Identity Management: What Solution is Right for You?

C D H

C D H Identity Management

April 21, 2010

C D H Quick Facts

About Us • 20th Year

• Grand Rapids & Royal Oak

• 25 Staff

Approach • Vendor Agnostic

• Non-reseller

• Professional Services Only

Partnerships

• Microsoft Gold

• VMware Enterprise

• Cisco Premier

• Novell Platinum

• Citrix Silver

C D H

Infrastructure

Access & Identity Management

Expertise

Project Management

Collaboration

3

P

I

C

A

C D H Overview

• Specific focus on enterprise identity

management

– SMB session to be offered later

• Discussion about what identity

management is and what it involves

• Project Approach and Planning

• Market Capabilities and Trends

• Vendor Comparisons and Overviews

C D H What is Identity Management?

• User account creation, management, and

cleanup

• Attribute synchronization

• Password synchronization

• Password self-service

• Delegated Management

• Role Management

• Single Sign On

• Privileged User Management…..

C D H What Identity Management Is Not

• Not a replacement for application/system

management tools (though it can minimize

the need to use them)

• Not a primary security enforcement tool

(though it can help)

• Not simple

• Not cheap

• Not able to solve world hunger

C D H Approaches

• Rule based account sync

– Very common first initiative

– Actions based on established rules

• Roles based provisioning

– Role mining/analysis

– Enterprise role modeling

• Workflow system

– Electronic forms and processes

– Doesn’t require systems to be connected

C D H Balanced Approach

C D H Services Infrastructure

C D H Initial Approach

• Get management buy in

• Analyze systems, applications, and

processes across business units

• Determine the pain points

• Determine the points of greatest risk

• Determine compliance requirements

• Determine desired process improvements

• Review current skill sets

C D H Vendor Selection

• Determine most suitable vendors

– Previous analysis as basis

– License agreements/Pricing

– Granular yet scalable

• Demo/POC environment

– Get the vendors/partners (wink-wink) to help

– Most can be completely virtual

C D H Vendor Selection Continued

• Exercise/test/play

– Feed it samples of current data

– Build representative roles

– Involve other business units

• Helpdesk, HR, others

• Workflow interaction

• Role management and assignment

C D H Common Mistakes

• Taking on too much at once

– Important to take it slow at first

• Failure to get upper management buy-in

– Business processes will change

• Scope creep

– “Let’s add this one simple application”

• Allowing requirements to go unchecked

– Contributes to complexity and scope creep

• Not taking the exceptions into account

C D H More Common Mistakes

• Not changing business processes

– Too many implementations just automate bad

processes

– Use the opportunity to revise processes

• Expectation of immediate ROI

– Initially many processes may be duplicated for

a time

• Failure to establish full testing plans

– Automated testing preferred

C D H More Common Mistakes

• Using the existing NOS directory as the

central ID repository

– AD/eDir is a file, print, and workstation

management directory

– It should be treated like all other connected

apps/systems

• Collapsing too much to a single directory

– Allow apps to have their own directory

– IDM allows easy management of separate

directories

C D H

C D H Market

C D H Market Trends

• User provisioning almost becoming a

commodity – everyone does it

• More emphasis is being placed on Roles

and Governance, Risk, and Compliance

(GRC) management

• Data Leak Prevention (DLP) integration

becoming more commonplace

• Organizations tending to more look at IDM

holistically

C D H Market Trends

• Wizards, web GUIs, business process

mapping tools, and “codeless” capabilities

are reducing implementation times

– Time to take a 2nd look

• Greater integration with partnering

technologies from other vendors

– Role management products

– SSO products

• Many acquisitions changing the landscape

C D H Roles

• Typically have multiple levels

– Business roles

– Permission roles

• Entitlements/resources typically assigned

to roles

• Some can be 100% based on attribute

values

• Most should allow manual assignment with

approvals

C D H GRC

• What is it?

