secure access control and session control for third-party access, and allows users to log on to the PIM portal using two-factor authentication.
- On-Demand Privileges Manager (OPM): a unified solution for monitoring and managing super-users and privileged accounts. OPM also provides a centralized reporting engine that produces unified and correlated audit logs. All account usage, including that of 'root' users on UNIX, can be set up and controlled using pre-defined, granular access control mechanisms. The module integrates with SIEM products and with an organization's existing enterprise infrastructure.

The Cyber-Ark PIM Suite uses a Central Policy Manager engine that automatically manages and enforces all privileged account management policies on local or remote networks across the enterprise, without the need for human intervention.

Corporate Headquarters: Cyber-Ark Software, Inc., 57 Wells Avenue, Suite 20A, Newton, MA 02459, USA. Tel: +1 (888) 808 9005 or (617) 965 1544. Fax: +1 (617) 965 1644
UK Sales Office: Cyber-Ark Software (UK) Ltd., Abbey House, 1650 Arlington Business Park, Theale, Reading, RG7 4SA, UK. Tel: +44 (0)118 9298430
www.cyber-ark.com
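The Application Identity Manager entry above is about removing hard-coded, embedded credentials from applications, scripts and configuration files. Before any vault can take those over, they have to be found. The scanner below is an added example written for this page, not Cyber-Ark code: the three sample files it scans are constructed, and the `${VAULT:...}` reference in the third file is an assumed notation for a credential resolved from a vault at runtime, not a syntax Cyber-Ark's products use. It separates real embedded secrets from placeholders and vault references, and uses a Shannon-entropy score so that short, word-like values are not reported as secrets.

```python
"""Find hard-coded credentials in application configuration and scripts.

Added example, not Cyber-Ark code. The sample files are constructed; the
${VAULT:...} notation is an assumed placeholder for a runtime vault lookup.
"""
import math
import re
from dataclasses import dataclass

# Constructed inputs: a JDBC data-source properties file, a shell script, and a
# config file that already defers to a vault (which should yield no finding).
SAMPLE_FILES = {
    "datasource.properties": (
        "jdbc.url=jdbc:oracle:thin:@db01:1521/ORCL\n"
        "jdbc.user=APP_SVC\n"
        "jdbc.password=Qz7!pLm2xV9-kR4w\n"
    ),
    "backup.sh": (
        "#!/bin/sh\n"
        "# nightly backup\n"
        "export PGPASSWORD=s3cr3t-backup-2011\n"
        "pg_dump -U backup prod > /var/backups/prod.sql\n"
    ),
    "app.conf": (
        "db_user = APP_SVC\n"
        "db_password = ${VAULT:Safe_Oracle/APP_SVC}\n"
        "api_token = CHANGEME\n"
    ),
}

# "key = value" or "key: value" where the key looks like it names a secret
SECRET_KEY = re.compile(
    r"^\s*(?:export\s+)?"
    r"(?P<key>[\w.\-]*(?:passw(?:or)?d|secret|token|api[_-]?key)[\w.\-]*)"
    r"""\s*[=:]\s*["']?(?P<value>[^"'\s#]+)""",
    re.IGNORECASE,
)
# Values that are references or placeholders rather than embedded secrets
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|\$\w+|%.*%|<.*>|CHANGEME|TODO|x{3,})$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits per character: random secrets score high, words and placeholders low."""
    if not value:
        return 0.0
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def find_hardcoded_credentials(files, min_entropy: float = 3.0):
    """Scan {path: text} and return the embedded credentials a vault should replace."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = SECRET_KEY.search(line)
            if not match:
                continue
            value = match.group("value")
            if PLACEHOLDER.match(value):
                continue  # vault reference or placeholder, nothing embedded
            entropy = shannon_entropy(value)
            if entropy < min_entropy and len(value) < 8:
                continue  # too short and regular to be a real secret; tune per estate
            findings.append(Finding(path, lineno, match.group("key"), round(entropy, 2)))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line}: {finding.key} (entropy {finding.entropy})")
```

Run against a checkout or an application server's configuration directory, the findings are the list of places where AIM, or any other vault, has to be wired in; the key patterns and the entropy threshold are deliberately simple and should be tuned to the estate, and a placeholder list is the usual source of false negatives, so review anything it skips.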
Fox Technologies

Company profile

Founded in 2005, FoxT provides Identity and Access Management solutions. The company is privately held and headquartered in Mountain View, California, with development centers in Sweden and Mountain View and sales offices in several countries. FoxT serves Global 1000 customers in 32 countries.

Product description

FoxT ServerControl is a role- and agent-based solution, supported by central policy-management facilities, that improves the security of operating systems in enterprise server environments by strengthening the controls over privileged-user access. The FoxT security database is the core component of the solution: it is the central repository that holds the entire database of user accounts, credentials, access rights, encryption keys, host identities, and related data in the managed network. Administrators manage the repository through either a graphical user interface (GUI) or a command-line interface (CLI). The solution also supports encrypted remote administration through a browser, and administrator access is restricted to specific named users and to specific hosts, from within or outside the controlled domain. The BoKS Manager provides the security server platform for FoxT ServerControl. The FoxT Server Agent is the server software installed on each UNIX, Linux, or Windows Server host to provide the solution's privileged-user protection and security services, ensuring that every user-access request follows the settings held in the security database.

FoxT ServerControl functions as follows:

i) When a user attempts to log in to an operating system protected by the server agent, the login request is sent to an available authentication server, either the master or a replica server.
ii) Once the server receives the login request, it compares it with the security database settings to identify the authorized access route.
The access route specifies how, from where, and when a particular user or user group is allowed to access a resource. The client then sends a further request for a user name to the authentication server. The server agent communicates with the master (or, more typically, a replica) server to obtain any additional authentication details that might be required and that are held in third-party systems.

Apart from storing all event logs on the master server, ServerControl captures and records all user actions in detail, including keystrokes, mouse movements, and any other associated input, using its built-in keystroke-logging function. The system also controls the set-up and use of configured warning messages, which are displayed whenever a user violation takes place.

The solution supports a variety of strong third-party authentication solutions to provide additional authentication for data and systems. The authentication capabilities that can be configured include physical devices such as RSA SecurID tokens and SafeNet SafeWord tokens; public key technologies such as certificates, PKI smartcards or USB tokens; and secure shell (SSH) public key, SSH host-based, and SSH certificate authentication. The solution also supports integrated SSH, a multi-service protocol that establishes a secure, encrypted communication channel between two computers.

FoxT ServerControl provides flexible provisioning facilities. It allows administrators to provision user accounts across multiple servers running diverse operating systems. The product integrates readily with existing corporate directories and identity management systems. FoxT ServerControl centrally manages access policies (definition and enforcement) across all heterogeneous environments via a single web-based administration console.

A key component of FoxT ServerControl is the FoxT Password Vault, an add-on module that can be installed on the BoKS Manager master server.
It can be remotely managed and operated from any configured client through an internet browser. Password Vault enables organizations to manage specific pre-defined privileged accounts, configure access controls, and manage logouts of multiple similar password sessions.

FoxT ServerControl provides extensive reporting and auditing capabilities, and maintains searchable logs with details of all user activities. FoxT Reporting Manager, an additional product, can group audit and compliance reports into a consolidated view of all access-control policies and data across security domains.
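The two-step login flow described above turns on what the security database calls an access route: how (authentication method), from where (source network), to what (target host) and when (time window) a user or user group may log in. The evaluator below is an added example, not FoxT code. It models that decision with a deny-by-default rule set, returning a reason with every verdict so that a denial can be logged or shown as the kind of warning message the text mentions. The users, groups, hosts and routes are constructed for the example, and it goes slightly beyond the text by applying a day-of-week restriction as well as a time-of-day window.

```python
"""Evaluate a login request against centrally held access routes.

Added example, not FoxT code. An access route says how (auth method), from where
(source network), to what (target host) and when (time window, weekdays) a user
or group may log in; anything no route grants is denied. All users, groups,
hosts and routes here are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRoute:
    subject: str          # "user:<name>" or "group:<name>"
    from_net: str         # CIDR the login must originate from
    to_hosts: frozenset   # target hosts this route covers
    methods: frozenset    # authentication methods accepted on this route
    window: tuple = (time(0, 0), time(23, 59, 59))   # local time of day (start, end)
    days: frozenset = frozenset(range(7))           # 0 = Monday .. 6 = Sunday


@dataclass(frozen=True)
class LoginRequest:
    user: str
    source_ip: str
    target_host: str
    method: str           # e.g. "password", "securid", "smartcard", "ssh-key"
    when: datetime


# Constructed security database: group membership and access routes.
GROUPS = {"dba": {"alice", "bob"}, "ops": {"carol"}}
ROUTES = [
    # DBAs reach the database hosts from the admin network, working hours, strong auth only
    AccessRoute("group:dba", "10.10.0.0/24", frozenset({"db01", "db02"}),
                frozenset({"securid", "smartcard"}), (time(8, 0), time(18, 0)), frozenset(range(5))),
    # Ops reach the bastion from anywhere on the corporate LAN with an SSH key, at any time
    AccessRoute("group:ops", "10.0.0.0/8", frozenset({"bastion"}), frozenset({"ssh-key"})),
    # Alice personally may use a password to db01, but only from her own workstation
    AccessRoute("user:alice", "10.10.0.42/32", frozenset({"db01"}), frozenset({"password"})),
]


def request(user, source_ip, target_host, method, when_iso):
    """Build a login request from an ISO 8601 local timestamp."""
    return LoginRequest(user, source_ip, target_host, method, datetime.fromisoformat(when_iso))


def _subjects_for(user):
    """The user and every group the user belongs to, as route subjects."""
    subjects = {f"user:{user}"}
    subjects.update(f"group:{g}" for g, members in GROUPS.items() if user in members)
    return subjects


def _route_matches(route, req):
    if req.target_host not in route.to_hosts:
        return False
    if ip_address(req.source_ip) not in ip_network(route.from_net):
        return False
    if req.method not in route.methods:
        return False
    if req.when.weekday() not in route.days:
        return False
    start, end = route.window
    return start <= req.when.time() <= end


def evaluate(req):
    """Deny by default; the first route that grants the request wins.
    Returns (decision, reason) so the reason can be logged or shown as a warning."""
    subjects = _subjects_for(req.user)
    for route in ROUTES:
        if route.subject in subjects and _route_matches(route, req):
            return "ALLOW", f"{route.subject} route permits {req.method} login to {req.target_host}"
    return "DENY", (f"no access route grants {req.user} {req.method} login to "
                    f"{req.target_host} from {req.source_ip} at {req.when:%a %H:%M}")


if __name__ == "__main__":
    print(evaluate(request("alice", "10.10.0.5", "db01", "securid", "2011-06-07T10:00:00")))
    print(evaluate(request("alice", "10.10.0.5", "db01", "securid", "2011-06-07T21:00:00")))
```

Two design points carry over to any real deployment of this pattern: the rules are additive grants with no "deny" rules, so the absence of a matching route is always a denial and rule ordering cannot accidentally widen access; and the source network is matched as a prefix rather than a host list, which is what makes the "from where" part of a route maintainable.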
FoxT Headquarters: 883 North Shoreline Blvd., Building D, Suite 210, Mountain View, CA 94043, USA. Tel: +1 (650) 687 6300. Fax: +1 (650) 618 0332
FoxT EMEA: 200 Brook Drive, Green Park, Reading, Berkshire, RG2 6UB, UK. Tel: +44 (0)1189 497664. Fax: +44 (0)1189 497001
www.foxt.com

Imprivata

Company profile

Imprivata is a prominent vendor of identity-based user authentication solutions. The company was founded by experts in the identity management and biometric fields of IT security, and has worked on and deployed a number of large-scale digital identity and authentication projects. Imprivata is a private company with funding provided by Polaris Venture Partners, Highland Capital Partners, and General Catalyst Partners. It has corporate headquarters in Lexington, Massachusetts, in the USA, and also operates out of San Francisco. Internationally, the company has offices in Watford in the UK, Antwerp in Belgium, Milan in Italy, and in Singapore. The company has over 800 customers.

Product description

The company's OneSign product is an appliance-based solution that provides authentication, SSO and physical/logical access capabilities. These capabilities are packaged as individual modules and are delivered from within the same self-contained appliance, which has a hardened Linux kernel and an Oracle 10g database, and is purpose-built for user authentication.

The Imprivata OneSign appliance has been designed to provide an SSO environment with strong user authentication when users request access from mobile, remote, and LAN access channels. Users can switch between sessions on concurrent Windows machines.
The product can handle user login requests initiated with an extensive range of password, biometric, proximity card, smartcard, USB token, and ID token approaches.

Three main components form the Imprivata OneSign product set. Collectively they provide a single authentication management solution for securing electronic systems, networks, and applications, and for integrating with the authentication events of physical access to buildings. These are:

- OneSign Authentication Management (AM): provides a range of network authentication services designed to improve the security of an organization's systems by moving beyond less secure passwords. OneSign AM supports strong authentication options such as smartcards, tokens, proximity cards, and biometrics. The Imprivata OneSign appliance contains a built-in Remote Authentication Dial-In User Service (RADIUS) host for remote access authentication, and the solution is supported by a single administration point of control that provides easy deployment and management. Furthermore, OneSign supports emergency access authentication requirements aligned with the organization's access control policies: end users who forget their strong authentication devices can be granted a controlled number of 'emergency logins' per month.
- OneSign Single Sign-On: provides application management services to enable each end-user system and application to be made SSO-ready. OneSign Single Sign-On achieves this without requiring modifications to any application; instead it uses the Single Sign-On Application Profile Generator (APG), an internal component of the OneSign Single Sign-On product.
This facility builds a sustainable and unique profile for each application so that SSO access can be granted. The module can identify and learn application login behaviour and capture this information automatically. The solution integrates with leading provisioning systems through a standards-based Service Provisioning Markup Language (SPML) interface.
- OneSign Physical/Logical: this component provides converged access control facilities, so that organizations can use integrated network and building access systems for unified enterprise security management. Using OneSign Physical/Logical, organizations can create converged security policies that cover both physical and IT access requirements. This enables organizations to grant or refuse network access based on a user's physical location or employee status. It takes a smartcard- and token-agnostic approach that interoperates with an organization's existing physical access systems.

Working through a single common user interface, the Imprivata OneSign appliance delivers high levels of identity and authentication control. Its integrated appliance format provides a number of advantages, such as the common user interface between product components, common workflow processes, and common reporting services.

Imprivata, Inc., 10 Maguire Road, Building 4, Lexington, MA 02421-3120, USA. Tel: +1 (781) 674 2700. Fax: +1 (781) 674 2760
EMEA Headquarters: Imprivata, Inc., Forsyth House, 77 Clarendon Road, Watford, Herts., WD17 1LE, UK. Tel: +44 (0)1923 813511. Fax: +44 (0)870 4282554
www.imprivata.com

Passlogix

Company profile

Passlogix was founded in 1996, and was a privately held company until it was acquired by Oracle in October 2010. It is headquartered in New York City, and has development offices in Amityville, NY, and sales offices throughout the USA, and in the UK and Hong Kong. The company has customers in a number of verticals, including manufacturing, financial services, healthcare, telecom, retail, oil and gas, and national, state and local government, and has sold more than 15 million licenses for its v-GO solution.
Product description

The Passlogix v-GO Access Accelerator Suite for Identity and Access Management includes the following components:

- v-GO Single Sign-On: the v-GO Single Sign-On Platform is a family of products providing enterprise-strength SSO, plus complementary offerings that integrate with facilities catering for other IAM requirements, such as provisioning, and additional login-related facilities for the Windows environment. These complementary offerings include v-GO Self Serve Password Reset, v-GO Authentication Manager, v-GO Provisioning Manager, and v-GO Session Manager.
- v-GO On-Demand Edition: similar in functionality to v-GO SSO, the only difference being that it is accessed from a host Web site. v-GO On-Demand Edition can be administered from outside the installation and enables the end user to access SSO functionality from anywhere across the enterprise.
- v-GO Shared Accounts Manager (v-GO SAM): provides secure access to systems and applications for administrators, temporary workers, and others who must share account IDs. It enables shared credentials to be securely stored and retrieved, with the required authorization and usage tracking, to improve security, increase accountability, and reduce compliance exposure.
- v-GO Session Manager (v-GO SM): helps avoid the security risks that arise from the use of kiosks. It is designed for mobile users, providing automated termination of inactive sessions and application shutdown.
- v-GO Provisioning Manager (v-GO PM): handles application credential provisioning automatically; it provides APIs to integrate automatic provisioning with existing workflows and scripts, and connectors to integrate with leading provisioning platforms, including those from IBM, Sun, BMC, and Oracle.
- v-GO Universal Authentication Manager (v-GO AM): enables authentication requests to be served by a broad variety of smart cards, biometrics, and tokens. Multiple authenticators are supported, including the definition of a fall-back state in the event that one fails. v-GO AM also defines authentication levels, so that application-based rights can be adjusted depending on the strength of the authentication used.
- v-GO Self Service Password Reset (v-GO SSPR): adds a layer to the normal Windows logon panel for end users, extending it so that the user can reset his or her own Windows password. Integration with Windows authentication and administration ensures that this is controlled within the overall Windows framework.

Headquarters: Passlogix, Inc., 75 Broad Street, Suite 815, New York, NY 10004, USA. Tel: +1 (212) 825 9100. Fax: +1 (212) 825 0326
EMEA Office: The City Arc, 89 Worship Street, London, EC2A 2BF, UK. Tel: +44 (0)20 79172754

Ping Identity

Company profile

Ping Identity provides organizations with commercial IAM solutions and is primarily focused on the area of federated identity. Founded in 2002, and headquartered in Denver, Colorado, Ping is a privately held company with over 100 employees worldwide. The company also has offices in Boston, Massachusetts and Vancouver, Canada. Its customer base of over 350 includes enterprises, government agencies, software-as-a-service (SaaS) vendors and online service providers worldwide.

Product description

Ping Identity's software comprises products that cater for the various federated identity management standards (SAML, Liberty ID-FF, and WS-Federation), and the CardSpace authentication module.
Ping Identity has two key solutions, PingFederate and PingConnect, both of which help organizations overcome IAM-related issues in their SaaS implementations.

PingFederate provides organizations with a standards-based software solution for managing all external identity connections. Supported connections range across customers, SaaS or BPO providers, partners, affiliates, and so on. The solution helps organizations implement web SSO and identity-enabled web services connections. It also provides multi-protocol support and automated user provisioning capabilities. The key capabilities of PingFederate include:

- Web SSO: PingFederate allows users to sign on only once, at the primary network access point. From there, users can seamlessly access other authorized web-based business applications without necessarily requiring additional password authentication. PingFederate also automates internet user account set-up, update, and removal, with the intention of eliminating unauthorized access. Its Advanced Security Token Service capabilities enhance identity sharing across security domains in a secure manner. PingFederate also supports identity mapping, account mapping and account linking, and provides flexible, integrated support for all versions of the SAML protocol (1.0, 1.1 and 2.0), as well as WS-Federation.
- User Provisioning: PingFederate can integrate directly with all existing corporate directories to automate the lifecycle elements of account creation, updating, and deletion.

PingFederate allows administrators to control identity management through a GUI-based administration console. The console can be accessed by users based on their roles, limiting certain specific tasks to selected users. Authenticated access to the Administrator Console can be configured by directly linking to the LDAP data store, and can optionally be secured using X.509 certificates.
PingConnect: the PingConnect solution manages the integration of an organization's existing user identities, which are typically held in Microsoft's AD or another LDAP repository, with any of over 60 leading SaaS offerings (for example Salesforce CRM, Google Apps, ADP, Cisco WebEx, Rearden Commerce, and Concur). PingConnect is cloud-based and, very importantly, provides dynamic integration with the main identity source (whether this is AD, another LDAP source, Google, or salesforce.com). This means that no replication of the customer organization's user identities is required (avoiding privacy issues), new users can gain access instantaneously, and users leaving the organization are immediately prevented from continuing to use their access rights. A user's log-on to salesforce.com or Google can also be the key used to access these services, a feature that is especially helpful for smaller organizations, many of which have adopted SaaS-based offerings as their main IT platform for significant business processes such as sales and collaboration.

Denver (Headquarters): 1099 18th Street, Suite 2950, Denver, CO 80202, USA. Tel: +1 (303) 468 2900. Fax: +1 (303) 468 2909
Boston: 230 3rd Ave, 6th Floor, Waltham, MA 02451, USA. Tel: +1 (781) 373 4850. Fax: +1 (781) 547 4017
www.pingidentity.com

Pirean

Company profile

Founded in 2002, and headquartered in the United Kingdom, Pirean delivers technology partnerships and consultancy services for infrastructure, service and security management platforms using IBM technologies. The company is privately held and has 70 employees. Pirean is ITIL compliant, with all staff qualified to ITIL Foundation level; the company also has accredited consultancy status with the British Standards Institution (BSI). Pirean's accolades include the IBM 'Business Partner Innovation Award' (2008), 'Beacon Award Finalist: Outstanding Service Management Tivoli Solution' (2009) and the IBM Tivoli Business Partner Service Management Solution Award (2010).
Product description

Pirean's Access: One provides identity, access and audit management for multiple systems, infrastructures and security services. Access: One is a zero-touch user management system that integrates seamlessly with existing user repositories and access controls, removing the need for organizations to provision and synchronize with a separate access management module. Access: One also supports a range of authentication mechanisms and user repositories, including real-time user authentication regardless of the number of authentication sources required (for example multiple AD instances and Windows domains). It supports the management of all authentication and authorization definitions and policies through a centralized management console. The product also allows organizations to add SSO capabilities, which can be strengthened through a range of additional secure, multi-factor authentication mechanisms. The Access: One solution also supports extending Tivoli Access Manager (TAM) infrastructures to other IAM solutions, such as ActivIdentity, Cryptomathic, Entrust, Gemalto, RSA, Vasco, and VeriSign, using out-of-the-box accelerators.

Compliance: One is a continuous controls monitoring solution. It is largely seen as a solution that can extend IBM TIM deployments for large-scale production environments, as it automates all business controls. Pirean claims to be the most accredited IBM Tivoli business partner, and its Access: One product is available ready for all IBM Tivoli implementations. Compliance: One complements Access: One deployments, and consists of a risk-based framework and an attestation engine that allows organizations to flexibly and readily monitor and manage all user access rights across the enterprise.
Compliance: One allows application access roles to be defined, and provides an easy-to-use interface for handling access rights, certification tasks, and SME-based certification. The product also lets organizations generate reports on user access data. It can identify accounts that have no associated owner and mark them as high risk, which can trigger a quarantine workflow and account de-provisioning. The product's rules engine allows organizations to implement a risk-scoring framework to support access and user provisioning decisions.

Hampshire (Head Office): Pirean Limited, Faretec, Cams Hall Estate, Fareham, Hants, PO16 8UY, UK. Tel: +44 (0)845 2260542. Fax: +44 (0)845 2262742
London Office: Pirean Limited, One Canada Square, London, E14 5DY, UK

Red Hat

Company profile

Red Hat is a provider of open source software solutions for the enterprise. These include the core enterprise operating system platform, Red Hat Enterprise Linux; the enterprise middleware platform, JBoss Enterprise Middleware; virtualization solutions; and other Red Hat enterprise technologies. The company operates primarily in the US, is headquartered in Raleigh, North Carolina, and employs 2,800 people.

Red Hat made a series of acquisitions before entering the IAM marketplace, including Netscape's Directory Server and Certificate System, acquired from AOL in 2004; Red Hat open sourced the directory server in 2005 and the certificate server in 2008. These two projects form the foundation of the FreeIPA (identity, policy, audit) project, launched in June 2007, which builds the community edition of Red Hat Enterprise IPA (RHE-IPA); RHE-IPA itself was launched in June 2008 with the core objective of building a fully fledged IAM solution.

RHE-IPA's launch overlapped with another acquisition, this time of the identity integration provider Identyx, and with the open sourcing of RHN Satellite.
RHE-IPA is focused on providing a holistic IAM solution that covers both Web-based systems (such as a customer-facing portal) and operating systems. From an OS point of view, it aims to replace the standard Network Information Service (NIS) Unix tool (used to manage user, group and machine authentication and authorization), hence the acquisition of Identyx, whose open source Penrose virtual directory helps users to migrate from NIS to the more robust, feature-rich (and revenue generating) RHE-IPA. Penrose helps to identify and resolve conflicts and enables a phased migration rather than a 'big bang' approach.

FreeIPA's initial version was focused on pure identity management and authentication. It consisted of an MIT Kerberos 5 server combined with a Fedora directory server back-end to set up a centralized identity management solution, using the directory as the username and password store and Kerberos for authentication and SSO. RHE-IPA also included features such as multi-master replication and support for online backups, updates and configuration changes to ensure that RHE-IPA services are available on a 24×7 basis. FreeIPA reached version 1.2.1 in December 2008; its next release (Version 2.0) is aimed at enabling administrators to centrally manage a broad set of functionalities (such as access control policy, SELinux policy, etc.) and apply different policies based on machine group, location, user and more. Version 2 will also focus on delivering support for delegated administrator controls and centrally managed system lockdown state. For auditing, this version is expected to provide organizations with the ability to centrally collect and analyze logs and events and extract management and compliance data.

Product description

Red Hat's venture into the identity and access management arena is based on the FreeIPA (Identity, Policy, and Audit) offering, also known as Red Hat Enterprise IPA.
FreeIPA is basically a Red Hat sponsored open source project that helps organizations manage identity, policy and audit (IPA) information through its integrated suite. It is primarily targeted towards networks of Linux and UNIX computers.

CHAPTER 8: VENDOR PROFILES 241
Red Hat Directory Server: an LDAP-compliant server that helps centralize all user profiles, group data, policies, access control information, and related application settings under a single network-based registry. This single repository of all policies and access information ensures that administrators can rely on a single directory and single authentication source for all user access across enterprise or extranet applications. The Directory Server supports SSO access and also provides support for 64-bit Red Hat Enterprise Linux, HP-UX and Solaris platforms.

Red Hat Certificate System: provides a security framework that manages certificate creation, renewal, suspension, and revocation activities. It also manages single- and dual-key X.509v3 certificates that are required to handle strong authentication, SSO, and secure communications. The Red Hat Certificate System functions as an authentication system that helps organizations manage user access to resources and data. The Certificate System supports deploying and maintaining a PKI that helps manage user identities in an effective manner. The system can also integrate seamlessly with third-party security software and existing applications through published APIs.

FreeIPA/RHE-IPA are Linux- and Unix-centric, which somewhat limits their appeal among end-user customers. In terms of provisioning, while Version 1 of the product provides basic Microsoft AD synchronization (user identity information and, optionally, password), Version 2 will enable identity management and authentication from one environment. Merging the product with Penrose also makes it even more flexible for RHE-IPA to deliver a unified view of identity across multiple sources, including LDAP, NIS, AD and other databases. The offering also links with JBoss workflow technology, strengthening its overall ID provisioning capabilities.
Red Hat Corporate Headquarters
1801 Varsity Drive
Raleigh, North Carolina 27606
USA
Tel: +1 (919) 754 3700
Fax: +1 (919) 754 3701
www.redhat.com

Red Hat EMEA Headquarters
Technopark II, Haus C
Werner-von-Siemens-Ring 11-15
85630 Grasbrunn, Germany
Tel: +49 89 205 071 0
Fax: +49 89 205 071 111

SailPoint Technologies

Company profile

SailPoint provides identity governance solutions. Founded in December 2005, the company is privately held and is headquartered in Austin, Texas. Its investors include Austin Ventures, Lightspeed Venture Partners, Origin Partners, and Silverton Partners. Its customers include Global 1000 and Global 500 companies, including five of the world's top 10 banks, three of the industry's top insurance companies, two of the top three managed-healthcare providers in the US, and some of the largest consumer, manufacturing, and telecom companies in the world. Reference customers include ABN Amro, Allianz SE, Brightstar, Burlington Northern Santa Fe Railroad, Citizens Bank, Intuit, and Tokyo Electron.

Product description

SailPoint IdentityIQ v4.0 is a risk-based identity-governance solution for managing user access to critical business systems and the data that they contain. It uses a single-repository approach to consolidate identity and access data into one location, and provides extensive reporting services. Associated capabilities include the formalization and automation of key identity and access management processes such as access certification, role management, access request management, and compliance management. Also included are tools for modeling the organizational hierarchy and for defining the roles that will be used to classify access rights. SailPoint IdentityIQ comprises four key components:

IdentityIQ Identity Intelligence: facilitates the transformation and consolidation of all technical and application-specific identity data items into a form that is suitable for business users.
It allows organizations to link their application-specific identities and access privileges. The dashboards can be further customized to enable authorized users to access reports according to identity-related metrics. The Identity Intelligence module also provides risk analytics and monitoring capabilities.
IdentityIQ Compliance Manager: delivers automated compliance processes and is an integrated part of the solution's risk services. Two key sets of tasks can be executed through the Compliance Manager: the automation of processes, and the receipt of reports and alerts related to the compliance status of the organization and all related systems-usage activity. Importantly, Compliance Manager is used to define and enforce policies that are based on organizational needs as opposed to technology constraints; it automatically scans for and detects policy violations and supports defined separation-of-duty policies based on roles and access privileges.

IdentityIQ Role Manager: provides automated role lifecycle management. It enables a defined, automated, and technology- and application-agnostic approach to the creation, modification, and deactivation of roles.

IdentityIQ Access Request Manager: centralizes the management of all access requests by providing a workflow-based self-service interface that automates the approval process once a request has been submitted. IdentityIQ self-service interfaces provide business users with a filtered option that allows them to modify or request certain types of access according to roles and policy.

IdentityIQ uses its aggregation and correlation engine to associate and bring together all linked data using a rules system, which stores the data in 'identity cubes', a multi-dimensional representation of each user offering insight into their attributes, business roles, and access rights. The aggregated data is used to build a complete organizational picture of who has access to which systems and applications, and the levels of access provided for each application.

The solution defines risk levels for every user based on their access rights and how they are being used. For example, a user with privileged access to applications that hold identifiable customer or account information could be flagged as a high-risk user.
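The orphan-account detection described for Compliance: One above and the identity-cube correlation, separation-of-duty checking and risk flagging described for IdentityIQ can be sketched in one toy governance pass. This is an added example, not code from either vendor: the HR feed, account records, separation-of-duty rule and scoring weights are all constructed for the illustration.

```python
"""Toy identity-governance pass: correlate accounts into identity cubes,
flag orphan accounts for quarantine, and score each identity's risk.
Added illustration only; data model and weights are constructed here."""

# Constructed: an HR feed is the authoritative list of identities.
HR_IDENTITIES = {"e100": "alice", "e200": "bob", "e300": "carol"}

# Constructed: accounts aggregated from three target systems. "owner" is the
# correlation attribute that links an account back to an HR identity.
ACCOUNTS = [
    {"system": "AD",      "login": "alice",   "owner": "e100", "privileged": False, "sensitive": False},
    {"system": "Billing", "login": "alice.b", "owner": "e100", "privileged": True,  "sensitive": True},
    {"system": "AD",      "login": "bob",     "owner": "e200", "privileged": False, "sensitive": False},
    {"system": "Billing", "login": "bob.b",   "owner": "e200", "privileged": True,  "sensitive": True},
    {"system": "Payroll", "login": "bob.p",   "owner": "e200", "privileged": True,  "sensitive": True},
    {"system": "AD",      "login": "svc_old", "owner": None,   "privileged": True,  "sensitive": False},
]

# Constructed separation-of-duty rule: nobody may hold accounts on both systems.
SOD_RULES = [("Billing", "Payroll")]


def build_identity_cubes(accounts, identities):
    """Correlate accounts to HR identities. Returns (cubes, orphans), where
    cubes maps owner id -> {name, accounts} and orphans are uncorrelated."""
    cubes = {eid: {"name": name, "accounts": []} for eid, name in identities.items()}
    orphans = []
    for acct in accounts:
        if acct["owner"] in cubes:
            cubes[acct["owner"]]["accounts"].append(acct)
        else:
            orphans.append(acct)  # no owner: candidate for quarantine
    return cubes, orphans


def sod_violations(cube, rules):
    """Rules whose every system appears among the identity's accounts."""
    systems = {a["system"] for a in cube["accounts"]}
    return [rule for rule in rules if set(rule) <= systems]


def risk_score(cube, rules):
    """Additive score: privileged access to a sensitive system is the
    strongest signal; each separation-of-duty conflict adds on top."""
    score = 0
    for a in cube["accounts"]:
        if a["privileged"] and a["sensitive"]:
            score += 5
        elif a["privileged"]:
            score += 2
    return score + 4 * len(sod_violations(cube, rules))


def risk_level(score):
    """Bucket a numeric score into the report's high/medium/low labels."""
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def review(accounts=ACCOUNTS, identities=HR_IDENTITIES, rules=SOD_RULES):
    """Full pass: per-identity risk levels plus the orphan quarantine list."""
    cubes, orphans = build_identity_cubes(accounts, identities)
    levels = {c["name"]: risk_level(risk_score(c, rules)) for c in cubes.values()}
    quarantine = [f'{a["system"]}:{a["login"]}' for a in orphans]
    return levels, quarantine


if __name__ == "__main__":
    print(review())
```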
IdentityIQ also provides a graphical user interface for defining roles that is equipped with modeling tools to map complex organizational hierarchies and other business structures. The volume of business and user-relevant information available through reports is extensive, and its Business Context Framework extends the reporting facilities to provide an entitlement glossary and usage tips.

SailPoint Technologies Inc.
US/Corporate Headquarters
6034 W Courtyard Drive
Suite 309, Austin
Texas 78730
USA
Tel: +1 (512) 346 2000
Fax: +1 (512) 346 2033
Email: info@sailpoint.com
www.sailpoint.com

SailPoint Technologies Inc.
European Headquarters
145-157 St John Street, 2nd Floor
London
EC1V 4PY
UK
Tel: +44 (0)845 2733826

SAP

Company profile

SAP is a recognized leader in the enterprise application market, having established its reputation on the back of its integrated R/3 Enterprise Resource Planning application suite. It is headquartered in Walldorf, Germany, and was founded in 1972. The company has sales and development locations in over 50 countries, and approximately 51,000 staff serving around 82,000 customers in 120 countries. Although SAP states that over 80% of Fortune Global 500 enterprises use its products, and large enterprises form a substantial part of its market, the company is increasingly targeting the mid-market. SAP is known for its process expertise, particularly in vertical industries, and has solutions for 25 different industries ranging from aerospace and defense to wholesale distribution. SAP is a publicly listed company trading on multiple exchanges including the Frankfurt Stock Exchange and the New York Stock Exchange under the "SAP" symbol.
Product description

The NetWeaver Identity Management suite (SAP NetWeaver IdM) is SAP's solution for managing user access across applications and for monitoring adherence to audit and compliance requirements. SAP NetWeaver IdM uses a role-based mechanism for provisioning users, and also supports related processes such as password management, self-service, and approvals workflow. All of SAP NetWeaver IdM's capability is delivered as an integrated, open platform component that links access and identity information to systems, web services, and business processes. The product is also capable of working not just with SAP applications: it integrates with systems and applications across a heterogeneous landscape. The major capabilities of SAP NetWeaver Identity Management include:

Identity virtualization – provides an integrated, unified view of each user's virtual identity, allowing organizations to leverage existing identity information and access rights across the entire network.

Data synchronization – ensures that if a user changes key information in one application, the change is transformed and propagated to all other related applications as well, thus ensuring data consistency.

Provisioning, workflow, and approvals – driven by business rules and definitions of associated policies. It aligns with access controls and the maintenance of user access rights across systems. SAP NetWeaver Identity Management streamlines the user provisioning process across SAP as well as third-party applications through a certifiable connector framework. This connector-based framework enables the product to support LDAP directories and JDBC databases, and applications such as Microsoft AD, Microsoft Exchange, and IBM Lotus Notes.
SAP NetWeaver IdM uses a workflow module that enables organizations to set up workflows for all account management activities, including account creation, modification, deactivation, and deletion.

Password management – is a key feature of SAP NetWeaver IdM; it provides self-service software that allows users to manage their information through a centralized location for all connected target systems. It also supports self-service password reset and password synchronization capabilities.

Roles and entitlements – SAP NetWeaver Identity Management offers role-based access control based on the NIST RBAC standard. Roles are assigned in alignment with business processes, and users can be assigned roles and privileges which enable secure access to various systems.

Reporting and auditing – the product provides centralized reporting services. These enable users to produce reports based on current access and past events. The reports enable organizations to handle compliance, audit, and related initiatives.

All product activities are managed centrally through the identity console, and NetWeaver IdM also includes a Web-based workflow user interface that allows users to reset their password and perform other self-service activities. The solution also has a monitoring interface that allows administrators to monitor logs and queue processing. It provides the ability to integrate with SAP Business Suite applications as well as SAP BusinessObjects GRC solutions. SAP provides advanced identity management services that are completely based on web services standards. They provide a standards-based single access point for users to query and manage identity information.
SAP AG – Parent Company
Neurottstrasse 15
69190 Walldorf, Germany
Tel: +49 6227 7 47474
Fax: +49 6227 7 57575
Email: info@sap.com
www.sap.com

SAP (UK) Limited
Clockhouse Place, Bedfont Road
Feltham, Middlesex, TW14 8HD, UK
Tel: +44 (0)870 6084000
Fax: +44 (0)870 6084050
Email: info.uk@sap.com
Sentillion

Company profile

Sentillion Inc. provides identity and access management solutions primarily for healthcare organizations. It has systems deployed in local, regional, and national healthcare organizations including clinics, community hospitals, federal healthcare facilities, and academic teaching institutions. In February 2010, Microsoft acquired Sentillion. All Sentillion's products have since been added to Microsoft's portfolio of health solutions and the team has been merged into the Microsoft Health Solutions Group. The Sentillion team will however continue to operate out of its offices in Andover, Mass., to sell and support its product line, while Microsoft develops long-term evolution plans combining the two product lines. Sentillion's context management and SSO technologies will be combined with the Amalga Unified Intelligence System, a real-time data aggregation solution, to enable Microsoft to give clinicians real-time insight into patient information.

Product description

Sentillion solutions provide SSO, user provisioning, clinical workstations and virtualized remote access. Sentillion's expreSSO is an appliance-based SSO solution developed specifically for the healthcare sector. It offers out-of-the-box integration options with common applications within the healthcare sector, and offers wizard-driven application connectors to enable integration with other third-party applications. It automatically imports user identity data and provides ongoing synchronization with enterprise directories such as LDAP and AD. A centralized administration console leverages agent-based technology to sense when applications are launched, and generates events and audit trails that encapsulate user activity around these applications. expreSSO offers tight integration with Sentillion Tap & Go, a tool that leverages proximity cards to provide secure two-factor authentication.
This means that users can swipe their company ID cards against a card reader, and combine with it a biometric or password-based authentication device that has a validity period, to gain access to areas of the clinic/hospital that they are authorized to enter. Once the validity period expires, it can be reset through expreSSO to continue to get access to protected areas.

Sentillion proVision is the company's provisioning tool developed specifically for the healthcare sector. It offers capabilities to simplify the task of provisioning users with access to computer resources. It supports healthcare-specific applications such as Computerized Physician Order Entry, Picture Archiving and Communications System, and their portals; administrative applications such as billing and enterprise directories; and personal productivity applications such as e-mail.

The Sentillion IdMPOWER Community is a member community for users of the Sentillion range of products and provides access to an online knowledge base of best practice deployment options, troubleshooting guides, FAQs and articles. The IdMPOWER Community also contains an open source bridges library that provides a number of software adapters for healthcare applications that are not supported out-of-the-box by Sentillion.

Headquarters
Sentillion, Inc.
40 Shattuck Rd.
Suite 200
Andover
MA 01810
USA
Tel: +1 (978) 689 9095
Fax: +1 (978) 688 2313
www.sentillion.com

UK Office
Sentillion Limited
3000 Hillswood Drive
Hillswood Business Park
Chertsey, Surrey
KT16 0RS
UK
Tel: +44 (0)845 0570302
Fax: +44 (0)845 0570312
Siemens

Company profile

Siemens IT