• Governance

– Establishing role and entitlement policies

• Risk

– Assigning risk factors to roles and entitlements

• Compliance

– Preventing unjustified access and proving it

C D H GRC Example

• Risk levels are assigned to roles and

entitlements

• Increased scrutiny and monitoring applied

to higher risk roles and entitlements

• The risk levels of the roles and

entitlements assigned to a person add up

to a threat level

• Increased scrutiny and monitoring of the

user result from the increased threat level

C D H

C D H Vendor Comparisons

C D H Vendor Grid

C D H Enterprise Role Management

Market (Forrester)

Forrester Enterprise Role Mgmt - Feb 09

C D H Enterprise Role Management

Market (Forrester)

Forrester Enterprise Role Mgmt - Feb 09

C D H User Provisioning

C D H

C D H Vendor Overviews

C D H Microsoft

• New release – FIM

• Still way behind in the market, FIM won’t

significantly change this

• Still may be an easy choice for MS shops

with limited needs

• Can be cheaper than other solutions, but

not on an apples-to-apples comparison

• MS has stated that they want to become a

leader in the market – will take much work

C D H Sentillion

• Acquired by Microsoft

– Still trying to figure out how to best integrate

the technologies

– Some of the technologies directly compete

with FIM – what’s going to win?

• Healthcare focused

– Almost exclusively

C D H Novell

• Continues to fight the “bad” reputation of

their name

• No concern over Novell’s viability

• Extraordinary capabilities with limited

coding requirements

• Offers unparalleled platform flexibility

• IDM 4 brings strong new capabilities to the

mix – “game changers”

C D H Courion

• A strong suite of powerful products

• Focused specifically in identity

management technologies

• One of the earliest to offer SharePoint

integration & management

• Establishes partnerships and provides

tight integration

• Excellent rogue account management

C D H Oracle/Sun

• Much FUD about what the merger actually

means, not all is undeserved

• Some integration has already occurred

– Sun products being rename to Oracle xx

• Highly capable solutions

• Deep development requirements

– Do you have dedicate Java developers?

– You’ll need more

C D H IBM

• Shares top tier rating

• Part of the Tivoli suite of products

• XPRESS for simpler implementation

– XML based

• Like Oracle/Sun, requires pretty deep

development for more complex

functionality

• Aggressive product pricing in IBM shops

C D H CA

• Recently acquired Eurekify, an excellent

role mining and management vendor

• Uses Policy Xpress (sound familiar?) to

simplify policy “development”

• GUI workflow designer tool

• Also fights a bad rep at times

• Tends to ignore smaller engagements

C D H Other Vendors

• Too many to list!

• A number build on Microsoft solution

• Some show much promise

– EmpowerID from The Dot Net Factory

C D H

C D H Solution Similarities

C D H Commonalities

• Centralized identity repository

– Identity Vault

– Metaverse

– ID Store

– LDAP

• XML

– Config and settings files

– Transaction documents

– Rules and policies

C D H Common Claims

• Agent-less

– Usually means limited (AD API vs LDAP)

– MUST have an agent (client or server) for

password sync from an app/system

• GUI Builders and Wizards

– Meant to simplify development

– Provide for basic functionality

– Sometimes don’t go far enough (how do you

extend?)

C D H

C D H C/D/H IDM Perspective

C D H C/D/H Experience

• We help determine what IDM solution set

and vendor is best based on the

organization

– Sync, SSO, reporting, monitoring

– Existing relationships, budget, scope, skills

• Clients from 250 to 250,000 users

• Medium-large focus

– Most clients in the 3,000-8,000 user range

C D H C/D/H Experience

• Few in-house developers

– Well established developer relationships

utilized when needed

– Focus more on business process planning

• We like solutions requiring minimal

development

– Microsoft

– Novell

– Courion

C D H C/D/H Experience

C D H C/D/H Experience

C D H

Royal Oak 306 S. Washington Ave.

Suite 212

Royal Oak, MI 48067

p: (248) 546-1800

Thank You

Grand Rapids 15 Ionia SW

Suite 270

Grand Rapids, MI 49503

p: (616) 776-1600

(c) C/D/H 2007. All rights reserved www.cdh.com