Information Security - IAM Strategy

Technology Evaluation and Comparison Report

Part of the Datamonitor Group WWW.OVUM.COM

Identity and Access Management 2011/12

Delivering essential business protection and compliance

Butler Group, incorporating OVUM

Research

Andy Kellett

Graham Titterington

Nishant Singh

Somak Roy

Acknowledgements

Maxine Holt

Tim Gower

Tim Jennings

Important Notice

We have relied on data and information which we reasonably believe to be up-to-date and correct when preparing this Report, but because it comes from a variety of sources outside of our direct control, we cannot guarantee that all of it is entirely accurate or up-to-date.

This Report is of a general nature and not intended to be specific, customised, or relevant to the requirements of any particular set of circumstances. The interpretations contained in the Report are non-unique and you are responsible for carrying out your own interpretation of the data and information upon which this Report was based. Accordingly, Ovum is not responsible for your use of this Report in any specific circumstances, or for your interpretation of this Report.

The interpretation of the data and information in this Report is based on generalised assumptions and by its very nature is not intended to produce accurate or specific results. Accordingly, it is your responsibility to use your own relevant professional skill and judgement to interpret the data and information provided for your own purposes and take appropriate decisions based on such interpretations.

Ultimate responsibility for all interpretations of the data, information and commentary in this Report and for decisions based on that data, information and commentary remains with you. Ovum shall not be liable for any such interpretations or decisions made by you.

Published by Ovum

Published January 2011 © Ovum

All rights reserved. This publication, or any part of it, may not be reproduced or adapted, by any method whatsoever, without prior written Ovum consent.

Artwork and layout by Karl Duke, Steve Duke, and Jennifer Swallow

Part of the Datamonitor Group

Enterprise IT Knowledge Centre

At the heart of the new service are more than 150 ICT analysts from the former Ovum and Butler teams. They provide deep insight into both vertical and horizontal business technology, delivered through best-in-class research and analysis. To their insights, we add the expertise of Datamonitor's 350 business analysts. It is this combination that makes the new Ovum IT service especially valuable to clients: by integrating the three teams, we can offer unique insight into the opportunities and issues facing you and your customers, and dispense invaluable advice to help you create an effective technology strategy – a process that we describe as Collaborative Intelligence.

Our comprehensive research agenda spans the full IT investment lifecycle. Our analysis and advice help you to create the optimal technology investment portfolio for the organisation, select and implement the appropriate solutions and services, and manage those investments to realise the desired business benefits. Our coverage ranges from insight into industry-specific business processes and analysis of vendor markets, through to radical opinion on disruptive technologies and best-practice IT implementation guides. Here we present thought-leading research and strong examples of Collaborative Intelligence in action, and we look forward to working in partnership with enterprises globally.

For more information, please contact Mike James on +44 1482 608380 [email protected]

Contents

Chapter 1: Management summary 9

1.1 Management summary 11

1.2 Report objectives and structure 17

Chapter 2: Business and technology issues in IAM 19

2.1 Summary 21

2.2 Identity and access management projects are large-scale investments 21

2.3 Business processes need to be overhauled 25

2.4 Cloud services add urgency to the need to federate identities between organizations 26

2.5 The vendor landscape has been rationalized 28

2.6 Recommendations 29

Chapter 3: Identity and access management and compliance 31

3.1 Summary 33

3.2 IAM delivers services that are relevant to business improvement, continuity, protection, and compliance 34

3.3 Regulatory compliance has a demanding impact on most organizations 35

3.4 Audit adds urgency to the need for a better IAM infrastructure 39

3.5 Continuity and the lifecycle approach to managing identity delivers business value 40

3.6 Everyone needs to be accountable 41

3.7 Achieving and proving compliance is a key business objective 43

3.8 Recommendations 44

Chapter 4: Identity services in the cloud 45

4.1 Summary 47

4.2 The need for an internet identity is now recognized 48

4.3 Several levels of identity assurance are needed 50

4.4 Legal and commercial issues are still of paramount importance 53

4.5 Technology is being developed for internet identity 55

4.6 Recommendations 58


Identity and Access

Management 2011/12

Chapter 5: Federated identity 59

5.1 Summary 61

5.2 Organizations can benefit from using a federated approach to identity management 62

5.3 Drawing up clear rules of engagement is important 64

5.4 Making better use of standards is the way forward 67

5.5 Recommendations 72

Chapter 6: Technology comparison 73

6.1 Summary 75

6.2 IAM Features Matrix 76

6.3 IAM Decision Matrix 113

6.4 Vendor Analysis 116

Chapter 7: Technology Audits 131

CA – CA Identity and Access Management Suite 133

Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard 143

Evidian – Evidian IAM Suite (version 8) 153

Hitachi – Hitachi-ID Portfolio 163

IBM – IBM Tivoli Identity and Access Management Products 173

Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products 185

Novell – Novell Identity Manager 4 Advanced Edition 195

Oracle – Oracle Identity and Access Management Suite – Release 11g 205

RSA (The Security Division of EMC) – RSA Identity & Access Management 215


Chapter 8: Vendor profiles 225

ActivIdentity 227

Aladdin (SafeNet) 228

Avatier 229

Aveksa 230

Beta Systems 231

BMC 232

Courion 233

Cyber-Ark 234

Fox Technologies 236

Imprivata 237

Passlogix 238

Ping Identity 239

Pirean 240

Red Hat 241

SailPoint Technologies 242

SAP 243

Sentillion 245

Siemens 246

WSO2 247

Chapter 9: Glossary 249

Chapter 10: Appendix 259


CHAPTER 1: Management summary

1.1 Management summary

Catalyst

Identity and access management (IAM) has become an essential part of the IT infrastructure for medium- to large-scale organizations. Its benefits of productivity and policy enforcement have been understood for some time, but it was widely regarded as a technology that was too hard to deploy. There is now wider agreement on standards and a much better understanding of how to conduct a successful project. At the same time the business case is becoming more compelling as the scale of automated interoperation with entities outside the enterprise grows, including the growing use of cloud services.

Ovum view

Identity and access management must be approached as a business issue and designed around business processes. It is fundamentally about how the organization works with its people and with other organizations. IAM projects must be approached with a comprehensive and long-term vision, but it is best to implement it incrementally in phases, each with a clearly defined business benefit. The total investment will be large, but many parts of the process can be expected to pay for themselves in months. While extensions to the project can be expected to deliver lower rates of return than the low-hanging fruit addressed by the early stages, the overall project should still represent a good investment as there is no requirement to implement the full vision in one project.

The role of IAM

What is IAM?

IAM is the discipline of determining policies for who has access rights to information assets in an organization, the issuing of these rights, and the implementation of the consequent access controls. It is at the heart of information protection, and of compliance programs with all regulations that control access to information.

Historically IAM was limited in scope and delivered as a function of operating systems. It has emerged as both a business concern, and a broader field of technology, as business IT systems have developed from a collection of siloed systems into a complex network of interconnected systems, which are connected to systems in partner organizations and to customers, employees and other users across the Internet. The complexity of managing large numbers of users on multiple systems requires an automated and process-driven system to satisfy both the efficiency and security needs of the organization.

Key findings:

• IAM projects require upfront and continuous high-level business sponsorship.

• Address pain points first and deliver significant and quantifiable benefits to demonstrate the value of the approach.

• Federation of identities between collaborating organizations has been enabled by general acceptance of the main standards, including the WS-* family and Security Assertion Markup Language (SAML) assertions.

• Use of cloud services creates an important application for IAM.

• IAM is an essential tool in delivering compliance and protecting information.

• Business may soon be able to connect to Internet identity services that will be useful for authenticating people outside the organization.

Cloud services require IAM

The adoption of cloud services by organizations places greater urgency on the need to deploy comprehensive IAM systems. When valuable information is placed in a cloud, the access controls to the system become the only protective layer for that information. It is therefore essential that the access controls to the cloud service are maintained in a state that is consistent with the corresponding access controls in the data center. The cloud service provider can and should be seen as a business partner.

IAM must recognize the diversity of users

Mobility, whether between workstations within a building such as a hospital or factory, or between working locations, requires IAM to provide an easy to use and consistent user experience.

Automated processes, extending beyond the enterprise walls, require a pervasive access control mechanism that recognizes corporate entities and other processes as having equivalent access control needs to those of human users.

Business issues

The business case

IAM is a key issue for the business. Implementing a system represents a major investment and its deployment will require changes in business processes to capitalize on its benefits. However, successful projects provide a high return on investment and a payback period of less than two years is frequently achieved. IAM is a useful, if not absolutely essential, tool for satisfying the more demanding regulatory and compliance requirements. It provides the audit and reporting functions to determine, with a high level of confidence, who has done what with critical information.

The business benefits of IAM come in two main categories: productivity/ease of use, and security. In the efficiency category, we can list:

• Reduced cost of administration due to automated approval processes, synchronization of permissions, and user self-service functions, including password resets that typically account for 25% of IT help-desk workloads.

• Single sign-on (SSO) to raise end-user productivity by providing quicker access to systems, and reducing the burden on users of having to manage multiple sets of credentials. People who use several systems, or work from workstations in multiple locations, can save substantial amounts of time in a typical day.

• Improved experiences for external users, leading to more business, and better collaboration with business partners.

From a security perspective, good quality and effectively deployed IAM provides:

• Rapid and accurate provisioning and de-provisioning of users, minimizing unauthorized access to information and processes.

• The opportunity to adopt more secure forms of identification and authentication, including two-factor authentication, further enhancing access controls.

• Full audit and logging capability of user sessions on corporate systems.

IAM is a means of implementing business strategy insofar as it relates to information processing. The issues of who the business needs to work with, the level of automation that is required in these interactions, and the depth of trust between organizations, are represented in the IAM configuration and deployment. Internal issues also have a major impact on the architecture of IAM systems, such as employee mobility, integration of IT systems following mergers and acquisitions, and the way in which compliance obligations are met.


Running a successful IAM project

IAM projects are neither quick nor cheap. It is therefore essential that they have the wholehearted support of senior management and that this support is sustained throughout the project. Project managers can help to sustain this enthusiasm by adopting a phased approach to the project, with clearly defined business benefits flowing from each phase. This approach also minimizes both the technical and business risks, as design errors can be rectified before they become widespread.

External identity on the Internet

We are now entering an era in which individuals can call up “Internet identities” that carry a level of assurance that we do not have with the self-asserted identities that are almost universal on the Internet today. For the business, this will open up new ways of communicating with customers and others that do not have a strong existing relationship with the organization, at a lower cost than pre-registering them with the organization. While this prospect is still at an early stage of its evolution, standards work largely promoted by the US government provides a basis for identity services along with a potential business and liability model.

Organizational issues

Federation technologies have to align with business relationships

Identity federation technology allows organizations to work together, with individual users being identified and held responsible for their actions across all of the collaborating entities. It avoids the need for replicating user registration in each organization by regarding their employer as the authoritative source of information about them. It also ensures that any changes in their status are immediately applied across the whole eco-system.

The technologies available for identity federation reflect the business structures to which they are applied. Traditionally most deployments have been to a “hub and spoke” model in which the key organization federates to several of its partners such as its suppliers or channel partners. This model also works well between a company and the subsidiaries it has acquired or created. More complex webs of collaborating organizations can be supported with “claims-based” networks, and managed services are appearing to simplify the deployment of federated networks.

Taming the super user

Computers, networks and applications have traditionally been managed through an account called “administrator” or “super user”. The requirement for 24 x 7 operation has led to several people having access to this account. Across a large organization, with thousands of servers and applications, there has been a proliferation of privileged and effectively anonymous accounts. This has created a nightmare for both security and compliance officers.

A comprehensive IAM suite will provide a means of securing and hiding all super user accounts and assigning administrator privileges to the individual users who are authorized to perform these roles. This ensures that they are monitored and held responsible for all the actions they perform in this mode and deals with segregation of duty issues.

The extended enterprise

In addition to integrating the management of partner organizations, IAM helps to define who works within an organization. Human resources departments are often only concerned with permanent employees, whereas IAM systems have to provide for all users. Even the payroll department has no record of contractors who are paid, directly or indirectly, through the purchase invoice system.


IAM systems can be integrated with physical access systems, enabling physical and logical access to be controlled through common credentials and providing an extra channel of authentication by correlating system access with physical location. When this approach is adopted, the IAM registration process has to be extended to include all people who are entitled to enter the premises, irrespective of whether they use IT systems.

Technology issues

The scope of IAM

IAM systems are technically complex, comprising the following functions:

• enrolment of users

• provisioning/de-provisioning of access rights to users, in accordance with corporate policies

• role management

• routine user administration, including functions such as issuing credentials and password reset

• access approval and revocation processes, and escalation of disputed issues

• identification and authentication of users, including flexibility to adapt authentication to match the appropriate level of business risk; an important part of this function is SSO functionality to a wide range of resources by a single act of logging in to a workstation

• control of access to all information and process resources according to policy

• reporting and auditing of actions relating to access permissions and access usage

• acceptance of corporate entities and automated processes as “pseudo-users”

• facilitating usage of corporate resources by business partners and customers, according to appropriate policies and controls.
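The list above and the earlier "Taming the super user" discussion describe IAM functions in the abstract. The following Python model is an added illustration written for this page; it is not code from the Ovum report or from any vendor suite it reviews. It shows four of those functions working together: policy-driven provisioning and de-provisioning from an authoritative HR record, role management, a segregation-of-duty check at the access approval step, and an audit trail in which privileged use is recorded against the named individual rather than a shared "administrator" account. Every user, role, entitlement and policy value (alice, bob, ap-clerk, unix:root, the SOD_CONFLICTS set, and so on) is constructed sample data, not taken from the report.

```python
"""Toy IAM provisioning engine (added illustration, not from the Ovum report).

Models role management, policy-driven provisioning/de-provisioning,
segregation-of-duty (SoD) checks on access approval, and an audit trail
that attributes privileged use to a named person. All roles, users and
policy values below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Role -> entitlements it grants on target systems (constructed sample policy).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "employee":    {"mail:read", "intranet:read"},
    "ap-clerk":    {"erp:create-invoice"},
    "ap-approver": {"erp:approve-invoice"},
    "unix-admin":  {"unix:root"},
}

# Role pairs one person must never hold at the same time (segregation of duty).
SOD_CONFLICTS: Set[frozenset] = {frozenset({"ap-clerk", "ap-approver"})}

# Birthright policy: roles an HR status grants automatically.
BIRTHRIGHT: Dict[str, Set[str]] = {
    "active": {"employee"},
    "contractor": {"employee"},
    "terminated": set(),
}


@dataclass
class Identity:
    user_id: str
    hr_status: str
    roles: Set[str] = field(default_factory=set)

    @property
    def entitlements(self) -> Set[str]:
        # Effective access is the union of what every held role grants.
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.roles))


class ProvisioningEngine:
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        # (timestamp, actor, action, detail): the audit trail auditors will read.
        self.audit: List[Tuple[str, str, str, str]] = []

    def _log(self, actor: str, action: str, detail: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, detail))

    def sync_from_hr(self, actor: str, user_id: str, hr_status: str) -> Identity:
        """Enrol or update a user from the authoritative HR record and apply
        birthright roles. A terminated status strips every role: this is the
        de-provisioning step that closes the window for unauthorized access."""
        ident = self.identities.setdefault(user_id, Identity(user_id, hr_status))
        ident.hr_status = hr_status
        if hr_status == "terminated":
            removed = sorted(ident.roles)
            ident.roles.clear()
            self._log(actor, "deprovision", f"{user_id} roles removed: {removed}")
        else:
            for role in BIRTHRIGHT[hr_status] - ident.roles:
                ident.roles.add(role)
                self._log(actor, "grant", f"{user_id} +{role} (birthright)")
        return ident

    def request_role(self, actor: str, user_id: str, role: str) -> bool:
        """Access approval: refuse unknown roles, terminated users, and any
        grant that would create a segregation-of-duty conflict."""
        ident = self.identities.get(user_id)
        if ident is None or ident.hr_status == "terminated" or role not in ROLE_ENTITLEMENTS:
            self._log(actor, "deny", f"{user_id} +{role}: no active identity or unknown role")
            return False
        for held in ident.roles:
            if frozenset({held, role}) in SOD_CONFLICTS:
                self._log(actor, "deny", f"{user_id} +{role}: SoD conflict with {held}")
                return False
        ident.roles.add(role)
        self._log(actor, "grant", f"{user_id} +{role} approved by {actor}")
        return True

    def use_privilege(self, user_id: str, entitlement: str) -> bool:
        """Named-user privileged access: root is exercised under the person's own
        identity, so the audit trail records who acted, not a shared account."""
        ident = self.identities.get(user_id)
        allowed = ident is not None and entitlement in ident.entitlements
        self._log(user_id, "privileged-use" if allowed else "privileged-denied", entitlement)
        return allowed

    def actions_by(self, user_id: str) -> List[str]:
        """Everything the audit trail attributes to one individual."""
        return [f"{action}:{detail}" for _, actor, action, detail in self.audit if actor == user_id]


def demo() -> dict:
    eng = ProvisioningEngine()
    eng.sync_from_hr("hr-feed", "alice", "active")
    eng.sync_from_hr("hr-feed", "bob", "contractor")
    clerk = eng.request_role("mgr-carol", "alice", "ap-clerk")        # approved
    approver = eng.request_role("mgr-carol", "alice", "ap-approver")  # denied: SoD conflict
    admin = eng.request_role("mgr-carol", "bob", "unix-admin")        # approved
    root_before = eng.use_privilege("bob", "unix:root")               # allowed, logged under bob
    eng.sync_from_hr("hr-feed", "bob", "terminated")                  # HR change de-provisions bob
    root_after = eng.use_privilege("bob", "unix:root")                # refused after termination
    return {"clerk": clerk, "approver": approver, "admin": admin,
            "root_before": root_before, "root_after": root_after,
            "bob_roles": sorted(eng.identities["bob"].roles),
            "bob_actions": eng.actions_by("bob")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that both the approval decision and the privileged action are attributed to a named identity in the same audit trail, and that the HR feed, not the target system, is the authority that triggers de-provisioning. A real suite would replace the in-memory dictionaries with connectors to directories and applications, but the control flow is the same.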

IAM projects are based on IT and process integration

IAM projects are mainly integration projects. The largest parts of the work in an IAM deployment project are in configuring the system to reflect the business, and in integrating the components of the system with the infrastructure of the organization. A major factor in selecting an IAM suite is its fit with the existing technology in the organization.

SSO requires the IAM system to be integrated with each platform and application that it is required to support. Vendors provide connectors to some common applications with their product, while other assets will require bespoke connectors using APIs. In many cases these can be bought from third parties.

The foundation of every IAM system is one or more corporate directories, and most support Active Directory and any Lightweight Directory Access Protocol (LDAP)-compatible directory. Organizations will want to automatically move existing user registration information from existing data stores, which may be either directories or files. The ability to re-use existing configuration data will significantly affect the duration and cost of the IAM project.

The task of integrating with external organizations, including cloud service providers, has been made easier since the industry moved towards a common set of supported technologies. In particular Microsoft's acceptance of claims-based communications, including the use of SAML assertions, has removed a major stumbling block to federated working. Integration is a two-way activity and today the level of integration offered by cloud service providers is limited, but this situation will improve.

Administration and workflow

Identity administration tasks can be complex, particularly when authorization requires the participation of multiple asset owners. IAM tools should provide a workflow-based configurable process model. It is advantageous if this workflow engine is open and allows the integration of IAM processes with wider management processes, so that provisioning can be seamlessly and automatically incorporated into other management activities.

Market issues

The market for IAM products has undergone substantial consolidation. While many specialist vendors remain serving individual parts of the product spectrum, the number of comprehensive suites is limited. Most of the providers are the major IT vendors. They have continued to acquire specialist vendors to fill gaps in their product range, with the result that they now have almost completely covered the required range of functionality. They can still be differentiated in terms of how well individual components in their suite meet the needs of an organization, but the major area of differentiation is in their level of integration with the wider IT environment. As the implementation of IAM projects is largely a consultancy exercise, channel partners are also an important factor in selecting a vendor.

The emergence of identity provider services on the Internet will provide a new area of opportunity for businesses. However more work needs to be done to establish a business model for such providers. The value of services to the relying parties who will use the services is clear. The only conceivable revenue model is one in which the relying party pays the identity provider, most probably with a per-use payment. Providers could charge according to the level of assurance of each identity. One obstacle to the development of this market is that the main candidates for providing such services are organizations (such as banks) that do not see being an identity provider as one of their core business concerns. The other major obstacle is the need for a limited liability model that meets the needs of both sides.

Recommendations

Recommendations for enterprises

Every large, and large-medium, enterprise needs an IAM system to enhance its operational efficiency and to improve its security and compliance posture. Smaller organizations should review their particular circumstances.

IAM projects are about business process automation and need to be approached from a business perspective. IAM deployments need to be carefully planned, and deployed incrementally. Most of the major vendors provide a comprehensive coverage of the solution space, but some are easier to use and to integrate with existing infrastructure. An IAM project is mostly about integration with the IT infrastructure and with business processes. These are the areas that need most attention.

Recommendations for vendors

IAM is one of the most strategic areas of corporate IT. Success in the IAM sector will place a firm in a strong position to influence corporate-wide IT policy.

IAM is an essential companion to information protection, and both technologies have enhanced business value when they are deployed together. IAM is never an island, and integration and interoperability with the wider environment are primary product differentiators. Focus on ease of deployment and flexible use.

The Ovum IAM Decision Matrix

The Ovum IAM Decision Matrix explores the competitive dynamics within the IAM security market and is designed to help organizations make informed choices among the leading offerings. It presents a view of the market based on three factors: technology assessment, user sentiment, and market impact. It offers a snapshot view of the market as it stands today, and indicates those vendors that, in Ovum's opinion, organizations should shortlist, consider, or explore. The results of Ovum's in-depth research are summarized in the following table. Vendors are listed in alphabetical order within each category.


Rating – Company/Solution – Ovum Opinion

Rating: Shortlist

CA – CA Identity and Access Management Suite
CA's IAM portfolio is among the most comprehensive in the IAM space. The company's current IAM positioning focuses on “content aware identity management”, which incorporates IAM, data loss prevention (DLP), and governance, risk, and compliance (GRC) integration.

IBM – IBM Tivoli Identity and Access Management Products
IBM is among the largest and most successful vendors in the IAM space. Its coverage includes enterprise and web SSO, user provisioning and role management, password management, access control, and federated identity management services.

Novell – Novell Identity Manager 4 Advanced Edition
Novell Identity Manager 4 provides a comprehensive suite of IAM products. Novell delivers an enterprise-class IAM product set that has the scalability and high availability required to deal with large, complex, and diverse operating environments. However the company's market impact is significantly lower than that of its main competitors.

Oracle – Oracle Identity and Access Management Suite (release 11g)
Following its acquisition of Sun, Oracle has become even more of a market leader in the IAM space. It has a strong presence across all traditional IAM markets including financial services, healthcare, and the public sector and its geographic reach is also extensive. Oracle provides a very comprehensive set of IAM capabilities with a good focus on enabling customer usage across all available platforms.

Rating: Consider

Evidian – Evidian IAM Suite (version 8)
Evidian delivers a near-full suite of IAM products. However, the company's influence remains largely restricted to European markets. It provides a good range of enterprise and Web SSO, user provisioning, and access control services, and strong support for standards and authorities.

Hitachi – Hitachi-ID Portfolio
Hitachi is not a strong contender in web access management or the web and enterprise SSO markets. It does, however, provide good quality user provisioning, access control, and password management services, and is respected for its privileged user management capabilities.

Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products
Microsoft's impact on the IAM market continues to grow. It is well respected across enterprise and web SSO, user provisioning, password management, access control, and federated identity management dimensions. It is seen as a low cost provider of IAM technology and a supplier that small and medium enterprises (SMEs) are likely to turn to as their first IAM provider.

(The Decision Matrix continues, with the Explore category, after section 1.2 below.)

1.2 Report objectives and structure

Report Guide

The report is aimed at chief information officers (CIOs), chief security officers (CSOs), IT managers, business strategy managers, business analysts, system architects, development managers, and other senior decision-makers in both IT and the business.

Chapter 2: Business and technology issues in IAM

This chapter summarizes the content of this report and provides a deeper insight into the need for identity and access management (IAM). It focuses on the delivery of IAM projects, their scalability and complexity issues, and the corporate investment required. It addresses the requirement to improve business processes, the need to support the use of cloud-based services and the growing requirement to be able to federate identities between organizations. It also considers the changing vendor landscape, which continues to be rationalized.

Chapter 3: Identity and access management and compliance

The deployment of IAM is a vital component of any enterprise security strategy. It provides the foundations for controlling who has access to operational information systems, and as such aligns technology-based controls with business and operational rules and access policies. Improving the organization's security position helps towards achieving regulatory compliance. Domestic, industry-related, and international regulations all have an impact on the actions that companies must now take in order to be compliant. IAM solutions should not be purchased just to help tick compliance boxes. However, the value of the technology to businesses brings together important efficiency improvements such as providing streamlined access to systems, delivering efficient user provisioning and role management services, and providing the ability to accurately control and report on user access rights.

Chapter 4: Identity services in the cloud

Today identity continues to reside mainly in individual websites with little or no interaction between them. Users have to identify and authenticate themselves to each site or service in order to gain access. Also, once users have given personal information to a site, they have no control over how the information will be used. Site operators have very little confidence in the accuracy of the information they are given. An identity infrastructure that works across sites must be based on policy and semantic interoperability. We also require standards that go beyond syntactic and semantic levels and embrace business process issues such as assurance, privacy, and liability. They must be both privacy-enhancing and cost-effective for both users and website operators. An interoperable identity infrastructure that would be recognized at multiple websites would provide a major advance towards a truly connected world.

The Ovum IAM Decision Matrix (continued)

Rating – Company/Solution – Ovum Opinion

Rating: Explore

Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard
Although SSO and provisioning services are provided by third-party partners, Entrust remains a strong contender in the authentication and fraud management space. It also exhibits good password management capabilities.

RSA – RSA Identity & Access Management
RSA is the authentication market leader and partners with Courion for provisioning and role management. Across security areas adjacent to IAM such as security information and event monitoring, DLP, and GRC, RSA is strong and active. However, the growth in its overall IAM capabilities has failed to keep pace.

Chapter 5: Federated identity

The use of technology allows businesses to run lean and efficient supply systems. To support the approach, organizations rely on all required components being available at the optimum time. Having full visibility of stock levels, product delivery dates, and new pricing tariffs, even when that information is the property of a partner organization, adds real value to decision-making processes. Federated identity management technology can be used to create local, as well as global, interoperability between online businesses and trading partners using agreed identity management approaches. Utilizing an SSO approach allows users to move between business systems of their own organization and beyond corporate boundaries to access third-party systems.

Chapter 6: Technology comparison

The technology comparison chapter presents Ovum's view of the leading IAM vendors and their technology solutions. It includes feature comparisons of the technology along with decision matrix information on the vendors and market analysis information. The features matrix presents a side-by-side view of vendor technology capabilities in their existing product ranges. The decision matrix groups vendors into one of three categories (‘shortlist’, ‘consider’, or ‘explore’), and backs this up with a detailed view of each vendor in terms of technology assessment, market impact, and end-user sentiment.

Chapter 7: Technology Audits

The Technology Audits chapter contains in-depth evaluations of the latest product releases from nine of the IAM sector’s leading providers.

Chapter 8: Vendor profiles

The vendor profile chapter contains profiles of IAM vendors whose products Ovum considers to be important to the delivery of the core components of an IAM strategy. In many cases these are vendors with best-of-breed products that cover one or more core areas of IAM or provide complementary services that integrate with IAM.

Chapter 9: Glossary

This chapter contains a glossary of technology terms that are used in the report.

Chapter 10: Appendix

This chapter contains information about additional reading and the methodology used for this report.


CHAPTER 2: Business and technology issues in IAM


2.1 Summary

Catalyst

The extended enterprise needs a comprehensive identity layer. Identity and access management (IAM) is an essential tool for compliance and a key component of information protection in open collaborative working. More than this, however, it is a productivity tool enabling tighter working practices, collaboration, and automation of some error-prone, laborious processes.

Ovum view

IAM is a business issue, and projects must be driven by business priorities. However, many other factors need to be taken into account, and a lot can be learned from organizations that have completed successful projects. Future proofing must be built into deployed systems. IAM is an idea whose time has come, as it can be considered a strategic component of adopting cloud services.

Key messages

• IAM projects are large-scale investments.

• Business processes need to be overhauled.

• Cloud services add urgency to the need to federate identities between organizations.

• The vendor landscape has been rationalized.

2.2 Identity and access management projects are large-scale investments

Business strategy must drive technological decisions

Identity and access management is a business process. The requirements for handling identities and the use that is made of these identities are determined by how the business wishes to operate. IAM is a fundamental pillar of security strategy, while the security and regulatory requirements that the business has to satisfy are also determined by business, rather than technological considerations. It is the job of technologists to meet business needs. Business leaders must specify their requirements.

IAM systems link organizations, and inter-organizational relations must be driven by business managers. The level of buy-in from these associated organizations will depend on the configuration of the chosen system. The configuration can range from a close two-way federation of their respective IAM systems to a more basic arrangement that allows employees of the partner organization to use the primary party’s resources as external users. However, any level of inter-operation requires a business understanding of the status and assurance level of the other party’s identity credentials and a commitment from both parties to keep their identity bases up to date. Both of these require business-level convergence.


IAM systems change the way in which users interact with IT systems. Provided that the system is well-designed, these changes should have a positive impact on the user experience. Security will certainly be enhanced. However, access will be restricted in some cases and this may block some established working practices, particularly where roles are not well documented or understood. The business must be prepared for these inconveniences and have a method for rapidly resolving issues as they arise.

IAM projects are large and costly. Without substantial business buy-in at the highest level they will not be completed. They have to be integrated into business processes, which will inevitably disrupt the business process to some extent. The process owner must be an enthusiastic supporter of the IAM project to ensure the necessary commitment through this stage. A rough estimating rule is that buying professional advice and assistance is likely to cost five times as much as the technology.

The “identities” in IAM systems mostly relate to people. (Some systems may also manage systems, processes, and corporate entities.) They contain personal information that is subject to privacy legislation, and organizations that do not have IAM practices that meet all legal requirements risk substantial penalties. Therefore, a technical failing within the IAM system can have substantial business-level repercussions. This risk increases when an IAM system integrates silos of information that previously only existed within small systems in departments.

One way to reduce risk and maintain business commitment to the project is to roll out IAM incrementally, delivering real business benefit at each stage and starting with “low-hanging fruit.” Fortunately, IAM is well suited to incremental rollout by dicing up according to organizational units, systems and applications, and user groups. The majority of the cost of a project goes into the configuration, data acquisition, and process definition aspects, rather than into technology acquisition. This makes an incremental rollout viable.

Ultimately, the business and political issues are significantly more challenging than the technology issues involved in IAM projects. The project is about managing people, not user accounts.

The benefits of IAM

IAM delivers many business benefits, ranging from good governance through security, improved user experiences, and productivity enhancements to cost savings.

While every IAM project is different, it is realistic to aim for a project whose benefits will pay for the project within 18 months. A comprehensive, enterprise-wide project will typically take longer to recover its costs as it embraces aspects with a lower return-on-investment, but organizations can configure a project to fit a required rate of financial return.

IAM systems can enhance user experience and productivity. Single sign-on (SSO) to multiple platforms and applications removes the need for users to remember different user IDs and passwords, which they often feel they have to write down. It avoids the irritation and wasted time of having to repeatedly re-authenticate to the system.

IAM systems automate the provisioning process for new users and users who take on new roles. The time required for the provisioning process is typically reduced by 90%, from days to hours. The new user is therefore able to become productive much more quickly. This is particularly significant for contractors and short-term hires, for whom the provisioning time can significantly add to employment costs. Identity federation allows the provisioning of a user in one environment to extend to collaborative environments immediately and automatically. Moving forward, IAM will be at the heart of open-enterprise computing.


The direct financial savings of IAM come from the automated provisioning and de-provisioning capabilities and reduced IT helpdesk workloads. Typically 25% of IT helpdesk workload is eliminated due to the much-reduced number of forgotten password calls. Many IAM tools provide self-service password reset capability, which can further reduce the password-related workload. Process improvements in the areas of access request consideration and approval and periodic reviews of access permissions deliver further savings.

IAM is an essential element of corporate compliance and security

Organizations should deal with compliance as part of their operational infrastructure. For example, the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) require organizations to restrict and monitor access to sensitive information. IAM provides auditable policies and a control framework that addresses many requirements of compliance. Many aspects of compliance require an organization to control who can perform certain functions, to reliably monitor who does what, and to raise the consistency of process performance. When used in conjunction with logging tools, IAM can provide a wealth of information about who did what and when. Logging tools need the strong and accurate access control tools provided by IAM to be certain that the reported user was the actual user. Four aspects of the benefits of IAM are:

• Access rights can be more closely aligned to roles and responsibilities.

• Traditionally, IT users with administrator-level privileges can do almost anything on the systems on which they enjoy these privileges. Furthermore, because of the need to keep systems operating 24×7, several people are often given administrator rights to each system, sharing the same user credentials. This creates the perverse situation in which the most privileged users are not subject to personal accountability for their actions. The better IAM systems can block all anonymous systems access, restrict all administrator-level access to sensitive data, and provide separation-of-duty controls.

• The ability of IAM systems to automatically remove access rights from leavers and employees who move on to different roles blocks one major category of inappropriate access to systems. This de-provisioning function is one of the most important security functions of an IAM system.

• IAM systems can give much faster and easier login to systems, removing the very real temptation for users to share sessions on machines in common access areas, and hence provide a level of personal accountability for user actions. The value of this feature is seen in hospitals with access to patient records and in financial dealing rooms.

These benefits also help raise the security of corporate systems. Additionally, IAM can enhance security by bringing in stronger authentication systems than were previously available. Traditionally, authentication is built into platforms, systems, and applications and offers little scope for changing the default mechanism. IAM systems can allow the flexibility to adopt different forms of authentication, use two-factor authentication, and even vary the level of authentication according to the current characteristics of a session or the business being transacted.

These security enhancements are essential to satisfying e-governance requirements because the associated reporting is meaningless without personal responsibility. Data loss prevention (DLP) systems are similarly hamstrung without a reliable indicator of who is handling a piece of information. The combination of IAM and DLP is particularly powerful, and can be configured to implement data protection policies that are appropriate for specific countries, for example.


How to run a successful IAM project

The key to success in an IAM project is to focus on the business issues. Too often they are technology-driven and fail as a consequence. We have already discussed the importance of getting buy-in and commitment at the highest levels of the organization. The next prerequisite is to know your users and understand what they do and how they do it, remembering that actual practice may have diverged from theoretical processes over time. If the new IAM-related processes do not fit with business practices, the project will fail.

The aim should be to introduce the maximum amount of automation into the processes. This will win the support of key business movers as well as providing the necessary payback.

When selecting products, ease of management should be a key consideration. The selected product should enable you to specify each change in access rights or processes once, and have it rolled out across the enterprise automatically and consistently. Pay particular attention to any pain points in the existing processes and ensure that they are mitigated in the new system.

The IAM system should be capable of seamlessly and effortlessly incorporating any changes in employee working practices, particularly relating to flexible working and homeworking. It is likely that within the lifetime of the IAM system the organization will have moved some way towards allowing employee-owned endpoints, and that virtual client technology will be widespread.

We have also mentioned the importance of cross-enterprise working in modern business. External users need to be deeply integrated into IAM in a form of federation. However, there are different federation architectures and it is important to choose the right one, considering future changes that may occur in the way the business operates. The main choice is between a “hub-and-spoke” configuration in which the central player takes the main role in establishing bilateral relationships, and a many-to-many model in which a central federation service negotiates claims by people who require access to any organization in the network.

Above all, when you are ready to implement the IAM system, adopt an incremental rollout and review the success of each phase as you go, refining the details to resolve issues that arise. Incremental rollouts reduce the capital risk by partitioning the project budget, and allow proven economies to be recognized as justification for following phases of the project. They also help to win support for the project. In particular, SSO has to be configured to accommodate each application, platform, and service that it embraces. These targets can be implemented in batches. Incremental rollout and pilot projects can also be used to validate the processes that are being defined within the IAM system – for example, to remove bottlenecks in the approval process.

Use existing identity stores to avoid unnecessary reinvention of the wheel. 75% of enterprises will find that their Active Directory (AD) will give them the bulk of their required configuration file. However, all imported data should be reviewed for currency and accuracy to avoid perpetuating bad practices.

It is important not to overlook the need to educate users before they are brought into the scope of the IAM system. It should not be assumed that the new working methods will be self-evident. It is also a good idea to communicate with users during the implementation phase and afterwards as the system is extended and improved.

There are complex issues involved in extending the IAM system to customers and others who are not employed by either the organization or its federated partners. In particular, there is the question of what information about each person needs to be held in the system. Within the workplace, a person’s identity is usually primarily about the roles they perform.


For external users, identity is about their relationship with the organization. For customers this could include their payment information, relationship history, and identity assurance requirements. Each situation brings its own requirements, and the system needs to be designed around them. External users should not be regarded as “pseudo-employees” because this approach will not deliver the required security level or meet business requirements. For example, there is no defined “leaving” process for external users that could trigger their de-provisioning. External users have particular needs for controls on the disclosure of their attributes that are held in the system, because this information tends to be personal.

2.3 Business processes need to be overhauled

Managing non-employees in the workforce

IAM systems provide a single central authority managing the identities of system users. This is in itself a culture shock for many organizations in which the management of contract and temporary staff is often handled at departmental or project level, with little reference to the HR department. The accounting department, with its responsibility for payroll, is often closer to being the global authority of current workers. However, in some cases staff may be paid locally or through the invoice process, rather than through the central payroll.

The IAM system often has to manage access for workers employed by subcontractors on site who are not covered by any direct payment system. In some organizations volunteers work on the company system. The group of people who are entitled to be in the building and use the IT system is often much wider than the current employees.

All of the issues surrounding access rights management are magnified many times when looking at user accounts with administrator privileges. Administrator accounts are, by default, all-powerful and anonymous. Each platform, system, and application may have an administrator to manage it and keep it in good health. As work needs to go on around the clock, several people need to have these powers to ensure that at least one will be available when needed. Business systems run across many servers and applications. This leads to a proliferation of administrator accounts. For example, Ovum knows of one organization that has 86,000 users and 100,000 administrator accounts. The anonymity of administrator accounts makes it impossible to assign personal responsibility for the actions of such users. We look to IAM systems to “hide” the administrator accounts and only allow users to exercise them after they have logged into the system as a normal user and through the IAM system itself. The access rights to information held within the system can also be restricted through the IAM mechanisms. These opportunities should be exploited. Although using external IAM services is an option that many organizations have successfully exploited, particular sensitivities about outsourcing the management of administrator accounts need to be considered.

Leavers

Removal of user rights and de-provisioning of users who cease to work for the organization make up one of the most important functions of the IAM system from a security perspective. However, integrating this apparently straightforward task into business processes can be complex. Whereas the arrival of a new employee is a single-step process, their departure is long and drawn out, going through several stages. In the simplest case the departure process is triggered by the employee’s resignation. Their leaving date should then be known, but may not be cast in concrete at this stage. They may have more restrictive access rights at stages during their notice period. With redundancies or disciplinary procedures, the process becomes much longer and more complex. These processes all have to be captured within the IAM system, and each change in the status of the employee must be recognized in the system immediately.


When we consider volunteers, subcontractors, and other non-employees in the system, the process becomes even more confusing. What event signifies or triggers the user’s departure? How is this communicated to the IAM system? Do subcontractors retain any residual maintenance functions after they finish their period on site? One possible approach to this problem is to re-certify the access rights of all non-employees periodically, but this may place an unacceptable burden on managers.

Mergers and acquisitions

Mergers and acquisitions place a heavy burden on IT administration. The consolidated business will be working towards a single comprehensive IT infrastructure to achieve economies of scale and rationalization. However, this is only achievable at a reasonable cost if it is a long-term objective. In the meantime, there is a need for a convergence strategy that will enable interoperability and start to realize cost savings. A unified IAM system should be at the heart of the convergence strategy.

The easiest way to embrace diverse infrastructures immediately is to federate the parts using an identity federation tool. This avoids the need to enroll a user in both parts of the organization, and can provide the basis for SSO across the enlarged enterprise. This is a relatively simple scenario for deploying identity federation as there are no issues surrounding inconsistent standards of identity assurance to resolve. In this scenario, the deployment team can focus on the technical issues.

Moving forward, the business will want to increase the level of convergence towards total unification. The IAM system should allow the move to be made incrementally, with federation technology ensuring that users retain their necessary access permissions on both sides of the merged organization.

2.4 Cloud services add urgency to the need to federate identities between organizations

Use of cloud services requires corporate identity to be externalized

Many organizations are using or planning to use cloud services. The issues surrounding access control are particularly important for cloud services. Public cloud services are accessible to anyone on the Internet, with only the access control mechanism between the corporate intellectual property and the outside world. Services implemented in a so-called “private cloud” on the corporate Intranet are also relatively open to unauthorized access.

Access control to cloud services has two main requirements:

• User authentication has to be strengthened to reflect the ease of access to the service portal and the value of the information and processes behind that portal.

• The directory of authorized users of the service has to be kept up to date. It needs to be automatically synchronized with the internal corporate IAM directory to be both secure and efficient.

Access control based on user IDs and passwords held within the cloud service does not meet either of these requirements. The best option is to configure the cloud service to accept assertions from the corporate IAM system as the only means of gaining access to the service. The user experience would require the user to log in to the corporate system and then enjoy an SSO transfer to the cloud service when required during their session. The strength of authentication is determined within the internal IAM environment. A possible compromise is to configure the service to use an assertion from the corporate system as a second authentication factor. This can deliver most of the security benefits of full integration, but it does not give the user seamless access to the cloud service or perform automatic provisioning and de-provisioning.
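The three configurations just described (assertion-only access, assertion as a second factor, and passwords held within the cloud service), as an added illustration that is not code from the report or from any IAM vendor. It assumes a shared HMAC key between the corporate IdP and the cloud service so that it runs offline; the users, service names and timestamps are constructed sample data.

```python
"""Assertion-based access to a cloud service (added illustration, not the report's or
any vendor's code).  The corporate IdP is the single source of truth for who is active
and how strongly they authenticated; the cloud service is configured to accept only
the IdP's signed assertions, or in the compromise mode a local password plus an
assertion as second factor.  Keys, users and timestamps below are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

ASSERTION_TTL = 300  # seconds an assertion stays valid (constructed sample policy)


def canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key, body):
    # HMAC stands in for the XML/JWT signature a real federation protocol would use.
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


@dataclass
class CorporateIdP:
    """In-house IAM: holds the authoritative directory and signs assertions."""
    key: bytes
    users: dict = field(default_factory=dict)  # user -> {"active": bool}

    def issue_assertion(self, user, audience, two_factor, now):
        rec = self.users.get(user)
        if rec is None or not rec["active"]:
            raise PermissionError(f"{user} is not an active corporate identity")
        if not two_factor:  # authentication strength is decided here, not in the cloud
            raise PermissionError("corporate policy: cloud access requires two-factor login")
        body = {"sub": user, "aud": audience, "iat": now, "exp": now + ASSERTION_TTL}
        return {"body": body, "sig": sign(self.key, body)}

    def deprovision(self, user):
        """Leaver processing: only the corporate directory has to change."""
        self.users[user]["active"] = False


@dataclass
class CloudService:
    name: str
    idp_key: bytes
    mode: str = "federated"  # "federated", "second-factor" or "local"
    local_passwords: dict = field(default_factory=dict)  # only the weaker modes use these

    def verify(self, assertion, now):
        body = assertion["body"]
        if not hmac.compare_digest(sign(self.idp_key, body), assertion["sig"]):
            return False, "signature does not verify"
        if body.get("aud") != self.name:
            return False, "assertion was issued for another service"
        if not body["iat"] <= now < body["exp"]:
            return False, "assertion outside its validity window"
        return True, body["sub"]

    def access(self, now, assertion=None, user=None, password=None):
        if self.mode == "federated":
            if assertion is None:
                return False, "only corporate assertions are accepted"
            return self.verify(assertion, now)
        local_ok = user is not None and self.local_passwords.get(user) == password
        if self.mode == "local":
            return (True, user) if local_ok else (False, "bad local password")
        if not local_ok:  # second-factor mode: local password first, then the assertion
            return False, "bad local password"
        if assertion is None:
            return False, "corporate assertion required as second factor"
        ok, info = self.verify(assertion, now)
        if ok and info != user:
            return False, "assertion subject does not match local account"
        return ok, info


def demo():
    """Walk through the cases the text describes; returns the outcomes."""
    key = b"constructed-shared-secret"
    idp = CorporateIdP(key, {"alice": {"active": True}, "bob": {"active": True}})
    crm = CloudService("crm.example", key)  # best option: assertions only
    hr = CloudService("hr.example", key, mode="second-factor", local_passwords={"alice": "pw1"})
    legacy = CloudService("legacy.example", key, mode="local",
                          local_passwords={"alice": "pw1", "bob": "pw2"})
    now = 1_700_000_000
    out = {}
    a = idp.issue_assertion("alice", "crm.example", True, now)
    out["sso"] = crm.access(now, assertion=a)
    try:
        idp.issue_assertion("bob", "crm.example", False, now)
    except PermissionError as e:
        out["weak_login"] = str(e)
    forged = {"body": dict(a["body"], sub="mallory"), "sig": a["sig"]}
    out["forged"] = crm.access(now, assertion=forged)
    out["stale"] = crm.access(now + ASSERTION_TTL, assertion=a)
    out["password_only"] = crm.access(now, user="alice", password="pw1")
    out["second_factor_missing"] = hr.access(now, user="alice", password="pw1")
    out["second_factor"] = hr.access(now, user="alice", password="pw1",
                                     assertion=idp.issue_assertion("alice", "hr.example", True, now))
    idp.deprovision("bob")
    try:
        idp.issue_assertion("bob", "crm.example", True, now)
    except PermissionError as e:
        out["leaver_federated"] = str(e)
    out["leaver_local"] = legacy.access(now, user="bob", password="pw2")  # stale directory
    return out
```

The last case is the failure mode the text warns about: the leaver is refused by the IdP, but the service holding its own passwords still admits him until someone remembers to synchronize it.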


While this discussion represents current best practice, regulators and legislators lag behind technology. Organizations may find their options restricted by regulatory impositions. For example, financial services regulators generally dislike passwords being shared between services. It remains to be seen how they will react to a claims-based access regime, which effectively means using the same password as the user’s system login.

Federation delivering benefits

The early history of identity federation saw most deployments in configurations in which a central organization wants to improve collaboration with several of its business partners. Typically a large corporation would want to tighten its relationship with its suppliers or channel partners. The two major civil airline manufacturers, Boeing and Airbus, both made extensive and successful use of identity federation technologies, along with major automotive manufacturers.

The other area for which federation has delivered substantial benefits is bringing together the parts of an enterprise following a merger or acquisition.

Federation is starting to move out into more diverse deployments, including ones in which there is a more flexible community of organizations than the rigid “hub-and-spoke” configuration in the early deployments. Some of these deployments are enjoying a simplified design by adopting the managed federation services available in the cloud.

Even when federation services are used, the user identities are retained in-house. The common characteristic of all federated identity deployments is that each user identity remains with the user’s employer, and the employer asserts their access rights to the other partners when required. This ensures that other partners do not incur a user management overhead by participating in identity federation, as well as protecting the privacy of the individual.

Technology issues

IAM usually focuses on controlling access to systems and information by human users. However, in the collaborative and automated business environment that is emerging, the concept of identity needs to be broadened to include corporate entities, computers, processes, services, and applications. Integrated cross-organization automated processes need to control access by all of these. These can collectively be described as “objects”, taking the terminology from the object-oriented programming world. Thus, IAM systems need to be able to manage identities for any such object, and these objects need to have the means of identifying and authenticating themselves.

The leading IAM suites available today are fundamentally architected to deal with objects of all types, but some of the user interface components need to be tailored to fit these broader concepts.

The claims-based approach to inter-organizational access control is a sound basis for moving forward. Unlike some earlier protocols, it is scalable and flexible. Claims are simple statements that can be composed into more complex requirement statements using the basic operators in Boolean logic such as “and” and “or.” Using these avoids the significant administrative burden of maintaining access control lists.

Many organizations find role management a particularly difficult task. Roles define sets of entitlements and are an efficient method for grouping employees who perform similar duties. Most IAM suites allow individuals to perform a set of roles. However, many employees perform tasks that are not identical to those of any other person in the organization, particularly those in management or knowledge-worker fields. In these cases, roles become cumbersome and confusing. IAM products should allow administrators to combine role-based access permissions with additional individually allocated permissions, and should not force everyone into the role model.
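Claims composed with “and”/“or” in place of per-resource access control lists, with entitlements drawn from roles plus individually allocated permissions, as an added example covering the two preceding paragraphs; it is not code from the report or from any IAM suite. The roles, employers, resources and users are constructed sample data.

```python
"""Claims-based access decisions with roles plus individual permissions (added
illustration, not the report's or any vendor's code).  A claim is a simple
(name, value) statement asserted for a subject by their employer; a resource policy
composes claims with "and"/"or", so no access control list has to be kept per
resource.  Roles, employers, resources and users below are constructed."""
from dataclasses import dataclass, field

# role -> entitlements it carries (constructed)
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read", "ledger:read"},
}

# Employers whose assertions this relying party trusts (constructed federation).
TRUSTED_EMPLOYERS = {"acme", "partner-audit-llp"}


@dataclass
class Subject:
    user: str
    employer: str
    roles: set = field(default_factory=set)
    extra_permissions: set = field(default_factory=set)  # allocated individually, outside any role

    def claims(self):
        """Flatten identity, roles and entitlements into simple claim statements."""
        perms = set(self.extra_permissions)
        for role in self.roles:
            perms |= ROLE_ENTITLEMENTS.get(role, set())
        return ({("user", self.user), ("employer", self.employer)}
                | {("role", r) for r in self.roles}
                | {("permission", p) for p in perms})


def evaluate(policy, claims):
    """Policy is a nested tuple: ("claim", name, value) | ("and", ...) | ("or", ...)."""
    op = policy[0]
    if op == "claim":
        return (policy[1], policy[2]) in claims
    if op == "and":
        return all(evaluate(p, claims) for p in policy[1:])
    if op == "or":
        return any(evaluate(p, claims) for p in policy[1:])
    raise ValueError(f"unknown operator {op!r}")


def trusted_employer_policy():
    """Membership of the federation, composed once with "or" and reused by every policy."""
    return ("or", *(("claim", "employer", e) for e in sorted(TRUSTED_EMPLOYERS)))


# Requirement statements per resource (constructed).
POLICIES = {
    # Approving an invoice is an in-house duty that needs the approval entitlement.
    "invoice-approval": ("and", ("claim", "employer", "acme"),
                         ("claim", "permission", "invoice:approve")),
    # The ledger may be read by anyone in the federation holding the entitlement,
    # whether it came from a role or was allocated individually.
    "ledger": ("and", trusted_employer_policy(),
               ("claim", "permission", "ledger:read")),
}


def decide(resource, subject):
    return evaluate(POLICIES[resource], subject.claims())


def demo():
    """Decisions for four constructed subjects; returns {(user, resource): allowed}."""
    alice = Subject("alice", "acme", roles={"accounts-payable"})
    bob = Subject("bob", "acme", extra_permissions={"ledger:read"})  # manager outside the role model
    carol = Subject("carol", "partner-audit-llp", roles={"auditor"})  # federated external auditor
    dave = Subject("dave", "other-corp", roles={"auditor"})  # right role, employer not in the federation
    return {(s.user, r): decide(r, s) for s in (alice, bob, carol, dave) for r in POLICIES}
```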


There is a divergence of opinion about whether IAM systems should manage both access to IT systems and physical access to facilities, or whether they should be limited to information system access. Cost and complexity are increased if physical access is included. However, the combined approach allows:

• the leveraging of identity credentials such as smartcards

• the use of a single identity directory, giving some economy

• security to be enhanced using a joined-up view – for example, physical presence can become an implicit authentication factor.

However, a unified approach means that you will have to register everyone who works on site, even if they never use the IT systems – including cleaners and security guards.

2.5 The vendor landscape has been rationalized

The vendor landscape has consolidated around big IT suppliers

The vendors of the main IAM suites have been acquired by the big IT infrastructure vendors. In some cases, such as with CA, IBM, and Oracle, the vendor has made a number of small and large acquisitions over time to arrive at its current position. In contrast, some vendors such as Microsoft and Novell have largely built up their IAM offerings by internal product development. The current dominance of the market by the big players is a consequence of the central role that IAM plays in IT management and delivering IT compliance. Organizations want to buy fundamental capabilities from a strong vendor with which they already have a substantial relationship and whose IAM systems will fit in well with their IT environments. The vendor landscape reflects the fact that IAM projects are “big-ticket”, long-term, and strategic.

The trend towards big vendors has also been driven by the commercial aspects of this market. Until recently IAM vendors found it difficult to make a profit in a relatively slow market. However, the consultancy work that went with an IAM project was more lucrative. This encouraged vendors with large consulting practices to be active in IAM.

A large group of vendors specialize in particular aspects of the technology, such as identification or authentication, clustered around the IAM suite providers. These include smartcard providers, biometric product vendors, and suppliers of a range of innovative authentication approaches. These products can interact with IAM suites using standard protocols such as the biometric application programming interface (BioAPI) protocols, supplemented with various amounts of bespoke integration work.

Sun’s demise has provided the latest crumbs

The club of IAM suite providers is now quite small and fairly stable. However, there have been two notable exits in recent years. In 2008, HP sold its IAM practice to Novell, which was already a major player in the space. In 2010, Oracle completed its acquisition of Sun Microsystems, including the latter’s IAM products. As both vendors had comprehensive suites, there is a lot of rationalization ahead, with most cuts falling in the former Sun portfolio. Oracle has provided an open path, allowing organizations that currently use Sun’s suite to migrate to its products, in addition to incorporating a few Sun products into its range. However, Oracle faces competition from Courion, which has also laid out a migration route for Sun users and is a strategic provisioning partner of RSA.

As IAM is becoming increasingly strategic, both infrastructure vendors and security vendors that do not have an IAM offering are looking less credible in their fields. Most aspects of information protection require an awareness of who is accessing the information.


The focus of security is to move from network security to information protection, throwing the spotlight on gaps in the vendor’s portfolio. At the same time the limited number of players limits the scope for partnerships, which in most cases would be with a competitor. The number of potential acquisition targets is now small.

Currently, we can only speculate on how vendors such as HP, Symantec, Cisco, and Intel/McAfee will respond to the new market perspective.

2.6 Recommendations

Recommendations for enterprises

IAM is a strategic project that needs a strong, long-term business strategy behind it. If the project is executed well it will deliver a high rate of return, both financially and in terms of improved governance. It must be driven by business considerations and supported by buy-in at the highest levels in the organization, not least because it will require changes in business processes. Implementation is best approached in an incremental fashion.

IAM is as much about working with partners and outsiders in the extended enterprise as it is about the internal IT systems. Systems must be designed to accommodate any foreseeable expansions and extensions in the working realm.

Cloud services are about to boost the importance of IAM in the enterprise. The cloud service provider can be regarded as an important business partner that needs to be brought into the federated identity net.

Recommendations for vendors

IAM is also strategic for vendors. It is a sticky technology that can reduce customer churn by locking customers in to building processes around your technology. IAM is now more than just an opportunity to drive consulting engagements, and has become a cornerstone around which to build systems management, compliance, and security offerings.


CHAPTER 3: Identity and access management and compliance


3.1 Summary

Catalyst

The use that is made of identity and access management (IAM) technology within the public and private sector is growing in line with the threat environment. Most organizations understand the need to maintain control over who is allowed to access their information assets. They recognize the negative impact that not having the proper identity management controls in place can have on the organization and its reputation. They also appreciate that industry regulators have the power to extract fines and impose sanctions when organizations fail to fulfill their compliance obligations.

Ovum view

The deployment of IAM technology should be seen as a vital component of an enterprise security strategy. The use of IAM is foundational to controlling who has access to operational information systems. Knowing which users are allowed to have access to which information systems and aligning control with the operational rules and access policies improves the organization’s security position and helps towards achieving regulatory compliance.

Domestic, industry-related, and international regulations all have an impact on the actions that companies must now take in order to be compliant. IAM solutions should not be purchased just to help tick compliance boxes. The value of the technology to businesses ought to bring together important efficiency improvements such as providing streamlined access to all available systems, efficient user provisioning and role management services, and the ability to share systems access with authorized third parties. It should also address the need to protect the integrity of business-sensitive data; controlling as well as facilitating access for information users helps to reduce data theft and fraud.

The deployment of IAM never was and is not likely to become an easy fix for broken operational structures. The implementation of the products can be complex and difficult to achieve and maintain. There have been many examples of organizations that have struggled to gain business value from the technology, often because they have been unrealistic in their objectives, or have failed to gain project buy-in at the highest levels of management. However, when an organization gets its IAM deployment strategy right, operational improvement, continuity, and security benefits accrue and as a result compliance and audit advantages become more achievable.

Key messages

• IAM delivers services that are relevant to business improvement, continuity, protection, and compliance.

• Regulatory compliance has a demanding impact on most organizations.

• Audit adds urgency to the need for a better IAM infrastructure.

• Continuity and the lifecycle approach to managing identity delivers business value.

• Everyone needs to be accountable.

• Achieving and proving compliance is a key business objective.


3.2 IAM delivers services that are relevant to business improvement, continuity, protection, and compliance

IAM provides vital business services

Organizations evolve and change as the demands of their operations grow or indeed contract. Competitive influences dictate that most businesses are constantly looking to improve their existing operations.

Cost controls dictate that more must be achieved with fewer resources and always more efficiently. Automation, self-service, and a whole range of associated approaches are used to deliver improvements. Similar demands are placed on continuity requirements, such as the need to efficiently deliver corporate services while remaining fully protected and, importantly, achieving the above objectives without falling foul of compliance regulations.

A common theme that runs across many business requirements is the need to make use of IAM to understand and control who has the right to access our systems, what use they can make of that access and where they are allowed to gain access from. As such, it is no surprise to find that IT administrators struggle to keep pace with the need for change and at the same time maintain a balance between the organization’s desire to improve its operations and its need to remain secure.

IAM can be used to improve service delivery – but beware

Business improvement, efficiency savings, and the sometimes conflicting need for operational continuity are often addressed through an attempt to deliver an increased level of automation. This usually involves growth in the use of self-service and online facilities. For IT administrators working with IAM systems, there will be a need to improve service efficiency and deliver automated user provisioning, authentication, and access control services that meet the self-service requirements of the business and its users.

Since the earliest Active Directory (AD) and associated Lightweight Directory Access Protocol (LDAP) management systems made their way onto the market, the value to business of controlling users has been widely recognized. That is not to say that technology associated with the management of identity that we conveniently bundle under the IAM label has always been particularly successful in achieving these objectives, but at least the opportunity has been there.

For many organizations the struggle continues, and for those that have deployed fully-featured IAM solutions or selected components of IAM the resulting benefits have often been less than impressive.

Problems have occurred for a number of reasons. Some are directly attributable to the vendors and the solutions that they deploy being too complex and impractical. Others fall squarely at the feet of end-user organizations that have not fully understood the internal commitment that successful IAM projects require. Organizations have gone into identity management projects without a clear enough vision of the ultimate objectives, or have simply tried to do too much too soon.

In such cases, IT has had to either go back to the basics of locally managing identity directories or start up second- or even third-generation IAM deployments.


Controlling identity and user access is vital

Making use of IAM technology to achieve business improvement and continuity benefits and, at the same time, remaining secure and compliant involves the deployment of good quality IAM services that are also easy to use. The objective is to identify and control authorized users and provide systems access whenever and from wherever access is demanded within the rules of the organization.

Controlling and maintaining ease-of-access to information systems is vital to achieving business success. At the same time, those elements of control that ensure that unwelcome visitors can be rejected and the compliance components used to scrutinize how access to business-sensitive systems and their data is controlled must also be maintained.

Business improvement and compliance objectives need to be addressed

A driving force behind the use of technologies such as IAM is the competitive nature and efficiency demands of business organizations. In many organizations, changes to business operations continue at a fast pace; updates and additions to user communities, operational work groups, and project teams can be just as dynamic and, as such, need to be managed as efficiently as possible.

Without the structure and management components that IAM provides, organizations will struggle to keep pace with the maintenance overheads needed to ensure that users and the data controlling their access rights are kept up to date. Integrated IAM is required to support business improvement and at the same time to ensure that compliance objectives are not ignored.

3.3 Regulatory compliance has a demanding impact on most organizations

Organizations need to deal with compliance as part of their operational infrastructure

Maintaining regulatory compliance and ensuring that the operations of an organization remain within the required parameters involves combining the use of good technology controls, ensuring that systems users are responsible for their actions, and putting controls in place that are both usable and effective.

Depending upon the industry and geographical location of the business, different regulations, rules, and interpretations of compliance mandates apply. The Sarbanes-Oxley (SOX) Act, while not forcing the use of specific security products, takes in the requirement to be able to maintain the validity of corporate information and control who has access to it.

Where there is commonality for rules and processes that can be applied to specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS) for the handling of financial data or the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector, there is the opportunity to set up and make available common operational processes.

For example, PCI DSS dictates that where sensitive data are being processed or held, those data need to be encrypted; the rules and regulations also determine how long and under what circumstances those data can be held.


What organizations must do to ensure that they do not repeatedly fall foul of regulations that have already been addressed is to make sure that the information that they hold cannot be subverted during normal operational activities. Information relating to customers, citizens, finances and so on may be held legitimately. That said, if access to sensitive information is not continuously controlled then all the compliance efforts that have gone before count for nothing.

A fundamental requirement for the protection of sensitive data involves controlling who has access and influencing what users can do with data once access has been granted. Importantly, it must also involve having the knowledge and information required by the company’s auditors to be able to prove that the right user controls were applied.

In an ideal world the demands of the chief information security officer would be for reliable, accurate, auditable IAM controls that safeguard and manage all access to key business systems and the sensitive data that they hold. Realistically, however, we have to accept that restrictions will be placed on what can be achieved, because of the costs involved and IT budget restraints.

What ought to be considered is how IT can make better use of the IAM facilities that they already have in place, how the operational use of user authentication and access control facilities can be aligned to the acceptable risk profile for the organization and how IAM can be used to improve the security and compliance profile of the business.

Addressing the compliance challenges and drivers

Properly deployed IAM services deliver usability for an organization’s authorized users and invoke controls that help to maintain security and compliance.

The requirements of the organization should include achieving full control over user access rights and, in doing so, providing the audit trail and management reporting facilities that prove that control is being maintained. This involves the use of stop-and-block controls, but ought to also include the use of warnings, alerts, and reports that are delivered to the appropriate authorities when suspect activities take place.

Starting operational compliance involves having the ability to record all identity-related events, which includes both accepted and rejected access attempts. It involves making effective use of technology to automate the controls that are needed to allow or deny access, to detect and report on wrongdoing, and to deliver corrective actions.
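The paragraph above describes recording every identity-related event, accepted and rejected alike, and then detecting and reporting on what the record shows. The following is an added example and is not code from the Ovum report or from any IAM product: it parses a constructed event log and flags three reportable patterns (an accepted login that follows a run of rejections, accepted access to a system outside the user's recorded entitlements, and accepted access outside business hours). The log format, the entitlement table, the rejection threshold and the business-hours window are all assumptions.

```python
"""Review of identity-related events: accepted and rejected attempts alike.

Added example, not code from the Ovum report or from any product. It parses
a constructed event log in which every access attempt was recorded, then
flags the patterns that an access policy would want reported. Log format,
entitlement table, threshold and business hours are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: timestamp, user, system, action, result
SAMPLE_LOG = """\
2011-09-01T08:02:11Z alice payroll login ACCEPT
2011-09-01T08:05:40Z bob crm login ACCEPT
2011-09-01T09:10:02Z mallory payroll login REJECT
2011-09-01T09:10:15Z mallory payroll login REJECT
2011-09-01T09:10:29Z mallory payroll login REJECT
2011-09-01T09:10:44Z mallory payroll login REJECT
2011-09-01T09:11:03Z mallory payroll login ACCEPT
2011-09-01T10:20:00Z bob payroll export_report ACCEPT
2011-09-01T23:45:12Z alice payroll login ACCEPT
"""

# Constructed entitlement table: which systems each user is allowed to use
ENTITLEMENTS = {"alice": {"payroll"}, "bob": {"crm"}, "mallory": {"hr"}}
REJECT_THRESHOLD = 3           # assumed: this many rejections before an accept is reportable
BUSINESS_HOURS = range(7, 20)  # assumed: 07:00-19:59 UTC


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    system: str
    action: str
    result: str


def parse_log(text):
    """Parse the space-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, action, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, system, action, result))
    return events


def review(events):
    """Return (finding, user, system) triples for accepted events that warrant a report."""
    findings = []
    rejects = Counter()  # consecutive rejections per (user, system)
    for ev in events:
        key = (ev.user, ev.system)
        if ev.result == "REJECT":
            rejects[key] += 1
            continue
        if ev.system not in ENTITLEMENTS.get(ev.user, set()):
            findings.append(("access_outside_entitlement", ev.user, ev.system))
        if rejects[key] >= REJECT_THRESHOLD:
            findings.append(("accept_after_repeated_rejects", ev.user, ev.system))
        if ev.ts.hour not in BUSINESS_HOURS:
            findings.append(("out_of_hours_access", ev.user, ev.system))
        rejects[key] = 0  # an accepted attempt closes the rejection run
    return findings


def summarize(findings):
    """Count findings by type for the management report."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for kind, user, system in found:
        print(f"{kind}: user={user} system={system}")
    print(dict(summarize(found)))
```

Rejected attempts are kept in the record but are only reported once an accept follows them, which is the combination that distinguishes a forgotten password from a guessed one; the entitlement check is what turns a plain authentication log into evidence about need-to-know.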

Some of the latest access control and systems management problems that organizations face involve external influences. These originate with both the business partner organizations and users that need to be controlled and the mixed operational environments that need to be supported. IAM has to be capable of working on behalf of mixed user groups across mixed physical, virtual, and cloud-based operations.

The requirement involves the ability to maintain control. Specifically, it is about managing the provisioned rights of users to ensure they are kept up to date and that all de-provisioning elements are also effectively addressed. For leavers and users whose role within the organization has changed, this is a particularly important issue. Included within this area is any separation of duties that needs to be applied. This specifically includes access controls that are focused on privileged users, with the intention of ensuring that all user entitlements are proportionate.


Addressing specific compliance issues with IAM

PCI DSS

PCI DSS does not force the use of specific protection products or services. It does, however, define industry best practices for how credit and debit card information should be handled while being stored or communicated during transaction processes.

PCI DSS data protection requirements that need to be maintained involve the strengthening of common security protocols; specifically, this includes reducing the opportunities for unauthorized users to access customer-sensitive information. It includes ensuring that external access channels are properly controlled and also has implications for what access internal users (employees, contractors, etc.) should be allowed to have.

Following various widely reported data-theft incidents, many caused by internal users, there are specific PCI DSS requirements that are intended to limit employee access to customer credit card and associated financial information. Such access controls need to be measured and maintainable and supported by reporting services that satisfy the needs of IT and the company’s auditors.

PCI DSS dictates that user access to financial data (credit and debit card data) should be limited to users who clearly need to see and work with this information. It specifically requires organizations that handle card data to implement strong access control measures. The standard states that access by business users must be on a need-to-know basis. Authorized users must be assigned a unique identity so that their access requests can be recorded and analyzed, and to ensure that physical access to cardholder data is controlled.

HIPAA

HIPAA compliance, with its specific focus on the healthcare sector, and that industry’s increasing dependence on constantly updatable patient information, present a number of interesting identity challenges that can be addressed through the use of IAM. The focus is on the need for improved security and privacy and further demands for efficiency and quality of service. The regulations and standards that are applied alongside HIPAA are wide-ranging.

IAM can be used to provide administration and access controls that protect sensitive medical records. The requirement is for products that are capable of controlling access to electronic records in complex enterprise environments. Healthcare systems share patient and associated healthcare data at local and national levels.

The underlying requirement involves controlling how information is collected, stored, and transported. Once this is achieved, however, the key objective switches to how healthcare institutions are able to keep operational data available and accessible and safe from unauthorized use, which is where IAM has an important role to play.

HIPAA data protection requirements are supported by IAM’s ability to control which users have access to particular systems, applications, and data. By controlling and reporting on the management of users, their identities, and their access rights in line with the policies and operational rules of healthcare operations, the deliverable components of compliance can be achieved. Also, the automated nature of IAM can be used to reduce the cost of healthcare compliance.


IAM takes responsibility for controlling user access; it also addresses privacy, security, and audit requirements. These are critical HIPAA issues, particularly when organizations are operating across distributed and networked environments. Allied to this is the need to change, update, or remove access rights when employees change jobs or move on. This is a specific business risk that IAM can be used to address. The management of user credentials falls into the same category of importance to ensure that usernames, passwords, and other strong access credentials are maintained. Other areas that IAM covers and are relevant to HIPAA compliance requirements include the enforced segregation of duties wherever this is appropriate, and directly linking the provisioning elements of user access to the role of each user within the organization.

SOX

The SOX act specifies that a company’s financial reports must be both verifiable and auditable. To achieve these objectives, organizations and their IT management must be able to prove that the company’s critical software applications are only available to approved personnel, and that access cannot be exposed to failure by human error or sabotage.

While SOX is not specific about which IT security systems should be deployed, it does require organizations to implement strong access control facilities in order to fulfill user management objectives.

IAM provides the required elements of identity management and access control. Therefore, when its use is supported by compliance-based best-practice templates, facilities can be tailored to address the needs of SOX. Examples of this include the provisioning of access rights to each business-critical system or information resource that is fully aligned with the individual’s exact needs as specifically defined by their job description or role within the organization.

Audit and reporting capabilities can also be used to prove that only authorized users could have gained access to sensitive information. This level of control can be extended to necessary business process constraints and can be applied by provisioning and role management systems to include separation of duty controls and regular assessments of current access rights and privileges.
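The SOX discussion above, and the earlier paragraph on keeping entitlements proportionate and applying separation of duties, describe the same three controls: entitlements that follow from the role, toxic combinations that are refused, and a recorded decision plus periodic reassessment. The following is an added example and is not the report's or any vendor's code; the role model, the toxic pairs, the user names and the audit record layout are constructed to show those controls in one place.

```python
"""Role-based provisioning with separation-of-duties (SoD) enforcement.

Added example; it is not code from the Ovum report or from any IAM vendor.
Roles, entitlements, toxic pairs and user names are constructed. Access
follows the role, conflicting combinations are refused, every decision is
written to an audit record, and a review function reports entitlements a
user holds beyond what their roles justify.
"""
from datetime import datetime, timezone

# Constructed role model: role -> entitlements on a business-critical system
ROLES = {
    "ap_clerk": {"erp:vendor_create", "erp:invoice_enter"},
    "ap_approver": {"erp:payment_approve"},
    "gl_accountant": {"erp:journal_post", "erp:ledger_read"},
    "auditor": {"erp:ledger_read", "erp:audit_log_read"},
}

# Constructed toxic combinations: one person must not both set up and approve a payment
SOD_CONFLICTS = [
    frozenset({"erp:vendor_create", "erp:payment_approve"}),
    frozenset({"erp:invoice_enter", "erp:payment_approve"}),
]

AUDIT_LOG = []  # stand-in for an append-only audit store


def entitlements_for(roles):
    """Entitlements implied by a set of roles; an unknown role is an error, not silently empty."""
    ents = set()
    for role in roles:
        if role not in ROLES:
            raise KeyError(f"unknown role: {role}")
        ents |= ROLES[role]
    return ents


def sod_violations(entitlements):
    """Toxic pairs fully contained in the entitlement set."""
    return [pair for pair in SOD_CONFLICTS if pair <= entitlements]


def provision(user, roles, actor):
    """Grant the role-derived entitlements unless they form an SoD conflict.

    Returns (decision, entitlements); a refused request grants nothing,
    and both outcomes are recorded with the actor who requested them.
    """
    ents = entitlements_for(roles)
    violations = sod_violations(ents)
    decision = "granted" if not violations else "refused"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "user": user,
        "roles": sorted(roles),
        "decision": decision,
        "violations": [sorted(v) for v in violations],
    })
    return decision, (ents if decision == "granted" else set())


def excess_entitlements(roles, actual):
    """Periodic review: entitlements actually held that no assigned role justifies."""
    return set(actual) - entitlements_for(roles)


if __name__ == "__main__":
    print(provision("carol", {"ap_clerk"}, actor="iam_admin"))
    print(provision("dave", {"ap_clerk", "ap_approver"}, actor="iam_admin"))
    print(excess_entitlements({"auditor"},
                              {"erp:ledger_read", "erp:audit_log_read", "erp:journal_post"}))
    for entry in AUDIT_LOG:
        print(entry)
```

The refusal path matters as much as the grant: the audit record of a refused request is what lets an auditor see that the control fired, and `excess_entitlements` is the regular reassessment the paragraph calls for, catching rights that were granted directly rather than through a role.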

Compliance demands are driven by common themes

Among a number of common control themes that run across the regulatory compliance relationship between regulators and the organizations that are required to comply with their rules is the ability to prove who your users are and control what they are allowed to do.

If you drill down into the regulator’s expectations of how identity ought to be used to control user access, there are elements that are standard to the general usage of IAM in most business operations. Where the additional requirements occur is around the issue of the information that is required to ensure that only the right users can access specific systems and their data.

Even after adding the burden of proving that users are who they say they are and that their access rights are balanced and appropriate, and supporting the required controls with audit-level evidence, the use of IAM for compliance is not overly burdensome. These requirements make IAM into a frontline component of compliance. Its wide-ranging use across different industry verticals also makes it available to support the controls required by many different industry regulations.


3.4 Audit adds urgency to the need for a better IAM infrastructure

Audit helps organizations to prove compliance

Government and industry regulations, such as those mentioned in the previous chapter, demand that organizations exercise proper control over customer and financial data and business-sensitive systems.

The requirement is to be able to prove compliance. How are organizations expected to achieve this in a way that is wholly acceptable to each regulatory body? One suitable method is being given a clean bill of health by an independent external IT audit report.

Most successful enterprise organizations are both dynamic and busy. To maintain their required levels of efficiency they need to have facilities in place that automatically provision, maintain, and manage user identity resources. An important part of the complete resource management role involves the ability to record and report on all identity-related activities, including those that involve changes to user, role, and segregation of duty permissions.

Continuous compliance assists with audit processes

Continuous compliance is an objective that most organizations would love to achieve, but many struggle to get there. The vast majority of enterprise IAM products claim to provide a range of authentication, provisioning, role management, web and enterprise single sign-on (SSO), and password management facilities that address compliance issues. They also claim to be able to detect and remediate against anomalies found on an ongoing basis, and maintain all management information for future use.

It is worth emphasizing that this particular level of good practice, if it becomes a reality, is viewed favorably by auditors. In real terms it helps to position the organization as being efficient and strong in the delivery of security and management controls. From a purely practical perspective, it can also help minimize the time that the auditors will then take to test and validate the organization’s security controls.

Good IAM practice provides business benefits

There are many different examples that show how IAM is being used to achieve compliance and how, through the use of automation, such activities also find favor with an organization’s auditors. One good indicator that is often put forward is that of how effectively employees that leave an organization or change their role are dealt with.

The requirement for disowned accounts is spread across three levels. First of all, organizations need to know about and be able to identify all user accounts that are no longer valid; then they need to have the ability to take the required corrective actions. This may involve suspension, change management, or the removal of access rights.

The final element in the process involves recording and reporting on the actions taken. The type of audit controls envisaged can also be extended to ensure that account managers carry out periodic review processes to certify that active users in their domain have the right access entitlements and, importantly, that they retain the need to keep those entitlements.


3.5 Continuity and the lifecycle approach to managing identity delivers business value

Continuity drives the need for IAM

So far we have covered IAM continuity as it relates to continuous compliance and to the improvement of audit processes. What have not yet been discussed are operational benefits and why it is important to take a more inclusive view of identity management and its access control facilities.

There are two major elements that drive the need for continuous IAM control and with it the delivery of a lifecycle approach to the management of identity. There is the requirement to fully utilize the information resources in corporate data stores to trade as efficiently as possible. For example, making use of the Internet to provide access to corporate data and the web as a direct trading channel means that organizations can support self-service efficiency and customers can have 24/7 access. The other element is the ever-increasing range of threats and malicious attack approaches that threaten to destabilize web and associated real-time activities.

From an IAM perspective, continuity starts with the ability to manage each user from the first time that they are provisioned with an initial set of access rights through to the time that their rights are removed. In effect, this means management of the complete user lifecycle, a definition that may sound inclusive enough, but in reality only scratches the surface.

This is because the nature of doing business is constantly evolving. We now share information with suppliers and business partners and collaborate on projects. We provide customers and other system users with all-day, every-day access to our systems and information resources. Going forward, further interactive opportunities will emerge, they will need to be supported, and the lifecycle approach to managing users will continue to grow.

Outsourcing and the use of managed services adds complexity

In attempting to do more with fewer internal resources, organizations are taking up the option to outsource operations and services to contractors and are also using service providers to manage operational systems.

Because all these external elements add complexity to business operations, they also increase the demand for good quality IAM solutions that are capable of automatically managing mixed communities of users across physical and virtual operating environments. A further issue is the requirement for continuity when considering the IAM controls needed to deal with internal and external users while still attempting to reduce security risks.

IAM is an essential product in the battle to maintain control over who and what can gain access to information systems. However, bringing systems access and usage up-to-date and including the key considerations of web clients and general Internet access is challenging.

The increasing volume of remote access demands is changing the systems dynamics of IAM. It means that some longstanding identity management solutions are now overdue for an update. To remain fit-for-purpose, their services need to be brought up-to-date to meet the demands of collaborative working practices, shared information services, and operations where third parties, business partners, or service providers have control over everyday information assets.

The effective management of identity is a precursor to successful data loss prevention (DLP)

IAM controls user access to operational systems and addresses many of the control issues related to regulatory compliance and audit. Another area of IT security that directly associates itself with the demands of the regulators is the prevention of data loss.


Business users can play a primary role in putting an organization’s data assets at risk. Therefore, the case for aligning the use of DLP solutions and their ability to protect sensitive data with core IAM technology that assigns and controls user access rights is a strong one.

The protection role of DLP involves the need to work with existing infrastructure systems such as AD and other common LDAP directories. It entails a requirement to integrate with existing IAM facilities in order to understand what systems access rights each user or group of users has. Leading on from this, once those access rights have been accepted, it also requires the ability to work with permission-based roles in order to ensure that what users go on to do complies at each level with the organization’s data usage policies.

Controlling who has access to an organization’s systems and information resources becomes very difficult to achieve without an integrated relationship between core management systems such as IAM and DLP.

3.6 Everyone needs to be accountable

IAM provides organizations with well defined access management tools

IAM technology provides the tools to ensure that effective access management facilities can be implemented across organizations. This represents the starting point for controlling the rights of each user.

A common misconception is that having achieved this objective, the task is complete. This of course is not true. It is only the beginning of a continuous process that requires IT administrators, business managers, and responsible infrastructure departments, such as HR, to collaborate on the provision of effective controls.

The object is to provide information users with all the access rights that they need to do their jobs. At the same time, the correct security balance requires that the access provided is appropriate to fulfill a user’s role within the organization, and limited for compliance purposes to those systems and information resources that they need to have.

That said, the needs of individual users constantly change; promotions change roles, new arrivals need to be provisioned, and leavers must have their systems access rights removed in a timely manner. Security aligned with usability is what needs to be achieved. IAM provides tools that can deliver the required objectives, but not without help from process owners and business managers.

Arguments against the efficiency of IAM and its ability to achieve the required user control objectives suggest that previous generations of the technology were not up to the task because they focused purely on the security issues. They did not do enough to deliver a sustainable model of continuous access.

Access governance that ensures that the policies of the organization are in alignment with the provisioning and role management elements of IAM is what is required. However, delivering this balanced approach requires the skills of a knowledgeable management team, good administration, and effective levels of automation from technology that can fit with both operational and compliance requirements.

Compliance demands that users play their part

Technology can be used to provide as many automated processes as an organization demands. Provisioning, password management, SSO and user self-certification processes have been improved for the benefit of the business and to achieve cost savings using automation and self-help approaches.

CHAPTER 3: IDENTITY AND ACCESS MANAGEMENT AND COMPLIANCE 4411


That notwithstanding, any automated delivery approach is only as good as the back office rules, processes, and management that have been put in place to deliver the service.

• Provisioning facilities that are not properly controlled by strong rules and not regularly maintained by administrators and process owners can result in users having open access where this is not appropriate, or not enough rights to do their jobs.

• Password management that is too easy to bypass or too complex to maintain has the same issues.

• SSO that is delivered with the right levels of control can be extremely beneficial to users and the business, but SSO without strong protection can put the whole organization and its information systems at risk.

In all these areas, self-service and certification can have an important role to play, but to maintain compliance, usage has to be aligned with levels of control that are appropriate to specific user groups, roles, and access rights.

Role management helps to align many people-to-process issues

When organizations are looking to achieve that important balance between securing the business and its information assets and the demands for open information access from users, strong and informed business decisions are needed.

Since the first early-adopter IAM systems were deployed, there has been a constant debate about how to make password management systems as secure as possible, and the unreliability of static passwords. Provisioning systems brought about an automated look and feel to the way that users were provided with access to systems. However, as before, early approaches lacked control and security, and many such systems continue to be poor at managing the whole user lifecycle.

In some cases, typical problems that remain include the inability to adequately control users that have out-of-date access rights, to deal with users with more than one identity, and to completely remove access rights from users that have left the organization but retain the ability to access corporate information.

Without doubt, the provisioning systems provided by some IAM vendors are more inclusive and better at controlling user and full lifecycle management issues than others, but in many cases, more work is needed.

Alongside the use of provisioning services, role management facilities are receiving a significant amount of attention. Role management is being deployed so that organizations, especially those of a significant size and with an enterprise infrastructure, can be managed in line with the requirements of the business. One strong argument in favor of the approach is that the protection requirements of businesses include regulatory compliance, and the delivery of role management services takes this into account.

When used correctly and directed towards the combined security, compliance, and operational requirements of the organization, role management facilities allow job functions to be structured and defined into categories that are aligned with operational and business access needs.

Systems administrators and business managers have the opportunity to define and structure roles and user groups to match their business operations; these can be categorized by local department or particular project, or defined by geography or business unit.

Role management delivers the type of structure to IAM that aligns its use with the operational and compliance requirements of the business and its users. For IT and process owners, the structure that role management brings with it provides visibility into an organization’s user access credentials; all existing roles are defined and visible, and setting up new roles becomes more straightforward while also meeting business and IT infrastructure demands.


Using a top down approach, role management can be linked to business process usage and, because business processes need to take in compliance requirements, the approach pulls together business and IT requirements. Like any other set of IAM components, role management services are only as good as the people who manage their use. Roles will change on a frequent basis. Users within groups will change and move on. Provisioning allows users and their access rights to be properly controlled, while role management adds further efficiencies as users are assigned to roles and roles are linked to business operations.
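The lifecycle problems listed above (leavers retaining access, users with more than one identity, out-of-date rights after a role change) are the kind of thing a reconciliation run catches. The Python below is an added example, not code from the report or any IAM product: it compares an HR feed and a role model against what a directory actually holds and reports each class of problem. All people, roles and entitlements are constructed.

```python
"""Constructed example, not code from the Ovum report or any IAM product.

Reconciles an HR feed (the authoritative joiner/mover/leaver source) and a
role model against what a directory actually holds, and reports the lifecycle
problems the text describes. All people, roles and entitlements are made up."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Role model: the entitlements each business role is allowed to hold.
ROLE_MODEL: Dict[str, Set[str]] = {
    "finance-analyst": {"ERP_READ", "REPORTS_VIEW"},
    "finance-manager": {"ERP_READ", "ERP_APPROVE", "REPORTS_VIEW"},
    "hr-admin": {"HRIS_READ", "HRIS_WRITE"},
}


@dataclass
class HrRecord:
    """One row of the HR feed: who the person is and their current role."""
    person_id: str
    role: str
    leave_date: Optional[date] = None  # set once the person has left


@dataclass
class Account:
    """One directory account with the entitlements it currently holds."""
    account_id: str
    person_id: Optional[str]  # None when no HR owner can be matched
    entitlements: Set[str] = field(default_factory=set)
    enabled: bool = True


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> Dict[str, list]:
    """Compare directory accounts with HR and the role model."""
    findings: Dict[str, list] = {
        "leaver_still_active": [],  # person has left, account still enabled
        "excess_entitlement": [],   # entitlements outside the person's current role
        "orphan_account": [],       # no matching HR owner
        "duplicate_identity": [],   # one person holding more than one account
    }
    hr_by_id = {rec.person_id: rec for rec in hr}
    accounts_per_person: Dict[str, List[str]] = {}

    for acct in accounts:
        if acct.person_id is None or acct.person_id not in hr_by_id:
            findings["orphan_account"].append(acct.account_id)
            continue
        accounts_per_person.setdefault(acct.person_id, []).append(acct.account_id)
        rec = hr_by_id[acct.person_id]
        if rec.leave_date is not None and rec.leave_date <= today and acct.enabled:
            # A leaver should have no access at all; one finding per account.
            findings["leaver_still_active"].append(acct.account_id)
            continue
        allowed = ROLE_MODEL.get(rec.role, set())
        excess = acct.entitlements - allowed
        if excess:
            findings["excess_entitlement"].append((acct.account_id, sorted(excess)))

    for person_id, ids in accounts_per_person.items():
        if len(ids) > 1:
            findings["duplicate_identity"].append((person_id, sorted(ids)))
    return findings


def run_sample() -> Dict[str, list]:
    """Run the reconciliation over constructed sample data."""
    hr = [
        HrRecord("p1", "finance-analyst"),
        HrRecord("p2", "finance-manager"),  # moved here from an HR role
        HrRecord("p3", "hr-admin", leave_date=date(2011, 6, 30)),
        HrRecord("p4", "finance-analyst"),
    ]
    accounts = [
        Account("alice", "p1", {"ERP_READ", "REPORTS_VIEW"}),
        Account("bob", "p2", {"ERP_READ", "ERP_APPROVE", "REPORTS_VIEW", "HRIS_WRITE"}),
        Account("carol", "p3", {"HRIS_READ", "HRIS_WRITE"}),  # left, still enabled
        Account("dave", "p4", {"ERP_READ"}),
        Account("dave2", "p4", {"REPORTS_VIEW"}),  # second account, same person
        Account("svc_legacy", None, {"ERP_APPROVE"}),  # nobody owns this one
    ]
    return reconcile(hr, accounts, today=date(2011, 9, 1))


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

Each finding maps to one of the problems the text names; in practice the HR feed, directory export and role model would be read from the real systems rather than constructed inline.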

3.7 Achieving and proving compliance is a key business objective

The difficulties of achieving compliance need to be overcome

The scope of regulatory compliance demands can be extensive. For governments, they cover international, national, and local controls. For each business area, standards can be industry specific (HIPAA in healthcare), or cut across boundaries (PCI DSS, which covers the protection of financial transactions across many business areas). The one thing that rarely changes is that new elements of regulatory compliance continue to be added. Regulations and standards are tightened, extended, and often made more difficult to achieve, and on each occasion, the emphasis is always on organizations to find a way to comply.

Technologies such as IAM have a role to play and can be used to improve and add efficiencies to an organization’s approach to addressing compliance demands. The role as a compliance-enabling technology is to deliver automation and control to compliance processes. Business managers need to be able to prove that compliance objectives are being achieved. IAM and its reporting services can be used to help with this. Management also needs to put in place operational policies that employees and other affected users can understand and follow without it having an adverse impact on their day-to-day activities. IAM provides the infrastructure to achieve this.

For business managers, it is important to be continually aware of compliance demands and to be sure that they are being addressed. It is essential to be able to validate the compliance position and support this effort with procedures and reports that prove an organization’s status. These are areas where compliance-enabling technologies such as IAM can help.

Make use of technology and processes that validate compliance

The most effective approaches to achieving compliance involve the use of practical systems controls. Cost and efficiency demands drive the need to ensure compliance can be delivered as easily and as efficiently as possible.

Establishing processes and making use of technology that addresses particular regulatory issues is a good way to start down the road to compliance. There is also a requirement to be able to prove that an organization is compliant. To achieve these objectives, business and IT managers must ensure that their processes are executed in line with company rules and be able to prove that during audit.

When looking at the use of technology from a compliance perspective, there is a need to consider whether it can be deployed across all areas of the business, whether its services and management reporting can be centrally managed, and from this, whether reports can be generated that validate its effectiveness.


3.8 Recommendations

Recommendations for enterprises

The deployment of IAM technology should be seen as a vital component of an enterprise security and compliance strategy.

The use of IAM is foundational to controlling who has access to operational information systems.

Knowing which users are allowed to have access to which information systems and aligning control with the operational rules and access policies improves an organization’s security position and helps toward achieving regulatory compliance.

Domestic, industry related, and international regulations all have an impact on the actions that companies must now take in order to remain compliant.

IAM can deliver services that are relevant to business improvement, continuity, protection and compliance.

Recommendations for vendors

There is a growing need to provide IAM technology that delivers business improvement and continuity benefits, and at the same time supports security and compliance demands.

Over-complexity has been a problem in the IAM sector; therefore further improvement is needed to make sure that good quality IAM services are also easy to use.

Government and industry regulations demand that organizations exercise proper control over customer and financial data and business-sensitive systems. The ability to identify and control user access is fundamental to achieving these objectives.


CHAPTER 4: Identity services in the cloud

4.1 Summary

Catalyst

We are entering an exciting period in the development of Internet identity services. They promise greater convenience for users, higher conversion rates from enquiries to sales for Internet merchants, and greater assurance for Internet-facing businesses, including government websites. They offer increased scope for performing trusted and high-value web transactions. However, “identity” comprises a portfolio of personal information – it is much more than establishing a user’s name – and the centralization of a user’s Internet activities around a single identity provider increases the risk of privacy violations and fraud based on impersonating the real user. The industry must address the new risks that come with this change.

Ovum view

The entry of the US government into the Internet identity services market will kick-start the sector. Inevitably, the emergence of a large guaranteed federal market stimulates the supply side to meet the demand. Already, the standards community has responded by defining a tiered model of different levels of assurance, and the processes needed to underpin each level. Auditing standards to ensure compliance with these standards are following.

The tiered model is crucial for the development of identity-providing services. It not only gives assurance to relying parties, it also provides a basis for determining the value of each band of assurance. This, in turn, provides the basis for a business model for the providers and an appropriate limit of liability for identity service providers.

Closed “circles of trust”, embracing collaborating organizations in a federated identity-sharing paradigm, have largely sidestepped issues relating to business models and liability because they are a partnership of equals who all benefit from the collaboration. The participants are prepared to share risks and costs to enjoy the benefits of collaboration. This model will not, however, extend to working in the open Internet.

So far, we have not seen a viable business model for identity service providers. In future, the relying party will have to pay when people use an identity provider’s service to access the relying party’s site. The alternatives do not address the need. We cannot expect the identity subject to pay. Internet users are extremely reluctant to pay for anything, and are particularly unwilling to pay for something that seems like an administrative overhead. Today, many embryonic services rely on government subsidies, but this source of revenue will not grow; rather, it is likely to shrink. The advertising-funded model has been tried but it is doubtful how far this model can be expanded in a privacy-sensitive area. Higher levels of assurance incur higher costs and lower levels of exposure, since high-value services account for only a small proportion of Internet transactions. The advertising model will therefore not support a comprehensive identity provider sector. The only remaining source of revenue is the relying party. The relying party benefits from the assurance work that the identity provider has carried out, and from not having to maintain its own identity ecosystem. This is the only viable business model.

Liability issues appear to be even more intractable than those of financing identity services. However, this may not be the case in practice. We need to be pragmatic. We have lived with managed service providers of various types for many years. None of them offer compensation based on their clients’ business loss when their service fails. Identity providers must offer compensation for errors that is proportionate to the fees they charge for their service. This is the best compromise that is achievable; it is not the practice today, but it is affordable since it relates to revenues and a provider’s ability to pay. It is only feasible where the relying party pays for the service, in order to establish the parameters of the potential compensation payment.

CHAPTER 4: IDENTITY SERVICES IN THE CLOUD 4477


Key messages

• The need for an Internet identity is now recognized.

• Several levels of identity assurance are needed.

• Legal and commercial issues are still of paramount importance.

• Technology is being developed for Internet identity.

4.2 The need for an internet identity is now recognized

The Internet identity ecosystem

Today, identity resides largely in individual websites with no interaction between them. Users have to identify and authenticate themselves to each site or service to gain access, ignoring those passive information sites that have no access control. Once users have given personal information to a site, they have no control over how the information will be used. Site operators have very little confidence in the accuracy of the information they are given. An identity infrastructure that works across sites must be based on policy and semantic interoperability. We therefore require standards that go beyond the syntactic and semantic levels and embrace business process issues such as assurance, privacy, and liability. They must be both privacy-enhancing and cost-effective for both users and website operators.

The key elements of an Internet identity ecosystem are shown in Figure 4.2.1. Solid lines show mandatory flows, while dotted lines show alternative flows.


Figure 4.2.1 Internet identity ecosystem (Source: Liberty Alliance (Kantara)). Parties: Identity provider, Identity broker, Identity subject/user, Relying party. Flows: Identity credential, Attribute selector, Required identity attributes, Session connection is established.

The identity subject can request an identity credential satisfying the requirements of the relying party with which they want to do business. This can be done either directly or through the services of an identity broker. The subject then has the option of filtering out attributes in the credential that are not needed by the relying party, if the protocols and the credential structure allow this. When the relying party is satisfied with the assurance it is given, it will open a session with the identity subject. The relying party may be able to share the credential with other relying parties to enable a single sign-on (SSO) session with multiple sites or service providers.
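The flow in Figure 4.2.1, as an added example that is not code from the report or from Liberty Alliance/Kantara: the identity provider commits to each attribute separately, so the subject’s attribute selector can disclose only the attributes the relying party asked for (the “if the credential structure allows this” condition above), and the relying party checks the issuer’s signature, the assurance level it requires (the tiered model from the summary) and each disclosed value against its commitment. The issuer “signature” is an HMAC with a key the relying party is assumed to share, a constructed stand-in for a real digital signature; all names and attribute values are made up.

```python
"""Constructed example of the Figure 4.2.1 exchange, not the report's or Kantara's code.

Simplification: the issuer's signature is an HMAC with a key that the relying
party is assumed to share; a real deployment would use a public-key signature."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the identity provider's signing key


def _commit(name: str, value: str, salt: str) -> str:
    """Salted commitment to one attribute; reveals nothing without the salt."""
    return hashlib.sha256(f"{name}|{value}|{salt}".encode()).hexdigest()


def _sign(body: dict) -> str:
    return hmac.new(ISSUER_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue_credential(attributes: Dict[str, str], assurance_level: int) -> Tuple[dict, dict]:
    """Identity provider: commit to every attribute and sign the set of commitments."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    body = {
        "issuer": "idp.example",  # constructed issuer name
        "level": assurance_level,
        "commitments": {n: _commit(n, v, salts[n]) for n, v in attributes.items()},
    }
    credential = {"body": body, "sig": _sign(body)}
    subject_secret = {"attributes": dict(attributes), "salts": salts}  # stays with the subject
    return credential, subject_secret


def select_attributes(credential: dict, subject_secret: dict, required: Set[str]) -> dict:
    """Attribute selector (subject side): present only what the relying party needs."""
    missing = required - set(subject_secret["attributes"])
    if missing:
        raise ValueError(f"credential lacks required attributes: {sorted(missing)}")
    disclosed = {n: (subject_secret["attributes"][n], subject_secret["salts"][n]) for n in required}
    return {"credential": credential, "disclosed": disclosed}


def relying_party_verify(presentation: dict, required: Set[str], min_level: int) -> Tuple[bool, str]:
    """Relying party: accept the presentation only if signature, level and values all check out."""
    cred = presentation["credential"]
    body = cred["body"]
    if not hmac.compare_digest(_sign(body), cred["sig"]):
        return False, "issuer signature invalid"
    if body["level"] < min_level:
        return False, f"assurance level {body['level']} below required {min_level}"
    disclosed = presentation["disclosed"]
    if set(disclosed) != required:
        return False, "disclosed attribute set does not match the request"
    for name, (value, salt) in disclosed.items():
        if body["commitments"].get(name) != _commit(name, value, salt):
            return False, f"attribute {name} does not match issuer commitment"
    return True, "session established"


def run_demo() -> Dict[str, bool]:
    """Happy path, a tampered value, and a credential below the required level."""
    cred, secret = issue_credential(
        {"name": "A. Subject", "date_of_birth": "1980-01-01",
         "email": "subject@example.invalid", "address": "1 Example Street"},
        assurance_level=2)
    wanted = {"name", "email"}
    presentation = select_attributes(cred, secret, wanted)
    accepted, _ = relying_party_verify(presentation, wanted, min_level=2)
    hidden = "date_of_birth" not in presentation["disclosed"]  # never sent to the relying party

    forged = select_attributes(cred, secret, wanted)
    forged["disclosed"]["email"] = ("admin@example.invalid", secret["salts"]["email"])
    forged_accepted, _ = relying_party_verify(forged, wanted, min_level=2)

    low_level_accepted, _ = relying_party_verify(presentation, wanted, min_level=3)
    return {"accepted": accepted, "hidden": hidden,
            "forged_accepted": forged_accepted, "low_level_accepted": low_level_accepted}


if __name__ == "__main__":
    print(run_demo())
```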

The business imperative

The Internet today is a wide-open, global communications medium. Most organizations have set up camp on its infrastructure and started communicating with customers, potential customers, suppliers, business partners, and others. Many of them are conducting transactions across the medium. However, each of these “camps” is a silo, operating independently of other camps, apart from using the standard communications protocols that the Internet provides.

An interoperable identity infrastructure that would be recognized at multiple websites would provide a major advance towards a truly connected world. Businesses would be spared the cost of maintaining their own identity databases, users would find it easier to do business with multiple sites by avoiding lengthy registration processes and by not needing to carry sets of credentials for every website they visit, and the overall security of Internet transactions would be enhanced.

For example, in the legal profession, notaries are trying to move from paper-based to electronic baselines. They are hampered by not having access to background databases for identity profiling. They could also validate electronically signed documents if there were highly dependable identity services available.

The challenges

There are numerous difficulties facing those who seek to build such a vision, which have prevented progress over the last decade. The technical obstacles have now largely been overcome, but the business issues associated with constructing such a “web of trust” are still formidable. We must look for an incremental development of identity services that will eventually gain sufficient momentum to become self-perpetuating. Business issues include determining legal liability, the building of a viable business model for identity providers, and understanding what an identity service actually delivers and what we mean by “identity”. The process of registering individuals in an identity service will inevitably remain one where business process issues outweigh technical difficulties. We need standards, processes, and auditing frameworks to ensure a dependable quality.

Where the need lies

Today, identity providers are typically in the government, banking, and telecommunications sectors. Identity relying parties come from the same sectors and from the merchant sector.

Internet identity is gaining momentum

Despite the difficulties of finding a viable business model, reliably enrolling users, determining legal liability and understanding the role of an identity service, progress is now being made. The US government under President Obama has thrown its weight behind Internet identity services as a means of encouraging citizens to interact with the government online, and of cutting the cost of maintaining its own identity services by leveraging services in the private sector. Online services are generally cheaper to provide than more conventional forms of interaction between governments and citizens. In addition to the financial impact of the US government’s initiative, it is driving standards, and in particular, it has defined levels of trust that identity services must deliver. The government’s four-tier model has won acceptance in the wider community and starts the process of determining the level of reliance that can be placed on a particular identity providing service, and the level of rigor that an identity service provider must use when registering a subject. Levels three and four of the authentication model apply to situations where the consequences of an error go beyond financial loss. These moves therefore establish a framework in which the business sector can start to build services.


The OpenID movement has produced the most interoperable identity service so far. However, its initial objective was to provide more convenient access to social networking services, and registration within OpenID is largely self-certified. It is therefore aimed at applications where the requirement for assurance is relatively low. In its core sector, OpenID has been very successful. There are 250 million OpenID identities in existence, and these are accepted at more than 10,000 websites. Nevertheless, OpenID credentials are accepted at some e-commerce sites, which are reporting a higher rate of enquiry-to-sales conversions than sites that require proprietary registration. In this case, the benefits mainly relate to avoiding the need for users to remember multiple passwords and user IDs. The security requirement is low, as the part of the sales process involving the payment card is not altered by the adoption of OpenID at the entry to the website, and is still subject to the rules of the customer’s relationship with their card issuer.

Privacy and security concerns

The downside of Internet identity services is that they provide an accumulation of personal information in a single location, and a single point of operational failure. Privacy concerns must be addressed.

A person’s “identity” is much more than a name tag. It comprises a repertoire of personal information and a log of actions relating to the identity provider. When the identity provider expands its role to participate in transactions between the individual and other organizations, its view of the individual grows significantly. It can track a person’s Internet behavior and relate this to the more static identity attributes that it holds. Identity abuse by identity providers threatens security as well as privacy. Either the identity provider, a rogue employee, or some other hacker could misuse this information. They could impersonate the identity subject in fraudulent or criminal transactions, as they would hold both the means of identifying and authenticating the victim. A rigorous code of conduct or a legal framework is needed to protect privacy from this new threat.

The high-assurance identity market needs to move out of the public sector

The identity service provider market is still in its infancy, and scarcely exists at the high end of the trust scale. The current user registration process of each organization is rarely visible outside of an organization; however, there are legal requirements governing registration procedures in parts of the government sector, in some professional occupations including healthcare, and in the financial services sector (as a result of anti-money-laundering regulations). High-trust inter-organization e-identity networks are mostly government regulated (for example, in defense clearance procedures), but the use of government-controlled schemes by the private sector is as yet very limited. More interoperability between the two sectors is needed. In the EU, people generally look to the government sector for trusted identities (for example, ID cards and passports), while the US government is actively seeking more involvement from private sector players.

4.3 Several levels of identity assurance are needed

Online identity needs to follow successful models from the physical world

The notion of having identities with different levels of assurance is sensible, and is consistent with traditional human patterns of interaction. The definition of a system for categorizing an identity is a major step forward. As the notion of multiple tiers of identity assurance services gains acceptance, we are tying the concept of identity assurance more closely into a risk management context. This can be seen across the world, as credit reference agencies play an increasing role in delivering identity assurance.


Identity comprises a large range of personal attributes. No one supplier could provide a complete “identity” for an individual, even if the privacy issues resulting from such a concentration of personal data could be resolved. The view of identity that an organization has of a particular individual is based on the relationship that the individual has with the organization, as is the level of confidence that can be placed on the identity. For example, the level of confidence that a bank has in a customer’s identity will depend in part on how long the person has been a customer, and whether the bank has been their only financial services provider. It will therefore not always be possible to provide a subject with the highest levels of identity assurance.

Conversely, the relying parties have different needs for identity assurance, depending on the value of the transaction that they are engaged in and the risks associated with it. There is a need for a range of identity services, and the system can be made more cost-effective by spanning the spectrum from “cheap and cheerful” to “high assurance”.

Online identity requirements

The challenge for anyone trying to specify a system for online identities is to provide interoperability, usability, and transparency.

Online identities today typically give a low level of assurance, whereas the physical world is characterized by high levels of identity assurance backed by organizations with substantial assets or interests at stake, issuing identities that are accepted by other organizations, as well as long and deep personal relationships.

OpenID shows the opportunities and the challenges

Today, OpenID is often used as a second level of authentication in addition to a proprietary registration and authentication process. While this gives it valuable exposure, it also shows the limitations that have to be overcome if it is to replace existing processes.

OpenID was initially designed as a means to let people put comments on blog sites. You can use an account on one service as a means of logging on to another service. High-trust e-IDs are rare, but low-trust e-IDs can stimulate interest across the board. It has been shown that e-commerce sites accepting OpenID get higher conversion rates from enquiries to sales than sites that only accept proprietary registration. Using OpenID in preference to a bespoke identity repository also reduces support costs. High-trust OpenID providers, whose tokens can be reused more generally on other sites, are starting to appear. They need an accepted standards framework to differentiate their offerings from the mass of low assurance OpenID credentials in circulation.

The OpenID protocol lets users select the attributes of their ID that they wish to share. This is essential to protect the privacy of the identity subject when they begin to interact with both high- and low-value domains. It also provides SSO to multiple sites and services. OpenID also provides brand promotion opportunities for identity service providers.

Experience of OpenID led to the specification of the OpenID ICAM profile, which is now specified in US government requirements.

Leveraging government standards

Standardizing identity and authentication processes strengthens security and reduces costs. The US government has established itself as a leader through its market power and is moving in this area before most other organizations.

The framework emerging from the US government envisages a four-tier model for categorizing identity provider services, and this is winning general acceptance in the industry.


Credentials will need to be available with four levels of assurance to correspond to this standard. OpenID Exchange has set up a gathering of Internet and telephone companies to create a trust framework for use by multiple governments (initially the US, UK, Canadian, and Japanese governments). Their criteria are in the public domain. These comprise technical standards and policy (rules and tools) that are certified by OpenID Exchange and based on standards that have emerged from bodies such as Kantara.

Enterprises, like governments, have different types of resources to protect requiring different levels of security, although level four assurance goes beyond what most enterprises require, and most enterprises will only use the first three levels of the model. International Organization for Standardization (ISO) standard 29115 defines trust levels in user registration processes to support the model. Most protocols can already communicate levels of trust within an identity credential. National Institute of Standards and Technology Special Publication (NIST SP) 800-63-1 (the “Electronic Authentication Guideline”, published in December 2008) suggests authentication methods that are appropriate for each level of identity assurance, using single-factor and multi-factor authentication. The model is expressed in economic terms. NIST SP 800-63-1 also lists a spectrum of devices and their underlying technologies that can be used for each level of authentication. Thus, we now have guidelines covering identification, registration, and authentication for a multi-tier model.

US government requirements have also driven cloud-related security standards such as Security Assertion Markup Language (SAML), InfoCards, and Extensible Access Control Markup Language (XACML).

The PIV standards

Personal identification verification (PIV) provides interoperable and shared identification across the Internet and physical environments. It is discussed here because it is another manifestation of a common identity infrastructure, driven out of US government programs, although it is not a basis for an Internet identity service extending into the consumer sector.

The PIV standard started as a mandatory US government standard, introduced after 9/11 for identifying and providing credentials for federal employees and contractors. It defined a standard process for issuing smart cards with public key infrastructure (PKI) and biometrics, incorporating the card interface specified in the Federal Information Processing Standards (FIPS) 201 standard. It was designed to control logical access, email signing and encryption, file signing and encryption, and network VPN access, and also to be used for physical access using procedures defined in NIST publication 800-116. The American National Standards Institute (ANSI) is now working to make it more applicable for enterprise use by producing a superset of FIPS 201. The new standard is known as ANSI Generic ID Card Specifications (GICS). This allows for extensions of additional data elements and applications. The Federal CIO Council has defined two extensions to PIV for civil application: PIV-I (interoperable) and PIV-C (compatible). Pure PIV is expensive to implement as it has to satisfy secure government standards. PIV-I is based on federal standards so that it can be used in the federal infrastructure. It requires the identity management systems and processes to be externally audited.

Therefore, PIV-C is of more interest to commercial organizations, as a means of providing strong but affordable verification. PIV-C is supported in Windows 7 and enjoys widespread support, with the option of adding biometrics and physical access controls, along with other applications. The smart cards still have to meet the PIV technical specification, but the issuing process is more flexible. It provides strong authentication for every application and access point. It can still support the protection of assets up to level four, and can be implemented using standardized and reliable middleware.


PIV-C provides an enterprise with greater security, just as it does in government organizations. Security is both strengthened and made more affordable through standardization using its pervasive infrastructure and open standards. It enhances interoperability because it is designed for third-party integration into identity management systems. It gives assurance that product components have met the specified standards, and provides reliable middleware that is not limited to specific use cases. The PIV issuance model represents best practice. PIV-C supports multiple authentication mechanisms, including biometric and card-based approaches.

For the vendor, compliance with PIV-C opens up opportunities to sell to the government, as it is likely to be specified in future Federal Acquisition Regulations.

The UK Police has adopted PIV-C, largely because it combines physical and logical access controls. PIV-C allows BlackBerry email signing and support for mobile application access control out of the box. It closes the mobility cloud security gap in a way that is transparent to the user. Furthermore, intense vendor competition for government contracts reduces the price.

EU OpenID trust profile project

This project extends work on building an identity framework into the realm of auditing identity providers and registration authorities. The need for a formal framework to regulate levels of trust has been a fundamental stumbling block in previous attempts to establish Internet identity. Relying parties get confused by the options and need a more “black box” approach. They need a trust framework in which the level of trust in an identity can be easily assessed. ISO 29115 may be the answer to this need, but the framework should also clarify the roles of authentication provider and registration authority. The EU has set up a project to address these needs, the evaluation of which is due in the first half of 2011.

4.4 Legal and commercial issues are still of paramount importance

Business case development

Organizations in both the public and private sector want to embrace shared services from identity providers to achieve operational efficiencies, to raise security levels, and to increase the use of their online services. Technologists have made considerable progress in defining standards for interoperable identities and developing secure protocols. However, while businesses are keen to consume identity services, in terms of becoming “relying parties”, there remains the problem of determining when you can trust the registration process of the identity provider. Closely associated with this is the lack of a legal liability model that is acceptable to both sides in the identity services market.

These factors make it difficult to establish a business and financial case for becoming an identity provider. A business case for both identity providers and relying parties depends on generating excitement for the service from potential personal users. Privacy is a core issue. It is essential to win the trust of users as well as relying parties. The business case depends on each enrolled individual making frequent use of their identity services, both to ensure that identity providers’ assets are well used and that the relying party’s online business increases. Ease of use of an identity providing service is essential to generate increased use of web services and increased conversion of browsing enquiries into e-commerce sales. It, in turn, depends on familiarity and frequent use, creating a potential “Catch-22” situation.


Commercial models

One size does not fit all needs in identity services. People may trust Google Apps, but Google ID still lacks cross-enterprise credibility. The field today is largely government regulated and emphasizes privacy. The need for identity services to support transactions is currently limited, but this will change in future; public/private sector interoperability is the next step.

Today, Internet identity services are largely government-subsidized, ad-funded, or simply driven by enthusiasm. None of these will extend to providing universal services. Users are reluctant to pay for online services of any kind, therefore the long-term business model must be funded by the relying parties.

The enterprise is a natural identity provider in the business context. It could provide services on the Internet, but the attributes required for business and consumer activities are different, and social use of a business identity would implicitly expose who the subject works for, while businesses baulk at the potential impact on their brand of association with uncontrolled private use of their service.

Below is an overview of the characteristics of some existing e-ID services, particularly in Europe:

• CardSpace is user-centric. The user establishes an identity by self-registration or by leveraging an existing identity from another identity provider. Transactions will require identity cards that satisfy certain criteria to be used. There is not yet any business model for building on CardSpace. It is quite difficult to set up.

• Google Apps work in the Web 2.0, cloud computing and software as a service (SaaS) domains. Again, identities are self-asserted or imported from other identity providers. Google Apps provides transaction authentication and authorization (OpenID and SAML-based), financed by advertising. Google promotes its use. Google policy governs privacy, and Google does not accept any liability for errors, so it does not recommend the service for high-value transactions. However, the service is widely used in the education sector in the Netherlands.

• OpenID is mostly used in the Web 2.0 domain. Users self-register and identity is based on domain name servers. It is used for transaction authentication and profiling. Its business model is based on its low cost and its ability to increase website business. It offers limited privacy and trust.

• SURFfederatie is a Dutch universities scheme for the education domain. It reuses local user registration and provides transaction authentication and authorization. Its business model is that of a subsidized service. Privacy and trust are regulated through the existing practices of the education sector.

• DigiD is used for government services for citizens in the Netherlands, with registration carried out by local authorities. It is used for transaction authentication. Its business model is government subsidy, and its identities are typically used only a few times per year for each citizen. Privacy and trust levels are government controlled.

• BankID is a Swedish service used in the government and private sectors. Banks handle user registration. It is used for transaction authentication, digital signing, and mobile e-identity. The business model is to target massive use over a wide range of transactions. Privacy and trust are regulated by the bank sector.

• The Estonian e-ID card is used for government services and trusted transactions, including the digital signing of documents. Registration is carried out by local governments. The business model targets a large range of transactions, combining a small user fee with a larger service provider fee. The privacy and trust policy is regulated and run by a public/private consortium.


Assurance versus privacy

The process used by identity providers to establish confidence in a subject’s identity involves an activity known as “identity consolidation”. This brings all the available information it can gather about a data subject into one place. There are clearly risks if this central repository is breached.

An identity provider becomes a “single point of failure” from a privacy perspective, as both personal information and the user’s Internet behavior history are concentrated in a single location. This issue will require particular attention.

“Minimal disclosure” is a means of distributing a set of claims under the user’s control, blanking out information in an identity certificate that is not relevant for the transaction that it is to be used for. Under this scheme, the identity provider provides a credential to the identity subject, who controls its rationalization to exclude unnecessary information. The technical challenge is to provide a way in which this can be done without breaking the digital signing of the credential. Microsoft’s U-Prove has achieved this (see the U-Prove section below for more details). It has the advantage of eliminating unnecessary proliferation of personal information across the Internet, and the identity claims providers do not know how the claim will be used.

Banking regulations

Online banks want to move from access control based on user ID and password but are wary of customer resistance. Currently they have to do some authentication in house to satisfy regulatory requirements, so many think it is simpler to do all of the access control task in house than to split the task with an external identity provider. This is slowing the growth in Internet identity services, as banking could be a “killer application” driving the sector.

Identity brokers

There is another potential role in the identity services market: an e-identity broker to select a suitable identity provider for a particular situation. Such players could stimulate competitiveness in an open market. The brokers would have to be independent of the e-identity providers. When selecting an e-identity provider for a particular purpose, the broker would need to classify each e-identity provider according to its intended domain of use, how users register, how authentication works at the time a transaction is performed, the business model of the service, and the privacy and trust policy of the identity provider.

4.5 Technology is being developed for internet identity

Open Identity Trust Framework

The OITF (Open Identity Trust Framework) is built on the principle of openness, and affords transparency, accountability, and open competition. It consists of:

• A set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information.

• Oversight mechanisms to look after these requirements and mechanisms to support the flow of information among users, identity service providers and relying parties.

The next step for the OITF is to look at governance, accountability, and what market structure is likely to emerge.


The Federal Identity, Accessing and Credential Management (ICAM) Trust Framework comprises technical profiles for protocols (info cards, SAML 2.0, OAuth2 and WS-Fed), and policy comparability (covering the trust framework provider adoption process). So far, three trust frameworks are embraced: OpenID Exchange (OIX), Kantara, and InCommon. The ICAM Trust Framework is already working at level one of the trust model. It is developing procedures for levels two and three.

OASIS ID Trust

OASIS standards are widely accepted and tested for interoperability. Identity claims mechanisms are valuable for preserving privacy and limiting the flow of personal information to the minimum required by a relying party. Commercial off-the-shelf software such as Microsoft Active Directory Federation Services (ADFS) supports OASIS identity claims mechanisms.

The ID Trust member section promotes standards-based identity and trust infrastructure technologies, policies, and practices. CA and Red Hat are on the steering committee, with many major vendors in the membership, such as EMC, GSA, HP, IBM, and Microsoft.

Claims are statements made by one subject about another subject. No information needs to be held within the claims service – it just has to handle the workflow between the identity provider and the relying party. There is a need for a claims API, a claims service, and an identity selector that can allow the user to be part of the process by selecting how claims about them are to be satisfied. Cloud service providers are starting to support the model, but it is important to use widely accepted standards such as OASIS to avoid proprietary lock-in to a particular service.

U-Prove

U-Prove is a Microsoft technology that allows users to build electronic tokens for specific transactions. X509 protocols use two unique identifiers: a public key and the Certification Authority signature of this public key. The identity provider provides attributes in signed form. U-Prove is designed with “privacy built in”. It allows users to black out attributes that they do not want to forward, without wrecking the entire certificate signature. The relying party’s public key is hidden from the identity provider; however, token attributes can be placed in an “attribute” field in the certificate.

U-Prove is published as an extension to CardSpace and Windows Identity Framework. Microsoft has open-sourced the crypto software development kits (SDKs). U-Prove provides:

• anonymized and pseudo-anonymized identity;

• full identification;

• accountability;

• minimized identity disclosure;

• user control over information disclosure;

• strong authentication;

• resistance to phishing attacks;

• efficient hardware protocols.

It is based on technology that Microsoft acquired with Credentica, and is currently available for trial online. There is also the option to add a smartcard in the end-user device to protect against spyware. U-Prove still needs to go through the standards process (NIST or ISO), but a European standardization process is already under way and is expected to take three years. The Microsoft standards team is working in parallel with the European effort.
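The minimal-disclosure idea described in the “Assurance versus privacy” section and revisited above for U-Prove (blank out attributes a relying party does not need, without breaking the issuer’s signature) can be shown with a much simpler construction than U-Prove itself. The following is an added example, not code from the report or from Microsoft’s U-Prove SDK: the issuer signs a list of salted hash commitments, one per attribute, and the holder reveals only the chosen values and their salts. It is assumed that the verifier shares the issuer key, because an HMAC stands in for the public-key signature an identity provider would really use, and the attribute values and key are constructed sample data.

```python
"""Selective (minimal) disclosure over a signed credential: added example.

Construction (salted hash commitments + one issuer signature over all of
them) illustrates the principle only. It is NOT the U-Prove protocol: U-Prove
uses blinded signatures so that presentations are also unlinkable, whereas
here the signed commitment list is a constant identifier that every relying
party sees (see the comment in present()).
"""
import hashlib
import hmac
import json
import os


def _commit(name: str, value: str, salt: bytes) -> str:
    """Hiding, binding commitment to one attribute value."""
    return hashlib.sha256(b"|".join([name.encode(), value.encode(), salt])).hexdigest()


def _sign(issuer_key: bytes, commitments: dict) -> str:
    # Assumption: HMAC stands in for the issuer's digital signature, so the
    # verifier must hold issuer_key. A real identity provider would sign with
    # a private key and publish the public key.
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()


def issue_credential(issuer_key: bytes, attributes: dict) -> dict:
    """Identity provider: sign commitments, hand values and salts to the holder."""
    salts = {k: os.urandom(16) for k in attributes}
    commitments = {k: _commit(k, v, salts[k]) for k, v in attributes.items()}
    return {
        "commitments": commitments,
        "signature": _sign(issuer_key, commitments),
        "attributes": dict(attributes),          # held by the subject only
        "salts": {k: s.hex() for k, s in salts.items()},
    }


def present(credential: dict, disclose: list) -> dict:
    """Holder: forward the signed commitments plus only the chosen openings.

    Undisclosed values stay hidden behind their commitments, and the issuer
    signature still verifies because it covered the commitments, not the
    values. Note the linkability caveat: commitments + signature are the same
    in every presentation, so two relying parties can correlate them.
    """
    return {
        "commitments": credential["commitments"],
        "signature": credential["signature"],
        "disclosed": {
            k: {"value": credential["attributes"][k], "salt": credential["salts"][k]}
            for k in disclose
        },
    }


def verify_presentation(issuer_key: bytes, presentation: dict):
    """Relying party: returns the verified disclosed attributes, or None."""
    expected = _sign(issuer_key, presentation["commitments"])
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None                              # commitments were altered
    verified = {}
    for name, opening in presentation["disclosed"].items():
        commitment = presentation["commitments"].get(name)
        if commitment is None:
            return None                          # attribute never issued
        recomputed = _commit(name, opening["value"], bytes.fromhex(opening["salt"]))
        if not hmac.compare_digest(recomputed, commitment):
            return None                          # disclosed value was changed
        verified[name] = opening["value"]
    return verified


if __name__ == "__main__":
    key = b"constructed-issuer-key"             # sample key, not a real secret
    cred = issue_credential(key, {"name": "Alice Example", "over_18": "yes",
                                  "employer": "Example Ltd"})
    age_only = present(cred, ["over_18"])
    print(verify_presentation(key, age_only))  # {'over_18': 'yes'}
```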


National ID cards and mobile phone SIM cards

There are many authentication tokens in circulation, including national ID cards and mobile ID (namely SIM cards). Both need a smart card reader to connect to a PC.

Mobile-phone-based identity services have only limited value. There is a high churn rate for mobile phones, making the ongoing cost of managing devices high. The process surrounding the sale of a mobile phone does not generate high levels of identity assurance.

Combining PKI and IAM

While there is potential value in connecting digital certificate issuance and access management, there are also counterarguments for keeping them separate.

PKI comprises components, processes, and policies to manage digital certificates. PKI could profit by enrolling people based on the registration process already done by an identity provider, and automatically adopting any changes in this identity database. PKI could then issue certificates to servers used by the identity subject. PKI brings encryption and non-repudiation capability to support online transactions. Vendors that have adopted this combined view include:

• Entrust.

• Microsoft, which has linked its Identity Integration Server with its Certificate Lifecycle Manager in its Forefront Identity Manager.

• Cryptovision, which integrates with Novell identity management products, and also has prototype integrations with IBM products. User data are not passed to the Certification Authority.

However, there are no standards for connecting identity management and PKI, and security may be reduced by the integration. FIPS certification of products is difficult without a clear separation of functions, and users risk becoming locked into proprietary technology. RSA Security is also moving away from combining authentication and digital certificates.

Orange ID selector

Orange has a history of working as an identity provider:

• 2007: Orange externalizes Orange identity in OpenID.

• 2008: Orange opens its service to external identities.

• Second quarter of 2010: Orange allows users to use any identity.

Orange manages more than 100 million identity accounts across seven countries. SSO is provided through Liberty Alliance (Kantara) specifications. Network parameters are used implicitly in identification and authentication. Over 185 services are federated to the identity platform, covering web portal services, widgets, desktop applications, VoIP, IPTV, WAP, mobile applications, and Livebox home gateway applications.

The majority (90%) of Orange users avoid the need to enter usernames and passwords by using device recognition. The service doubled the usage of Orange communication services when it was introduced in France.

The relying party wants a diversity of identity providers, but the user wants to use the same provider as much as possible. The identity provider wants to play a role in as large a range of transactions as possible. Orange ID Selector is a new tool in the authentication scheme. It is an agent that reconciles these views, and maintains a direct business relationship between the identity provider and the relying party. The user sees a single interface from which to select an identity. It is designed to be easy for a relying party to integrate with their system.


4.6 Recommendations

Recommendations for enterprises

Both standards and technology are being developed for Internet user identity services. These are mainly of interest for communicating and transacting with people that have a shallow but financially or contractually significant relationship with a provider; for example, they are more relevant for communicating with customers than with employees. When these services are more developed, they will be attractive for relying parties, both in terms of cost and identity assurance. You must expect to pay for a dependable service, but the cost should be less than maintaining a proprietary registration, identification, and authentication regime. Take care to ensure that the business model, including the liability model, suits your business relationship. Also, be wary of mixing business and personal identities too closely. Business identities, with the attributes appropriate for business relationships, are unlikely to be adequately supported by public services. Identity federation across business partners is a better approach for corporate collaboration scenarios.

Recommendations for vendors

The identity services business cannot have a viable future without a universal basis for identity classification, assurance, authentication and registration. An auditing framework will be needed to maintain these standards. These standards are now emerging and all service providers should adhere to the common standards to maximize interoperability between service providers.

The “single point of failure” issue is a serious risk to the credibility of the sector. Suppliers must ensure that the theoretical risks of concentrating identity information (including online behavior records) in a single location do not become real risks. As well as maintaining the highest standards of security, auditing, and staff vetting, they should minimize the amount of information they hold, and distribute it around their organization as much as possible.

The business model for the supply side is still far from clear, and this will determine the speed with which identity services develop. The role of the US government in the market will be crucial for stimulating the market, and Ovum anticipates that its impact will ripple out across the Internet into other countries. Other governments are likely to follow its lead, although individually, their impact will be limited. User familiarity with services at the lower levels of identity assurance will help to stimulate the market for higher value services.


CHAPTER 5: Federated identity


5.1 Summary

Catalyst

The role of federated identity management (FIM) is to provide functional and secure operational environments where users of one business domain can seamlessly access the systems and information of another. In business-to-business (B2B) relationships, the goal is to achieve these objectives without having to stitch together separate identity management systems. The larger requirement for federation extends beyond pure B2B relationships and takes into account the needs of all consumer groups.

Ovum view

For systems users who struggle to maintain an ever-growing number of online identities in their business and private lives, the availability of effective FIM cannot come soon enough. The headlines suggest that federation services support business efficiency, can deliver inter-company collaboration, and provide cost and efficiency savings by supplying the tools required to build connectivity between consenting organizations. It sounds too good to be true and, unfortunately for the vast majority of businesses and information users, that remains the case.

Five years ago, the hype cycle was at its height. Most leading identity and access management (IAM) vendors were giving the deployment of federated identity solutions a high priority. They saw federation as a wide-ranging opportunity to extend the scope of common IAM services such as single sign-on (SSO) and user provisioning beyond corporate boundaries. After all, some of the required standards through OASIS with Security Assertion Markup Language (SAML) were already in place, and supporting work from the respected Liberty Alliance was moving forward at a good pace.

In the intervening years, progress has been slower than expected. Many of the reasons why are not uncommon to IT: systems complexity, large technology overheads, and unacceptably high project costs. On top of this, there has been a financial downturn that has forced most organizations to cut back on new IT projects, and complex relationship and ownership issues specific to FIM.

Not all federation projects have been put on hold. There are a number of good examples of successful FIM deployments, especially in the financial services, healthcare, and government sectors. Importantly, all of these are sectors that do not engage with new technology until operational benefits have been proved to a high degree of certainty. The operational advantages of providing federated access to business information systems are not in doubt. What still needs to be addressed, if take-up rates are to improve, are cost justification issues and project complexity objections.

Ovum recognizes that business demand for FIM remains, but further changes to the way that IAM services are delivered will be required to make federation projects more attractive. Also, taking into account the time that has already elapsed, the FIM value proposition is at a crossroads. Very large investments have been made by IAM vendors to ensure its success, and interest from public and private sector organizations remains. Therefore, significant progress now needs to be made.


Key messages

• Organizations can benefit from using a federated approach to identity management.

• Drawing up clear rules of engagement is important.

• Making better use of standards is the way forward.

• Take-up has been slower than expected – higher levels of B2B usage are required.

5.2 Organizations can benefit from using a federated approach to identity management

Federation offers advantages and convenience to enterprises and users

Organizations continue to look for innovative and effective ways to deliver their services. The automation of operational systems together with the ability to collaborate and share vital information with business partners is one important way of achieving those objectives.

The use of technology allows businesses to run lean and efficient supply systems. To support this approach, organizations rely on all required components being available at the optimum time. Having full visibility of stock levels, product delivery dates and new pricing tariffs, among others, even when that information is the property of a partner organization, adds real value to decision-making processes.

The operational requirement is for secure open access to shared business systems to be assured for authorized users, and for accurate information to be made available whenever it is needed. Within the IAM product portfolio, FIM technology is used to help deliver collaborative services to groups that wish to share business information using common access and authentication approaches.

FIM technology can be used to create local as well as global interoperability between online businesses and trading partners using agreed identity management approaches. Utilizing an SSO approach, it allows users to move between business systems of their own organization and beyond corporate boundaries to access third-party systems.

Sharing information resources is not a new concept

The concept of federation is not new. Organizations have always shared process information using a variety of approaches, governments authenticate their citizens to travel across borders using passports, and banks and retailers accept credit and debit cards as proof that the owner has the right to purchase goods across all suppliers that accept the credential.

The advantages that federation provides add process, operability, and control to the interactions between organizations and their users. Setup and usage needs to be based on business requirements, regulatory controls and technology-driven agreements that allow companies to interoperate based on shared identity management.


To prove effective, the advantages to the organizations involved should include a lowering of overall identity management costs and operational efficiency improvements through the use of extended SSO facilities, which also helps to deliver a better user experience for all.

In order to provide secure service delivery and information access, the FIM methodology leverages secure identity portability by simplifying administration across business boundaries. The approach has to have the ability to operate using common and agreed rules, access policies, and authentication that fulfills the operational requirements of each partner in the relationship.

For federated identity management to be effective, partners must share a sense of mutual trust

The success of any federated identity project relies on two things: a bond of trust existing between the parties involved, and technology controls to ensure that trust is maintained. Organizations that agree to share information must put in place processes that control who the authorized users are, what type of authentication will be required to allow access, and how those controls will be maintained.

The trust element remains important because each organization relies on its partner to maintain standards, control their users, and ensure that provisioned access rights are kept up to date. The issues that need to be addressed involve information security, regulatory compliance, and audit requirements. Trust between the parties involved forms the foundation of their operational relationship, but realistically, more contractually binding legal ties between the parties involved will normally be part of any formal agreement.

Authentication data can be passed across secure domains to business partners, enabling SSO to extend beyond organizational boundaries

FIM is not set up to be an SSO client, server, or application, and does not deliver SSO in its own right. However, through integration with IAM and the use of standards-based approaches such as SAML, common user access across participating domains is achieved.

Using a standards-based approach, FIM enables a user’s authenticated identity in one domain to be accepted for access to resources in another without the need for re-authentication. Delivering extended SSO controls provides operational efficiency savings that are valuable to users and participating organizations. The additional ability to keep user and usage definitions up to date dynamically, without further intervention, also helps to make federation a justifiable investment when the primary advantages are aligned with the shared operational goals of the businesses involved.

Real-time communications technology allows business processes to be directly integrated across system and business boundaries, while security considerations dictate that good-quality identity-based access controls must be in place to protect business assets from compromise.

Security should not hold back the sharing of inter-company information flows

It is not acceptable in today’s online trading climate for security to be seen as putting up unnecessary barriers, especially if those barriers cause operational performance to suffer.

It is clear that the security elements of IAM that control which users are allowed to have access to information sources must be retained and strengthened within federated relationships. Nevertheless, a balance that allows operational efficiency alongside levels of systems and information protection that all parties can agree on needs to be set.

CHAPTER 5: FEDERATED IDENTITY 6633


5.3 Drawing up clear rules of engagement is important

Trust is a vital component of successful federated relationships

As discussed earlier, among the core requirements of identity federation is the need to set up trust relationships between participating organizations. At the very beginning of a project, clear rules of engagement need to be drawn up and, dependent upon the relationships involved and any associated regulatory issues, agreements may well need to be legally enforceable.

This is important because identities defined within one organization in a federated relationship are going to be accepted by the other as valid and therefore trusted. As such, a strong business foundation to the relationship must exist before things can go forward.

FIM supports loosely coupled through to legally binding relationships

Gaining a full and agreed understanding of the way that a particular relationship is going to operate is essential. For example, it is crucial to know how the relationship will be aligned between the parties involved. Will it be federated as a genuinely collaborative, loosely coupled, many-to-many FIM environment, where the circle of trust is an evolving environment that is flexible and open and can be added to as the need arises? Or, will it be on a more fixed footing, where relationships need to be controlled by a set of formally defined processes that involve fixed access rules and usage policies?

There are also other options, such as one dominant player owning and dictating how a relationship will operate. This could reasonably be described as a master-to-slave environment, where one principal takes responsibility for defining, owning, and controlling how relationship services will operate, with other group members being expected to comply.

When deciding how FIM relationships will operate and what controls are needed to deliver the service successfully, as a minimum, the following issues should be taken into account:

• Which organization owns and controls the relationship?

• Will this be an open or closed project?

• What type and range of collaborative interactions will be involved?

• How will the project be managed and how will management changes be controlled?

• In either open or controlled FIM projects, how will new organizations joining an existing group be added, and how should they be treated?

• How will the issue of individual organizations leaving a relationship be handled and what controls need to be applied to make this a safe process?

• What happens when the relationship comes to an end? Can it be easily wound up and what issues need addressing when it is?

Federation brings B2B relationships up to date

The use of federation based on shared identities and SSO controls brings inter-company alliances up to date. When extending business collaborations beyond straightforward one-to-one relationships, FIM also provides the opportunity for more complex associations – often known as “circles of trust” – to be set up.

As shown in simple diagrammatic form below, connected circles of trust can be defined to support a variety of federated business relationships. For users and their organizations, each approach supports SSO pass-through at the point of assertion between each participating organization.

IDENTITY AND ACCESS MANAGEMENT 2011/126644


Governing entity approach – the collaborative model

As shown in Figure 5.3.1, a group of founders (the governing entity) forms a management relationship that establishes the rules and policy controls for ongoing membership that govern how a federated identity group operates. This could be seen as a complex approach to collaboration, as each member has approval rights, but it can also offer flexibility and control when determining the ability for members to leave and new members to be admitted into the group.


Figure 5.3.1: Governing entity approach (diagram; label: Governing entity). Source: Liberty Alliance (Kantara)

Founder approach – the consortium model

A fixed number of founders (the consortium) form an association using an agreed multi-party contract that sets the rules that govern the relationship. Control stays with the founding members. As shown in Figure 5.3.2, this is a form of FIM that operates effectively in closed environments. However, the approach appears to have restricted flexibility when looking at break-up requirements or the addition of new members.

Figure 5.3.2: Founder approach (diagram; label: Multi-party Contract). Source: Liberty Alliance (Kantara)

Single founder approach – centralized model

As shown in Figure 5.3.3, a single founder sets the rules of engagement for membership to the group that it controls. From its position of strength, the owner agrees new federated relationships with other group members on the terms that it controls and chooses to make available.

Organizations also profit when consumers are able to reap the benefits of a federated SSO culture

FIM is not restrictive. Its use is not constrained to B2B interactions. Business-to-consumer (B2C) relationships, where the consumer is a customer or citizen, can provide substantial benefits if common user credentials that are acceptable to one public or private sector domain can also be accepted by one or more partner organizations.

In whatever environment it is used, a federated identity represents a single resource that can be used to access multiple applications or websites that are grouped together by the ties of federation. As is the case in business, without FIM, users are required to manage different credentials for every application or website they use.

Consumers are further disadvantaged

In our private lives, multiple passwords and access codes are just as difficult to maintain as they are in B2B relationships. In fact, due to irregular use and fragmented relationships between user and service provider, the lack of control is more likely to lead to identities being compromised and to identity theft.

FIM builds on a trust relationship between organizations and their users. Federated identity makes it possible for consumers to use this same trust relationship to access information with other related organizations without needing new credentials.

This is an area of identity federation that is currently being discussed by commercial organizations and governments, with both the public and private sector recognizing the potential value that could be gained.


Figure 5.3.3: Single founder approach (diagram; label: Founder). Source: Liberty Alliance (Kantara)


For private users, making federation work as securely as possible is extremely important. In this context, trust remains a key issue. Standards organizations and commercial suppliers have developed architectures and tools to encourage federated identity, but as yet, they have failed to adequately address the trust issues.

Microsoft’s .NET Passport was an early example of a supposedly trusted source that would provide the ability to work with both a common and secure set of user credentials, and open standards developed by the Liberty Alliance were also prominent at the time. Perhaps because of their proprietary nature, or more likely because of a lack of trust, these early approaches failed.

OpenID is addressing some of the early adopter issues for public and private identity usage

The OpenID initiative remains the current usage contender. It is a decentralized SSO authentication system for the Internet and its objective is to enable users to log on to websites using a single secure identity. To achieve this, users must initially register with a website that supports OpenID. For example, AOL users can make use of their existing identities, because AOL already supports OpenID. There are over a quarter of a billion OpenIDs in existence, and well over 10,000 websites that accept them.

OpenID is at the early adopter stage, but as usage matures, it is likely to become more commercially attractive as a trusted identity provider service. Important operational and security issues that need to be resolved include domain name server (DNS) spoofing weaknesses. The adoption of closer SAML links would be advantageous.

5.4 Making better use of standards is the way forward

Standards organizations are developing architectures and tools to encourage federated identity

The successful delivery of federated identity across the shared domains of business partners relies on SSO that can be used with different infrastructures and a common and acceptably secure authentication approach. A common approach is required because it has to be acceptable to all parties that allow access to their systems and secure enough to satisfy each organization’s risk profile and compliance requirements.

Because of its consistent approach, SSO is the key enabling technology for the delivery of FIM and is the point at which the development of federated identity standards begins.

If organizations wish to access the information systems of their business partners or share the content of their own information systems with authorized parties, there is a compelling argument to have in place standards that will allow singly sourced user access across all domains. Furthermore, the requirement should be capable of evolving beyond individual project collaborations. It should take in the requirement for a standards-based approach to SSO that can be accepted by all organizations that choose to participate. Hence, the various circle of trust approaches that have already been discussed.

The demand for a consistent set of standards that will allow organizations to participate in federated relationships with business partners has existed for several years. Some progress has been made, albeit initially vendor-driven and grouped around existing alliances between interested identity management and web access security groups such as OASIS, Liberty, and WS-I.


OASIS and Liberty provided the lead in developing standards for federated identity

SAML is the driving force

SAML is the mature XML-based standard, defined by OASIS. It is now in its third major release (v2.0) and is used to support the management and use of identities that need to be portable across organizational boundaries and to separate websites. Its use is designed to support secure B2B and B2C transactions.

Trusted assertions are a key concept in SAML. They represent a claim that is made when an identity wants to access something such as a website or application, and undertake a task. Importantly, at the point of access, assertions can be challenged and, within the common rules of a federated relationship, found to be acceptable or not.

To achieve these objectives, SAML specifies three components: assertion, protocol, and binding. Within these components there are three assertion subsets: authentication, attribute, and authorization. Authentication assertion validates the user’s identity, attribute assertion contains specific information about the user, and authorization assertion identifies what the user is authorized to do. Hence, the direct associations with federated identity, where protocols define how SAML asks for and receives assertions and binding controls how SAML message interactions are mapped to Simple Object Access Protocol (SOAP) exchanges.

One of the core strengths of SAML is its ability to interoperate with multiple communications protocols, including hypertext transfer protocol (HTTP), simple mail transfer protocol (SMTP), file transfer protocol (FTP) and also support the key operational protocols such as SOAP, BizTalk, and electronic business XML (ebXML).
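The challenge at the point of access described above, as an added example that is not part of the Ovum report: a service provider checks a constructed sample SAML 2.0 assertion against constructed federation rules (trusted issuers, audience, validity window, accepted authentication methods) and pulls out the three assertion subsets. XML signature verification is assumed to precede this step and is not shown; every URL, identifier and value is constructed.

```python
# Added example, not from the Ovum report: a service provider (SP) challenging
# a SAML 2.0 assertion at the point of access against the rules its federation
# agreed. XML signature verification is assumed to have been done before this
# step and is not implemented here. All names, URLs and values are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: the rules this SP agreed with its circle of trust.
FEDERATION_RULES = {
    "trusted_issuers": {"https://idp.partner-a.example/saml"},
    "sp_entity_id": "https://sp.example.com/saml",
    "accepted_authn_contexts": {
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    },
}

# Constructed sample assertion as a partner IdP might issue it (unsigned, see above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2011-06-01T12:00:00Z">
  <saml:Issuer>https://idp.partner-a.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">partner-a-user-42</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-06-01T11:59:00Z" NotOnOrAfter="2011-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-06-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>procurement</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.com/orders" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC timestamp form used in SAML attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, rules, now):
    """Challenge an assertion against the federation rules.

    Returns (accepted, reasons, facts): reasons lists every rule that failed,
    facts records what the three assertion subsets claimed."""
    root = ET.fromstring(xml_text)
    reasons = []

    # Who vouches for this identity? Only partners inside the circle of trust count.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in rules["trusted_issuers"]:
        reasons.append(f"issuer not in circle of trust: {issuer!r}")

    # Validity window and audience: an assertion minted for another SP is refused.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            reasons.append("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            reasons.append("assertion expired")
        audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
        if rules["sp_entity_id"] not in audiences:
            reasons.append("audience restriction does not name this SP")

    # Authentication assertion: how strongly the partner authenticated the user.
    authn_ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                              default="", namespaces=NS).strip()
    if authn_ctx not in rules["accepted_authn_contexts"]:
        reasons.append(f"authentication method not accepted: {authn_ctx!r}")

    # Attribute assertion: facts about the user that local policy may use.
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]

    # Authorization decision assertion: what the user may do, per resource.
    authz = [{"resource": d.get("Resource"), "decision": d.get("Decision"),
              "actions": [a.text.strip() for a in d.findall("saml:Action", NS) if a.text]}
             for d in root.findall("saml:AuthzDecisionStatement", NS)]

    facts = {"subject": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
             "issuer": issuer, "authn_context": authn_ctx, "attributes": attributes, "authz": authz}
    return (not reasons), reasons, facts
```

Calling `evaluate_assertion(SAMPLE_ASSERTION, FEDERATION_RULES, _ts("2011-06-01T12:01:00Z"))` accepts the sample; the same assertion presented after its NotOnOrAfter time, or from an issuer outside the trusted set, is rejected with the failing rule named.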

Liberty adds solidarity and consistency

Not always as swiftly as business organizations would have liked, but solidly and consistently, the Liberty Alliance has worked to improve the way that identity management has developed. Its strategic approach has allowed the Liberty Alliance to focus attention on current and emerging issues in identity. The special interest structure of the organization has enabled the development of expert groups that focus on specific areas, producing output for public consumption including technical specifications, white papers and policy guidelines.

The areas covered by Liberty special interest groups include vertical and horizontal identity management issues such as healthcare identity management, e-government, identity assurance, identity theft, and federated identity.

Liberty was formed by a consortium of mainstream technology vendors and end-user organizations. The early work undertaken by its special interest group for FIM focused on its associations with OASIS and on defining, improving, and extending its own standards and how these would work with SAML.

Now operating under the Kantara umbrella (from mid-2009, Liberty transitioned its responsibilities to the Kantara Initiative), the ongoing requirement is to tighten its SAML definitions and add value by incorporating specific web services security standards that are supported by major players, including IBM and Microsoft.

Through the achievements of various Liberty Alliance special interest groups, frameworks that address federation, identity assurance, identity governance and identity web services have been developed and released. Conflicting issues remain and still need to be addressed, but for a period of almost a decade, Liberty took overall responsibility for developing usable standards for FIM.


Liberty promoted ID-FF, ID-WSF, ID-WSF DST and ID-SIS

FIM was an early driver behind the formation of the Liberty Alliance in 2001. Its approach to the development of standards recognizes the importance of collaboration, trust, and agreement within B2B relationships and the need for common identity convergence. One of the FIM group’s last acts before the handover from Liberty to Kantara was to submit the final version of specifications for identity federation framework (ID-FF) 1.2, to OASIS for inclusion in SAML 2.0.

The latest ID-FF specification contains the core requirements that allow for the creation of a standardized, multi-vendor identity federation network. The group also confirmed support for SAML 2.0 in its identity web services framework (ID-WSF) standards, thereby completing the solution cycle for web services down to deployment level.

The importance of the FIM standards work that Liberty has undertaken since its inception cannot be overstated, and can be better understood by detailing the respective roles of its core initiatives:

ID-FF

The Identity federation framework supports the sharing of an entity’s identity between domains to facilitate SSO between consenting parties in a federated relationship. It specifies the requirements for using a common authentication approach across multiple sites within an organization, and can also be used to extend collaborative relationships across third-party domains using open standards.

A federated network identity can be defined as the combination of different identities: passwords, software and hardware tokens, and other attributes known to all the organizations that are part of an agreement to provide collaborative services. Liberty’s ID-FF architecture describes a schema that is intended to provide each identity holder with common and consistent control, better privacy, and fewer requests for the reconfirmation of their credentials.

ID-WSF

The identity web services framework provides a set of specifications that support and promote the use of secure web services. ID-WSF was developed as part of Liberty’s phase two specifications which added to the earlier ID-FF release. As has already been identified, ID-FF focuses on federating the user’s authentication and SSO, whereas ID-WSF defines specifications for web services in a federated environment.

Among the key issues addressed by ID-WSF specifications is that of maintaining a federated environment for establishing trust between all participating entities without the need to reveal a participating user’s identity. The diagram in Figure 5.4.1, provided by the Liberty Alliance, illustrates the relationship between entities in such an environment and adds a practical structure to the conceptual circle of trust diagrams shown earlier in the paper.

Important drivers within ID-FF and ID-WSF include separate roles for service providers and identity providers. Although not necessarily different entities, in their role of identity provider, these organizations can perform the initial authentication and vouch for the customer to the service provider. To make this approach work, other service providers would then need to trust the identity provider.


ID-WSF DST

The identity web services framework, data services template (ID-WSF-DST) framework specifies the data layer that can be extended by any instance of a data service.

An example of a data service could be an online corporate directory. When a user needs to contact a colleague, they can conduct a search based on the individual’s name and other known elements of their corporate identity. The data service returns information associated with that individual.

Information provided could include office location, contact number, job title, and department. ID-WSF-DST provides the data model and required message interfaces. Figure 5.4.2 illustrates how the Liberty access manager uses the ID-WSF-DST framework for data services.

The web services framework in access manager uses the Liberty ID-WSF-DST to develop data services. Within the framework, Liberty access manager, personal profile service (PPS) and Liberty employee profile service (EPS) were developed on top of the web services framework, and allow additional data services to be developed by end-user organizations.


Figure 5.4.1: Relationships within a circle of trust (diagram; labels: Circle of trust; Principal; Service provider; Identity provider; Identity-based web service provider; examples shown: Customer, Employee, Game user...; Web content, Games, Merchant site...; Authentication, Federation, Discovery service, Personal profile...; Geolocation, Payment...). Source: Liberty Alliance (Kantara)

ID-SIS

The Liberty identity service interface specification (ID-SIS) operates with ID-WSF and ID-FF to provide networked identity services, such as contacts, presence detection, and directory services, that depend on the consistent use of a network identity.

The SIS component contains two relevant specifications. Firstly, ID-SIS personal profile (ID-SIS PP), which is a web-service-based offering. It provides user profile information such as name, identity, and contact information. It can also contain contact numbers, email details and other information such as employment and public key details. The second component, ID-SIS employee profile (ID-SIS EP), is a web service that provides basic employee profile information using the same structure as the ID-SIS PP approach.


Figure 5.4.2: Liberty identity web services, data services template framework (diagram; labels: Liberty ID-SIS data services; Liberty web services framework; Liberty personal profile service; Discovery service; SOAP binding; Liberty ID-WSF data services template specification). Source: Liberty Alliance (Kantara)

The role of the Liberty Alliance has transitioned to Kantara and OASIS, and other interest groups are co-operating

The future of federated identity standards is transitioning from being under the control of a number of disconnected groups that for many years had gone their own way. Some progress is being made toward a position where these groups are working together to collaborate on common areas of interest.

OASIS with SAML, and Kantara (formerly the Liberty Alliance) with its federated identity interest group work, are becoming increasingly integrated in their approaches. Of late, there has also been a closing of the gap between the WS-Federation and the rest. However, nervousness remains that future developments may not continue in the same direction and there will remain a need for the suppliers of IAM- and FIM-based technology solutions to continue to incorporate the contributions from all major standards authorities.

5.5 Recommendations

Recommendations for enterprises

The use of good-quality FIM technology allows business organizations to run lean and efficient supply systems.

Organizations continue to look for innovative and effective ways to deliver their services. The automation of operational systems and the ability to collaborate and share information using FIM is one way of achieving these objectives.

FIM technology can be used to create local as well as global interoperability between online businesses and trading partners using agreed identity management approaches.

Recommendations for vendors

Competing vendors and end-user organizations have taken too long to agree on unifying IAM and FIM standards. Better and more effective answers are still needed.

Vendors continue to give the deployment of federated identity solutions a high priority, but must address the fundamental cost and complexity issues that are slowing down take-up.

To address business resistance to FIM, vendors need to work towards developing federation technology that can sit alongside their existing identity management SSO and provisioning deployments as an easier-to-use and simpler-to-deploy package.


CHAPTER 6: Technology comparison

6.1 Summary

Catalyst

To provide a comprehensive analysis of the competitive landscape in the identity and access management (IAM) market, Ovum has developed its IAM Decision Matrix. This report explores the competitive dynamics within the IAM market and helps businesses select a vendor based on technology strength, impact in the market, and reputation among customers. Ovum provides a complete view of vendor capabilities and advises on those you should explore, consider, and shortlist.

Ovum view

The core elements of the IAM market are considered to be mature. However, vendor investment and innovation carries on as the leading vendors continue to acquire additional technology and extend the scope of the market. Several software conglomerates dominate the IAM sector and over the last three years, the number of specialists has declined. However, a number of smaller best-of-breed players remain to serve specific niche areas, such as strong authentication, provisioning services, and privileged user controls. Ovum believes that there is the potential for some of these specialist vendors to compete and grow their market share.

Key messages

The following trends summarize the competitive dynamics of the IAM market:

• CA, IBM, Novell and Oracle provide the most extensive technology solutions, and as such, dominate the sector.

• Competition between the leading players is strong, especially in highly regulated verticals such as financial services, healthcare, and government.

• Although vendors prefer to talk about large-scale, enterprise-wide deployments, the majority of IAM implementations remain at a strategic level.

• Microsoft has achieved good penetration in the small to medium enterprise markets.

• RSA remains the dominant player in enterprise authentication.

• Entrust, Evidian, and Hitachi represent the smaller IAM vendors, but should be seriously considered because of the impressive nature of their respective IAM suites.

• BMC does not have a technology audit in this report because its IAM strategy has changed. It now markets its IAM product as a component of its Business Service Management (BSM) offering.

CHAPTER 6: TECHNOLOGY COMPARISON 7755

6.2 IAM Features Matrix

Features Matrix methodology

Through a combination of one-to-one interviews, product evaluation, and deep background research, Ovum analysts have compiled a comparative product analysis and comprehensive features matrix across nine major IAM categories:

• Authentication technology covers specific areas such as the provision of strong authentication, biometrics, token-based solutions, smartcard authentication, support for mobile devices, and the ability to support physical and logical authentication using a single approach.

• Enterprise and web single sign-on (SSO) breaks down into SSO capabilities to cover the key areas of enterprise SSO and web SSO.

• User provisioning and role management deals with the requirements to set up, maintain, and ultimately remove services from individuals and user groups, and also covers the need for role-based management services.

• Password management takes into account core identity management services that cover areas such as password frequency change controls, content controls, structure controls, and the automatic generation of system controlled passwords.

• Access control covers key IAM capabilities such as centrally controlled access management, policy- and rules-driven controls, administrator rights, and the ability to reduce and control specific administrator capabilities, including the segregation of duties.

• Federated identity management (FIM) deals with the control of inter-company and third-party relationships covering issues such as support for members of a federated circle of trust, contact relationships with partners, and the provision of support for local policy controls as users move across third-party facilities.

• Administration and policy management covers both central and locally controlled and delegated administration responsibilities.

• Infrastructure supported covers a wide variety of areas, including directories, operating systems, application platforms, web servers, and communications protocols.

• Standards and authorities. A wide range of appropriate authorities and standards such as Kantara (formerly the Liberty Alliance), Security Assertion Markup Language (SAML) and a whole host of others are compared.


Features Matrix


Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products.

AUTHENTICATION TECHNOLOGY | CA | Entrust | Evidian | Hitachi | IBM

Authentication capabilities supported:
Two-factor authentication | O | Y | Y | Y | Y
Token-based authentication | A | Y | Y | A | Y
Smartcard authentication | A | O | Y | A | A
Mobile and smartphone based device authentication | A | Y | O | Y | A
Physical and logical authentication from a single approach or device | A | A | Y | Y | A
Use of variable authentication levels depending on the actions that the user wishes to perform | Y | Y | Y | Y | Y

Authentication types and secure access channels owned and delivered as part of the core IAM solution:
Fixed passwords | Y | Y | Y | Y | Y
One-time generated passwords | Y | Y | Y | Y | Y
Smartcard authentication | Y | Y | Y | Y | A
Biometrics | Y | A | Y | Y | A
Mutual grid authentication (serial number and location reply) | Y | Y | N | N | Y
Mutual site validation (site validates unique response back to user) | Y | Y | N | N | Y
TAN and paper-based transaction authentication | Y | Y | N | Y | Y
Machine authentication (user pre-registered machines) | Y | Y | N | N | Y
Scratch cards | Y | Y | N | Y | Y
Certificates X.509 | Y | Y | Y | Y | Y
GrIDsure authentication | N | N | N | N | Y
Knowledge-based authentication (previously registered responses) | Y | Y | Y | Y | Y
Other important authentication forms supported: risk-based | Y | Y | Y | Y | O

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.


Columns: Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

AUTHENTICATION TECHNOLOGY | Microsoft | Novell | Oracle | RSA

Authentication capabilities supported:
Two-factor authentication | Y | Y | Y | Y
Token-based authentication | Y | Y | A | Y
Smartcard authentication | Y | Y | A | Y
Mobile and smartphone based device authentication | A | Y | A | Y
Physical and logical authentication from a single approach or device | A | Y | A | N
Use of variable authentication levels depending on the actions that the user wishes to perform | Y | Y | Y | Y

Authentication types and secure access channels owned and delivered as part of the core IAM solution:
Fixed passwords | Y | Y | Y | Y
One-time generated passwords | Y | Y | Y | Y
Smartcard authentication | Y | Y | A | Y
Biometrics | O | Y | A | A
Mutual grid authentication (serial number and location reply) | N | Y | N | Y
Mutual site validation (site validates unique response back to user) | N | Y | Y | Y
TAN and paper-based transaction authentication | N | Y | N | N
Machine authentication (user pre-registered machines) | Y | Y | Y | Y
Scratch cards | A | Y | A | N
Certificates X.509 | Y | Y | Y | Y
GrIDsure authentication | A | N | N | N
Knowledge-based authentication (previously registered responses) | Y | Y | Y | Y
Other important authentication forms supported: risk-based | O | N | Y | Y

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.


Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products.

ENTERPRISE AND WEB SINGLE SIGN-ON (SSO) | CA | Entrust | Evidian | Hitachi | IBM

FOR ENTERPRISE SSO USAGE

Provide support for:
Centrally managed SSO services | Y | A | Y | Y | Y
Distributed and locally delegated SSO services | Y | A | Y | Y | Y
Desktop and laptop SSO access | Y | A | Y | Y | Y
Employee access | Y | A | Y | Y | Y
Fixed term access with automated de-provisioning (e.g. contractor access) | Y | A | Y | Y | Y
Customer access | Y | A | Y | N | Y
Partner organization access | Y | A | N | N | Y

Provide facilities across:
Trusted internal networks | Y | A | Y | Y | Y
Trusted external enterprise networks | Y | A | Y | Y | Y
Trusted partner networks | Y | A | Y | Y | Y
Authorised B2B networks | Y | A | Y | Y | Y
Support for application level SSO | N | A | N | Y | Y
Support for mobile sessions across different workstations (e.g. healthcare workers) | N | A | N | N | Y

Security facilities available:
Provision of encrypted directory protection | Y | A | Y | N | Y
Secure login services – use of secure login scripts | Y | A | Y | Y | Y
Minimum SSO standards – use of two-factor authentication | Y | A | Y | N | Y
Logoff warning settings | Y | A | Y | N | Y
Individual user or group time settings | Y | A | Y | N | Y
Automated terminal locks based on the use of proximity cards | Y | A | N | N | Y

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

IDENTITY AND ACCESS MANAGEMENT 2011/128800

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

Microsoft –

Microsoft

Forefront

Identity

Manager 2010

and

Associated

Products

Novell –

Novell

Identity

Manager 4

Advanced

Edition

Oracle –

Oracle

Identity and

Access

Management

Suite –

Release 11g

RSA (The

Security

Division of

EMC) – RSA

Identity &

Access

Management

ENTERPRISE AND WEB SINGLE SIGN-ON (SSO)

FOR ENTERPRISE SSO USAGE

Provide Support for: Centrally managedSSO services

Y Y Y N

Distributed and locallydelegated SSOservices

Y Y Y N

Desktop and laptopSSO access

Y Y O N

Employee access Y Y Y N

Fixed term access withautomated de-provisioning (e.g.contractor access)

Y Y Y N

Customer access Y Y Y N

Partner organizationaccess

Y Y Y N

Provide Facilities

across:

Trusted internalnetworks

Y Y Y N

Trusted externalenterprise networks

Y Y Y N

Trusted partnernetworks

Y Y Y N

Authorised B2Bnetworks

Y Y Y N

Support for applicationlevel SSO

Y Y Y N

Support for mobilesessions acrossdifferent workstations(e.g. healthcareworkers)

Y Y O N

Security facilities

available:

Provision of EncryptedDirectory Protection

Y Y Y N

Secure login services –use of secure loginscripts

Y Y Y N

Minimum SSOstandards – use of two-factor Authentication

Y Y Y N

Logoff warning settings Y Y Y N

individual user or grouptime settings

Y Y Y N

Automated terminallocks based on the useof proximity cards

A N N N

ENTERPRISE AND WEB SINGLE SIGN-ON (SSO) (continued)

FOR WEB SSO USAGE

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Provide support for: | | | | | | | | | |
| Web-based employee access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Business partner access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Known customer/client access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Unknown customer access | Y | N | Y | A | Y | Y | Y | Y | Y |
| Centrally managed SSO services | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Distributed and locally controlled SSO services | Y | Y | Y | A | Y | Y | Y | Y | Y |
| SAML | Y | Y | Y | A | Y | Y | Y | Y | Y |
| WS Federation | Y | N | A | A | Y | Y | Y | Y | Y |
| Provides extended support for: | | | | | | | | | |
| Software as a Service (SaaS) environments | Y | Y | Y | A | Y | Y | A | Y | Y |
| Outsourced services | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Out-of-the-box integration with other third-party Access Management systems | N | Y | Y | A | Y | Y | N | Y | Y |
| Two factor authentication | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Tokens that carry user identity information | Y | Y | Y | A | Y | Y | N | Y | Y |
| Working within Web services environments | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Security facilities available: | | | | | | | | | |
| Secure login services – use of secure login scripts | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Logoff warning settings | Y | Y | Y | A | Y | Y | Y | Y | Y |
| The creation and use of security certificates | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Operate as a WS-Trust Security Token Service | N | N | A | A | Y | Y | Y | Y | Y |
| Allow the importation and creation of user/partner security certificates | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Accept and support automatic notifications when user/partner security certificates are about to expire | Y | Y | A | A | Y | Y | Y | Y | Y |
| Controlling user access to web services through the corporate SSO infrastructure | Y | Y | A | A | Y | Y | Y | Y | Y |

USER PROVISIONING

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Provisioning facilities provided: | | | | | | | | | |
| Provisioning rules engine | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Centrally managed, administrator controlled provisioning and de-provisioning services | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Delegated and locally managed provisioning services | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Permission-based, self-service provisioning facilities | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Organization defined provisioning workflows | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Provisioning services: | | | | | | | | | |
| Setup and management of master and associated directories | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated set up of users based on predefined job, role, work group templates | Y | A | Y | Y | Y | Y | Y | Y | A |
| Role-based user access rights | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Rule-based user access rights | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Unique individual access rights | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Provisioning based on previously available access rights | N | Y | N | Y | Y | Y | Y | Y | A |
| Group and departmental user provisioning | Y | A | Y | Y | Y | Y | Y | Y | A |
| Third party user access accounts | Y | A | Y | Y | Y | Y | Y | Y | A |
| Resolution of access rights between people with the same user id | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automatic links to HR information for records update | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated links to the creation of user mailboxes | Y | A | Y | Y | Y | Y | Y | Y | A |
| Merger of access rights from different identity management systems (e.g. following acquisitions) | Y | A | Y | Y | A | Y | Y | Y | A |

USER PROVISIONING (continued)

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Provisioning facilities provided (continued): | | | | | | | | | |
| Automated workflow for authorising and processing user resource access requests | Y | A | Y | Y | Y | Y | Y | Y | A |
| Incorporate the control of access to cloud services into the enterprise provisioning process | Y | N | A | Y | A | Y | Y | Y | A |
| Ensuring that only users registered in the enterprise directory can use cloud services | Y | N | N | Y | Y | Y | Y | Y | A |
| De-provisioning services: | | | | | | | | | |
| Managed (policy-based) de-provisioning services | Y | A | Y | Y | Y | Y | Y | Y | A |
| Removal of redundant master and associated directories | Y | A | N | Y | Y | Y | Y | Y | A |
| Removal of redundant job/role templates | Y | A | N | Y | Y | Y | Y | Y | A |
| Removal of redundant departmental access rights | Y | A | N | Y | Y | Y | Y | Y | A |
| Removal of selected individual users and all associated access links | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Removal of selected individual account rights from a user | Y | A | Y | Y | Y | Y | Y | Y | A |
| Control over the de-provisioning of third-party users | Y | A | Y | Y | Y | Y | Y | Y | A |
| Rules-based automated de-provisioning/account disablement facilities | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated user de-provisioned due to expired usage periods | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated de-provisioning of specific entitlements due to expired usage periods | Y | A | Y | Y | Y | Y | Y | Y | A |
| User de-provisioned using HR leavers list | Y | A | Y | Y | Y | Y | Y | Y | A |
| De-provisioning of associated user mailboxes for leavers | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated user de-provisioned as a response to suspect activities | Y | A | A | A | Y | O | Y | Y | A |

USER PROVISIONING (continued)

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| De-provisioning services (continued): | | | | | | | | | |
| Automated update links to company archiving facilities | N | A | Y | Y | Y | O | Y | Y | A |
| Automated de-provisioning from SaaS, PaaS, and IaaS services | Y | A | Y | Y | A | Y | Y | Y | A |
| Incorporate the removal of access to cloud services into the enterprise de-provisioning process | Y | N | A | Y | Y | Y | Y | Y | A |
| Reporting and alerting facilities: | | | | | | | | | |
| Reporting (alerts, e-mails, or reports) when new user access rights are created | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Reporting when user/account changes occur | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Reporting when de-provisioning activity takes place | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Generation of full audit trail reporting maintained to support change management | Y | Y | Y | Y | Y | O | Y | Y | A |
| Provision of customized reporting facilities | Y | Y | Y | A | Y | Y | Y | Y | A |
| Provision of: | | | | | | | | | |
| Systems activity reports | Y | Y | Y | Y | Y | O | Y | Y | Y |
| Dormant account reports | Y | A | Y | Y | Y | O | Y | Y | A |
| Failed access reports | Y | Y | Y | Y | Y | O | Y | Y | Y |
| Policy-based reporting | Y | A | Y | Y | Y | O | Y | Y | Y |
| Policy-based management reporting for administrators | Y | A | Y | Y | Y | O | Y | Y | Y |
| Regular management reporting | Y | A | Y | Y | Y | O | Y | Y | Y |
| Policy-based management alerts | Y | A | Y | Y | Y | Y | Y | Y | Y |
| Workflow facilities: | | | | | | | | | |
| Is workflow provided as a core component of the provisioning solution | O | Y | Y | Y | Y | Y | Y | Y | A |
| Can workflow activity be pre-configured and automated | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Does the workflow system support real-time owner interactions | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Can external and third-party workflow be imported | Y | A | Y | Y | Y | Y | Y | Y | A |

PASSWORD MANAGEMENT

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Password management: | | | | | | | | | |
| Provision of password frequency change controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provision of password structure controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Automatic generation of system controlled passwords | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provision of frequency change controls for user security questions | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control over password reuse | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control over password reset policy | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provision of password encryption facilities | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Special management facilities to control and identify privileged users | Y | N | N | Y | Y | Y | N | Y | N |
| Self-service capabilities supported: | | | | | | | | | |
| Generation of new user and associated passwords | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Set up of passwords for additional systems resources | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| The reset of lost and forgotten passwords | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Generation of rules-based random passwords | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Scheduled password changes | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Unscheduled password changes | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Test password/confirmation facility prior to change | Y | Y | Y | Y | Y | O | Y | Y | Y |
| Modification of user security questions | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Locking and unlocking of user accounts | Y | Y | Y | Y | Y | Y | Y | Y | Y |

PASSWORD MANAGEMENT (continued)

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Security features: | | | | | | | | | |
| Alerts/confirmations sent when passwords change | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Alerts sent when maximum failed access attempts exceeded | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Alerts sent when access timeouts exceeded | Y | Y | N | Y | Y | Y | Y | Y | Y |
| Alerts sent to user prior to password expiry | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Automatic alerts for administrators on dormant accounts | Y | Y | N | Y | Y | Y | Y | Y | Y |
| Report information generated when password details change | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Report information generated when password anomalies occur | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Audit trail information generated when password details change | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Full audit trail information generated on all password actions | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Automatic lock out when access rules are breached | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Hardened HSM black box protection | Y | Y | Y | A | N | Y | N | Y | Y |
| Workflow: | | | | | | | | | |
| Can workflow be used to provide across system synchronisation when passwords change | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Is workflow a core component of the password management solution | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Can workflow activity be pre-configured and automated | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Does the workflow system support real-time owner interactions | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Is external and third-party workflow supported | Y | Y | Y | Y | Y | Y | Y | Y | A |

PASSWORD MANAGEMENT (continued)

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Workflow (continued): | | | | | | | | | |
| Can workflow provide across enterprise automated password update capabilities | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Can workflow be used to deliver across enterprise systems pass-through capabilities | Y | Y | Y | Y | Y | Y | Y | Y | A |

ACCESS CONTROL

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Do the range of access control facilities supported include: | | | | | | | | | |
| Server-based access controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Centrally controlled Access Management – central console management | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Policy-driven user access controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Blocking of anonymous privileged user access | Y | N | N | Y | Y | O | N | A | Y |
| Audit and reporting of privileged user actions | Y | N | Y | Y | Y | Y | N | Y | N |
| Controls to reduce specific administrator rights | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| The ability to enforce segregation of administrator duties | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Controls to delegate limited administrator rights down to local administrators | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Controls to regulate systems and database manager access privileges | Y | N | A | Y | Y | Y | Y | Y | N |
| Identity-based access to web services | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Legacy application access | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control over web browser access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Control over portal access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Status controls over end-user devices (AV patch management status, etc.) | N | N | N | A | N | Y | Y | N | N |

ACCESS CONTROL (continued)

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Do the range of access control facilities supported include (continued): | | | | | | | | | |
| Fully federated access control capabilities for external users | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Combined physical and logical access control | N | N | Y | Y | Y | A | Y | Y | N |
| Access controls to virtual machines and stored VM images | Y | N | N | Y | Y | Y | Y | N | N |
| Supports IBM RACF (Resource Access Control Facility) | Y | Y | Y | Y | Y | A | Y | O | A |
| Supports CA-ACF2 (eTrust) | Y | N | N | Y | Y | A | Y | O | N |
| Supports CA Top Secret | Y | N | N | Y | Y | A | Y | O | N |
| Support for policy-based controls over users and systems: | | | | | | | | | |
| Individual access controls at system login | Y | Y | Y | Y | Y | Y | Y | Y | N |
| Regulated access controls for systems resources – systems, processes, and programs | Y | Y | Y | Y | Y | Y | Y | Y | N |
| Time-based access controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| User location based access controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control over local policies for access control lists | Y | Y | Y | A | Y | Y | Y | Y | N |
| Control over local policies for user accounts | Y | Y | Y | A | Y | Y | Y | Y | N |
| Control over systems policies | Y | Y | Y | A | Y | Y | Y | Y | N |
| Control over web server policy | N | Y | Y | A | Y | Y | Y | Y | Y |
| Control over application policy | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Support for a hierarchical approach to the distribution of policy updates | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Support for the automated distribution of new and updated access control policies | Y | Y | Y | A | Y | Y | Y | Y | Y |

FEDERATED IDENTITY MANAGEMENT

Column headings abbreviate the products compared: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Federated services include: | | | | | | | | | |
| The facilities to support federated network identity | Y | Y | Y | A | Y | Y | Y | Y | Y |
| The provision of open SSO facilities that support decentralised authentication | Y | Y | Y | A | Y | Y | Y | Y | Y |
| The provision of open SSO facilities that support authorisations from multiple providers | Y | Y | N | A | Y | Y | Y | Y | Y |
| The provision of SSO support for members of a federated identity management group | Y | Y | Y | A | Y | Y | Y | Y | Y |
| The provision of SSO support for members of a federated circle of trust | Y | Y | Y | A | Y | N | Y | Y | Y |
| Support for direct user contact with a third-party services provider that can then be passed through to other third-parties | Y | N | Y | A | Y | Y | Y | Y | Y |
| The provision of support for local policy controls as users move across third-party web facilities | Y | N | Y | A | Y | Y | Y | Y | Y |
| Service provider interaction/notification when federated relationships change | Y | Y | A | A | Y | Y | Y | Y | Y |
| The provision of notifications to other third-parties when user accounts are terminated by the identity provider | Y | Y | A | A | Y | Y | Y | Y | Y |
| The provision of up-to-date lists of authorised users to other third-parties in a federated relationship | Y | Y | A | A | Y | Y | N | Y | Y |
| The provision of fully anonymous or temporary anonymous identities | Y | Y | A | A | Y | N | Y | Y | Y |
| Support for open navigation between identity providers (click-through, favourites, bookmarks, URL address bars, etc.) | Y | Y | Y | A | Y | Y | Y | Y | Y |

CHAPTER 6: TECHNOLOGY COMPARISON 9999

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

FEDERATED IDENTITY MANAGEMENT (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) Identity & Access Management.

Federated services include (continued) | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Guarantee the confidentiality of information exchanged between identity providers | Y | Y | Y | A | Y | Y | Y | Y | Y
Facilitating the mutual authentication of identities between service providers during SSO and authentication processes | Y | Y | Y | A | Y | Y | Y | Y | Y
Support for set minimum authentication standards between parties | Y | N | Y | A | Y | Y | Y | Y | Y
Support for re-authentication where inter-party rules dictate that the requested action class requires it | Y | N | Y | A | Y | Y | Y | Y | Y
Enable the service provider to allow user authentication to come from a third-party identification provider | Y | Y | Y | A | Y | Y | Y | Y | Y
Support the use of a single logout protocol to close all sessions that are in use by a particular user | Y | Y | A | A | Y | Y | Y | Y | Y
Invoking support for different levels of authentication dependent on actions requested | Y | Y | Y | A | Y | Y | Y | Y | Y


Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

ADMINISTRATION AND POLICY MANAGEMENT

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) Identity & Access Management.

Facility | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Central and Locally Delegated Administration Controls:
Centrally controlled administration management | Y | Y | Y | Y | Y | Y | Y | Y | Y
Delegated, locally controlled administration services | Y | Y | Y | Y | Y | Y | Y | Y | Y
Centrally controlled – master directory services | Y | Y | A | Y | Y | Y | Y | Y | Y
Delegated, locally controlled – distributed directory services | Y | N | A | Y | Y | Y | Y | Y | Y
Central security repository | Y | Y | Y | Y | Y | Y | Y | Y | Y
Administrator control over end-user machine status and location rules | Y | N | Y | Y | Y | Y | Y | Y | Y
Token Management:
Control the addition of new token types | Y | Y | Y | Y | Y | Y | Y | Y | Y
Control the revocation of tokens | Y | Y | Y | Y | Y | Y | Y | Y | Y
Authorise the issue and reuse of tokens | Y | Y | Y | Y | Y | Y | Y | Y | Y
Audit Trail and Reporting Facilities:
Provide user-level audit and reporting | Y | Y | Y | Y | Y | Y | Y | Y | Y
Provide entitlement level audit and reporting | Y | Y | Y | Y | Y | Y | Y | Y | Y
Provide administrator level audit and reporting | Y | Y | Y | Y | Y | Y | Y | Y | Y
Provide management level audit and reporting | Y | Y | Y | Y | Y | Y | Y | Y | Y
Provide administrator level alerting services | Y | Y | A | Y | Y | Y | Y | Y | Y
Provide administrator level reporting on third-party and partner activity | Y | N | A | Y | Y | A | Y | Y | Y
Ability to configure reporting to fulfil specific business needs | Y | Y | Y | Y | Y | A | Y | N | Y
Report on privileged user access and usage | Y | N | A | Y | Y | Y | N | Y | N
Record the use of all cloud services in corporate activity logs | Y | N | A | Y | Y | N | Y | N | Y


Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

INFRASTRUCTURE SUPPORTED

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) Identity & Access Management.

Infrastructure | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Key LDAP directories supported:
IBM | Y | N | Y | Y | Y | Y | Y | Y | Y
Microsoft Active Directory | Y | Y | Y | Y | Y | Y | Y | Y | Y
Open LDAP | Y | N | Y | Y | Y | O | Y | Y | N
Novell eDirectory | Y | Y | Y | Y | Y | Y | Y | Y | Y
Oracle | Y | Y | Y | Y | Y | Y | Y | Y | Y
Sun | Y | Y | Y | Y | Y | Y | Y | Y | Y
Other important LDAP directories supported | Y | Y | Y | N | Y | Y | N | Y | N
Secure Storage:
Hardware Secure Module (HSM) | N | A | Y | N | Y | Y | Y | Y | Y
Database Platforms supported:
IBM DB2 | Y | N | Y | Y | Y | Y | Y | Y | N
NCR Teradata | Y | N | N | Y | N | N | Y | Y | N
OpenLink Virtuoso | N | N | N | N | N | N | Y | Y | N
Oracle | Y | Y | Y | Y | Y | Y | Y | Y | Y
Microsoft SQL Server | Y | Y | Y | Y | Y | Y | Y | Y | Y
Sybase | Y | N | Y | Y | N | O | N | Y | Y
Other important database platforms supported | Y | N | Y | Y | Y | N | N | Y | N
Operating Systems supported:
IBM AIX | Y | Y | Y | Y | Y | N | Y | Y | Y
IBM z/OS | Y | N | N | Y | Y | N | Y | N | Y
Sun Solaris | Y | Y | Y | Y | Y | N | Y | Y | Y
HP-UX | Y | Y | Y | Y | Y | N | Y | Y | Y
HP OpenVMS | Y | N | N | Y | N | N | Y | N | Y
HP Tru64 | Y | N | N | Y | Y | N | Y | Y | N
SuSE Linux | Y | Y | Y | Y | Y | N | Y | Y | Y
Red Hat Linux | Y | Y | Y | Y | Y | N | Y | Y | Y
Novell Netware and Open Enterprise Server | N | N | Y | Y | N | N | Y | N | N
Windows | Y | Y | Y | Y | Y | Y | Y | Y | Y
Other important operating systems supported | N | N | N | Y | Y | N | N | Y | N


Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

INFRASTRUCTURE SUPPORTED (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) Identity & Access Management.

Infrastructure | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Fully Integrated Application Platform support for:
Oracle | Y | N | Y | Y | Y | Y | Y | Y | Y
SAP | Y | N | Y | Y | Y | Y | Y | Y | Y
Siebel | Y | N | N | Y | Y | O | Y | Y | Y
PeopleSoft | Y | N | N | Y | Y | O | Y | Y | Y
BEA | Y | Y | N | Y | Y | O | Y | Y | Y
Lawson | Y | N | N | Y | Y | O | Y | Y | Y
Microsoft | Y | N | Y | N | Y | Y | Y | Y | Y
QAD | N | N | N | N | N | O | Y | N | Y
Other important application platforms fully supported | Y | Y | N | Y | Y | N | N | Y | Y
SaaS services supported | Y | N | N | Y | N | N | N | Y | Y
Web Servers supported:
Microsoft IIS | Y | Y | Y | Y | Y | Y | Y | Y | Y
Sun One Web Server | Y | Y | N | Y | Y | O | Y | Y | Y
Lotus Domino | Y | Y | N | Y | Y | Y | Y | Y | Y
IBM HTTP Server | Y | Y | N | Y | Y | O | Y | Y | Y
Oracle HTTP Server | Y | Y | N | Y | Y | N | Y | Y | Y
Domino Go | Y | N | Y | Y | Y | N | Y | Y | Y
Red Hat Apache | Y | Y | Y | Y | Y | O | Y | Y | Y
ASF Apache | Y | N | Y | Y | Y | A | N | Y | N
Other important web servers supported | N | N | N | N | N | N | N | N | N
Helpdesk Systems supported:
BMC Remedy Service Management | Y | N | N | Y | Y | O | Y | Y | N
Peregrine (HP) | Y | N | N | Y | N | N | Y | A | N
Epicor ITSM | Y | N | N | N | N | N | Y | A | N
FrontRange ITSM | Y | N | N | Y | N | N | Y | A | N
HP Open View Service Desk | Y | N | N | Y | N | N | Y | A | N
CA Unicenter Service Desk | Y | N | N | Y | N | N | Y | A | N
IBM Tivoli Service Request Manager | Y | N | N | Y | Y | N | N | A | N
Other helpdesk systems supported | N | N | N | Y | N | N | N | N | N


Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

INFRASTRUCTURE SUPPORTED (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) Identity & Access Management.

Infrastructure | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Architectures supported:
ODBC | Y | Y | Y | Y | Y | Y | Y | Y | Y
UDI | Y | N | N | N | N | N | Y | N | Y
JDBC | Y | Y | Y | N | Y | N | Y | Y | Y
ADL | N | N | N | N | N | N | Y | N | N
XAM | N | N | N | N | N | N | Y | N | N
AJAX | Y | N | Y | Y | Y | Y | Y | Y | Y
ECMA | N | N | N | Y | Y | N | Y | N | N
Other important architectures supported | Y | N | N | Y | N | N | N | Y | N
Web Access Control Facilities Supported:
IBM – Tivoli Access Manager | N | N | N | Y | Y | Y | Y | Y | N
CA – Siteminder | Y | N | N | Y | Y | Y | Y | Y | N
Sun – Java System Access Manager | N | N | N | Y | Y | Y | Y | Y | N
RSA – ClearTrust | N | N | N | Y | Y | Y | Y | Y | Y
BMC Web Access Manager | N | N | N | N | Y | Y | Y | Y | N
Evidian Access Manager | N | N | Y | N | Y | Y | N | Y | N
Oracle Access Manager | N | N | N | Y | Y | Y | N | Y | N
HTTP protocol controls | Y | N | Y | Y | Y | Y | N | Y | Y
Use of proxy-based web agents | Y | N | Y | Y | Y | Y | N | Y | Y
Other important web access control facilities supported | Y | N | N | Y | N | N | N | Y | N


Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

STANDARDS AND AUTHORITIES

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) Identity & Access Management.

Standard or protocol | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Standards and Authorities Supported by the Solution Include:
Kantara – Identity Assurance Framework | Y | Y | Y | N | Y | N | Y | Y | Y
SAFE (Identity Validation and Interoperability Federation) | Y | Y | N | Y | Y | N | Y | N | Y
ITIL (Information Technology Infrastructure Library) | Y | N | Y | Y | Y | Y | Y | Y | N
ITSM (IT Service Management) | Y | N | Y | Y | Y | Y | Y | N | N
ITSEC (Information Technology Security Evaluation Certification) | Y | Y | Y | N | Y | Y | Y | N | Y
Protocols Supported:
SAML (Security Assertion Markup Language) | Y | Y | Y | Y | Y | Y | Y | Y | Y
Microsoft Information Card | Y | Y | N | Y | Y | Y | Y | Y | Y
WS Federation | Y | N | Y | Y | Y | Y | Y | Y | Y
WS-Security | Y | N | Y | Y | Y | Y | Y | Y | Y
RADIUS (Remote Authentication Dial-In User Service) | Y | N | Y | Y | Y | Y | Y | Y | Y
SASL (Simple Authentication and Security Layer protocol) | N | N | Y | N | Y | Y | Y | Y | Y
XACML – eXtensible Access Control Markup Language | N | Y | Y | N | Y | N | N | Y | Y
JAAS – Java Authentication and Authorisation Services | Y | N | Y | N | Y | N | Y | Y | Y
ID-FF – Identity Federation Framework | Y | N | Y | N | Y | N | Y | Y | Y
ID-WSF – Identity Web Services Framework | N | N | Y | N | Y | N | Y | Y | Y
ID-SIS – Identity Service Interface Specification | N | N | Y | N | N | N | Y | Y | Y
Kerberos (secure authentication methodology) | Y | Y | Y | Y | Y | Y | Y | Y | Y
FTP | A | N | N | Y | Y | Y | Y | Y | N
HTTP | Y | Y | Y | Y | Y | Y | Y | Y | Y
SMTP | Y | N | N | Y | Y | Y | Y | Y | Y
WebDav | Y | N | N | N | Y | Y | Y | Y | N
SOAP | Y | Y | Y | Y | Y | Y | Y | Y | Y
Other important communication protocols supported | Y | N | N | Y | Y | N | N | N | N


Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

STANDARDS AND AUTHORITIES (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) Identity & Access Management.

Standard | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA
Smart Card Standards supported:
ISO 7816 | N | N | Y | Y | A | N | Y | A | Y
ISO 14443 | N | N | Y | N | A | N | N | A | N
ISO 15693 | N | N | Y | N | A | N | N | A | N
PC/SC | N | Y | Y | Y | A | Y | Y | A | Y
FIPS-201 | Y | Y | Y | Y | A | N | Y | Y | Y
HSPD-12 | Y | Y | Y | Y | A | N | Y | Y | Y
Biometric Standards supported:
BioAPI | N | N | Y | A | Y | N | Y | Y | N
BAPI | N | N | Y | A | N | N | N | A | N
X9.84 | N | N | Y | A | N | N | Y | A | N
CDSA/HRS | N | N | Y | A | N | N | N | A | N
ANSI/NIST ITL 2000 | N | N | Y | A | N | N | N | Y | N

6.3 IAM Decision Matrix

The IAM Decision Matrix is a visual summary of the leading vendors and products in the IAM market and of their capabilities, based on a quantitative assessment of their market impact and end-user sentiment, as well as their functional reach and technical capabilities. Additionally, the IAM Decision Matrix guides organizations looking to deploy IAM technologies to the vendors and solutions that they should immediately shortlist, consider, or explore.

The following definitions are used for each of these recommendations:

• Shortlist – These vendors’ IAM products should be part of most organizations’ shortlists for IAM technology selection. This category includes the leading solutions, signifying that the vendor has established a commanding market position with a product that is widely accepted as best of breed.

• Consider – The vendors in this category have strong market positions and are selling and marketing their IAM solutions well. Their products offer competitive functionality and good price and performance, and should be considered as part of the technology selection process of most organizations.

• Explore – Solutions in this category have narrower applicability, and may have limitations in function or in the vendor’s ability to execute. However, they may still be the best choice to meet specific requirements and are thus worth exploring as an organization develops its options.


Figure 6.3.1: Identity and Access Management Decision Matrix Source: Ovum

[Bubble chart: x-axis Technology assessment (scale 1-10), ticks 6.5 to 9.5; y-axis Sentiment (scale 1-10), ticks 2 to 9; bubble size represents market impact (Impact = 0 to Impact = 10); regions labelled Explore, Consider, and Shortlist; vendors plotted: CA, Evidian, Hitachi, IBM, Microsoft, Novell, Oracle, RSA; Entrust is marked as having insufficient end user feedback.]

A successful IAM deployment is one that fully supports the organization’s overall identity management, information access, business continuity, and regulatory compliance strategies. Therefore, a decision to purchase one solution over another should be based on a broad array of factors including, but not limited to, the degree of alignment between the solution’s features and functionality and the organization’s specific objectives. As a result, organizations should consider Ovum’s recommendations of shortlist, consider, and explore in the context of their specific business and solution requirements. Within each category the vendor recommendations are listed in alphabetical order.

The leaders: CA, IBM, Novell, and Oracle

The four IAM majors have the highest scores in the technology dimension and have well-established, mature products. They have the technology breadth and depth and the services capabilities to be relevant to the most complex IAM requirements at the largest enterprises. IBM has the highest customer sentiment scores among the four vendors in the Shortlist category. In spite of its scale and the transformational nature of the projects IBM handles, the company has an impressive execution record. Through its Tivoli division IBM has a long presence in the identity-management sector, and has equally well-established credentials in systems management.

From a technology and long-term usage standpoint CA is among the largest vendors in the IAM space; it has one of the most comprehensive product portfolios, and has significant market presence across all major industry sectors. Novell’s IAM approach retains a strong focus on regulatory compliance. Its product portfolio is relevant to all geographies, industry sectors, and enterprises of varying sizes. The traditional heavy users of IAM, namely financial services, the public sector, healthcare, and telecommunications, predictably form an important part of Novell’s installed base. Following the Sun acquisition Oracle has brought together two IAM platforms that were both strong contenders in their own right. It has done a good job of managing customer expectations after what was arguably the largest IAM acquisition in the market to date. Oracle maintains a comprehensive IAM technology stack that merits closer evaluation in most IAM selection processes.

All four vendors have a full suite of products and are successfully branching out into areas that are adjacent to IAM and that Ovum believes will be increasingly relevant to IAM projects.


Figure 6.3.2: Identity and Access Management Decision Matrix (in alphabetical order) Source: Ovum

Shortlist | Consider  | Explore
CA        | Evidian   | Entrust
IBM       | Hitachi   | RSA
Novell    | Microsoft |
Oracle    |           |

Oracle and Sun Microsystems were both in the ‘Consider’ category in the 2008 edition of the IAM Decision Matrix report. Collectively, the two vendors are now a formidable force and Oracle has moved to the shortlist category. Oracle certainly has scale and broad-based recognition as an IAM vendor, and the company has done a good job managing the inevitable concerns around its technology roadmap following the Sun Microsystems acquisition. Specific guidelines around which product sets would be strategic have been released, and existing users have been assured support for product lines that will not be part of the strategic roadmap. To summarize, enterprises will not be forced to make difficult decisions relating to the Oracle portfolio over the next few years.

Predictably, Oracle’s competitors launched a number of programs to benefit from the transition (such as Novell announcing license-swap offers for Sun Microsystems’ IAM solutions). However, our research does not indicate that their efforts have changed the market structure in any significant way. Oracle certainly has one of the fullest IAM stacks now, and customers do not seem to have major concerns around the vendor’s ability to manage the transition and the complex, overlapping set of offerings.

The challengers: Evidian, Hitachi, and Microsoft

These vendors are rated in the ‘consider’ category mainly because, although their IAM solutions are strong, they do not always match the depth, breadth, or resources provided by the ‘shortlist’ group.

Hitachi and Evidian are smaller vendors with impressive IAM suites. Hitachi-ID is a new entrant in the IAM Decision Matrix, and the Canada-based IAM subsidiary of the Asia-Pacific giant has impressed with strong customer sentiment scores. Hitachi-ID’s technology scores are also impressive. There is little reason to doubt Hitachi’s strengths in most aspects of the IAM stack; however, it does not play in the web SSO and access control parts of the IAM market.

Evidian’s technology scores are impressive as well, and not far off Microsoft’s. Evidian has moved up from an ‘Explore’ rating in the 2008 edition of the IAM Decision Matrix to the ‘Consider’ rating, largely on account of its technology scores. Evidian brings two key strengths to the table: a strong presence in Europe (particularly in France and Germany) and a strong focus on the healthcare industry, a sector that has distinct and often unmet IAM requirements.

Microsoft’s IAM offering can now be considered comprehensive, and it notches up strong technology scores that are close to the lower end of the ‘Shortlist’ category. The vendor’s new Forefront Identity Manager offering incorporates many well-proven tenets of IAM technology (such as business user-driven attestations and access-request approvals). The new release, together with the vendor’s renowned ability to build and sustain partnerships, has led to an offering that is very competitive. Across all industries Microsoft is the most recognized IAM vendor and is now a strong contender for a diverse range of IAM requirements.

The Prospects: Entrust and RSA

Entrust and RSA make up what Ovum calls the ‘explore’ category because their IAM offerings, although not as deep or broad as others, have particularly strong characteristics or functionality that will be a good fit for organizations with specific needs or preferences.

Entrust, with its IdentityGuard, GetAccess, and TransactionGuard products, provides a good range of identity management, risk-based authentication, access control, and real-time fraud detection facilities. Its strength comes from an ability to build and deliver an integrated set of identity-driven protection solutions that are relevant to the everyday business and operational needs of a wide-ranging group of users. The company makes available a flexible range of single- and multi-factor authentication facilities which allow organizations to put in place appropriate authentication facilities that balance operational demands against business risk and regulatory compliance. Entrust enables organizations to build an integrated identity-based approach to the management and control of user access.

RSA is the authentication market leader. It provides enterprise-class identity assurance products that address risk and compliance issues that arise in highly regulated sectors such as finance, healthcare, telecoms, and government. The company’s broad range of authentication services addresses all levels of secure access, based on risk. Its range of authentication methods covers appliance, software, hosted (software-as-a-service, SaaS), and on-premise operations. RSA provides an extensive range of IAM-based identity assurance products and services which can be deployed to protect the operational systems and intellectual property of public and private sector organizations. Its products are designed to minimize the risks associated with inappropriate and unauthorized systems and account usage, and its protection services have been extended to address fraudulent activity, accidental data leakage, and information and event monitoring.


6.4 Vendor Analysis

CA: Identity and Access Management Radars


CA is among the largest vendors in the IAM space, and its IAM portfolio is among the most comprehensive. As such, its scores in the Market Impact and Technology dimensions reflect the vendor’s strengths. CA scores well on most Technology attributes and has the highest-possible score, or close to the highest-possible score, on Password Management, Enterprise and Web SSO, User Provisioning, Access Control, and Federated Identity Management. The only Technology dimension in which CA’s score is less than impressive is support for standards and authorities. In the Market Impact dimension, CA is among the top four vendors. However, for a vendor with an impressive market presence, CA does not score well on Customer Sentiment, achieving less than average in most of our Customer Sentiment dimensions.

CA’s IAM portfolio comprises CA Siteminder, Federation Manager, SOA Security Manager, Access Control, Role and Compliance Manager, Identity Manager, and Enterprise Log Manager, and the IAM portfolio is currently in the r12 version. CA’s current IAM positioning focuses on “content-aware identity” with IAM and DLP integration, IAM for virtualized environments, and cloud-delivered services (both IaaS and SaaS) also incorporated into the IAM technology’s scope. GRC is another important aspect of CA’s IAM strategy. CA has made a number of acquisitions in the IAM space in the last two to three years, and the acquisitions reflect the vendor’s focus. In January 2009 the company acquired Orchestria, a DLP provider. In August 2010 it bought Arcot Technologies, a strong authentication and fraud prevention solution provider through both on-premise installations and cloud-based infrastructure. This particular acquisition possibly also signals CA’s expansion beyond the enterprise market and into the consumer-facing advanced authentication market, a space where RSA is a formidable force.

Figure 6.4.1: CA Identity and Access Management Radars Source: Ovum

[Three radar charts, each scaled 0 to 10, plotting CA against the maximum category score and the average across vendors. User sentiment radar axes: Product quality, Portfolio depth, Customer support, Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels. Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single sign-on, Scalability, User provisioning, Solution breadth and depth, Password management, Solution maturity, Access control, Administration and policy management, Federated identity management, Standards and authorities. Impact radar axes: Revenue, Revenue growth, Recognition, Regional presence, Size-band presence, Vertical presence.]

In mid-2010 CA made a major cloud-related announcement: the scope of its cloud offerings includes provisioning and access management of Salesforce and Google Apps, enabling cloud providers to secure their services and infrastructure. DLP and IAM integration are in their early stages, but Ovum believes that CA is on the right path and agrees with its strategy of unifying these two hitherto (mostly) disparate IAM streams.

Compliance is another focus area for CA. The company’s portfolio includes SIEM solutions integrated with IAM solutions, and over the years CA has become an important IT GRC player as well. Overall, CA is an acquisitive company and can be expected to be at the frontier of emerging requirements and trends in the IAM market through both organic growth and acquisitions. The company has also been a leader in all core areas of the IAM spectrum for a long time, and has filled critical gaps with acquisitions whenever necessary. An example would be the 2008 acquisition of role management vendor Eurekify. In the same year CA acquired IDFocus, a provider of SoD capabilities.

CA has significant presence across all major industry sectors, and its distribution across geographies is reflective of the wider market, with North America its primary source of IAM revenues. Its IAM suite has a distinct large-enterprise focus, with financial services among its most important sectors.

Recommendation: Shortlist

CA earns a “shortlist” rating primarily due to its high score in the Technology dimension. On a number of technology fronts, particularly enterprise and web SSO (through the Siteminder product), CA defines the best in class in the category. The vendor’s list of systems integrator partners is impressive, and the nature of CA’s IAM portfolio evolution is in alignment with what Ovum believes is the way forward for enterprises that have already made substantial investments in IAM. To summarize, CA is relevant to IAM requirements of all flavors, from core-user provisioning rationalization to an enhanced state of compliance, from employee-oriented requirements to large-scale consumer-facing requirements.

Entrust: Identity and Access Management Radars

CHAPTER 6: TECHNOLOGY COMPARISON 117

[Figure 6.4.2: Entrust Identity and Access Management Radars. Source: Ovum. Two radar charts (scale 0–10) plotting Entrust against the maximum category score and the average across vendors. Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single sign-on, User provisioning, Password management, Access control, Federated identity management, Scalability, Solution breadth and depth, Solution maturity, Administration and policy management, Standards and authorities. Impact radar axes: Revenue, Revenue growth, Recognition, Vertical presence, Size-band presence, Regional presence.]

Entrust provides three IAM solutions: IdentityGuard, GetAccess, and TransactionGuard. A strong contender in the authentication and fraud management space, Entrust notches up impressive scores across the Authentication and Password Management dimensions, and reasonably good scores across the Access Control and Federated Identity Management dimensions. Entrust is relatively small compared with the IAM suite heavyweights, but still large in comparison with the IAM vendors on our lists that have a primarily regional presence, and Entrust’s Market Impact scores (including the Recognition scores) reflect that relative position. However, the company expects to notch impressive growth in the near term. The SME market (under 1,000 employees) represents a larger percentage of revenues than average. Financial services and the public sector are the most important sectors by a significant margin.

For this Decision Matrix, Entrust was not rated by enough customers for Ovum to aggregate and present statistically significant Customer Sentiment scores. However, Ovum’s ongoing research does indicate (and as has been reported before) that Entrust’s high-quality customer support and partner services are important differentiators for the vendor. Entrust enjoys a renewal rate of 90%, which in Ovum’s opinion is truly impressive in a sector that has seen more than a few projects run over budget and more than a few disillusioned customers.

Entrust’s strengths are its strong authentication, adaptive or risk-based authentication, and fraud management capabilities, and its solution has proven scalability in consumer-facing environments. Regulatory controls essential for its target industries (primarily government, financial services, healthcare, and telecommunications) are another of Entrust’s strengths. Entrust plays in three different IAM scenarios: addressing external consumer-facing IAM challenges for banks and the technologies relevant to this market, including its fraud management solution, TransactionGuard; addressing citizen identity management issues for government agencies; and addressing standard employee-centric IAM challenges, primarily for large enterprises. Across each of these three scenarios, strong authentication and adaptive authentication are on the list of Entrust’s key strengths. Entrust is planning for higher-than-average industry growth figures. Its long-term growth prospects are particularly bright, given the increase in e-governance projects and citizen services everywhere, particularly in the Asia-Pacific market.

On the strong authentication front, Entrust covers the whole gamut, from grid and machine authentication (authentication of a preregistered machine) to out-of-band authentication and one-time passwords routed to mobile devices. Out-of-band authentication technology is a priority area for Entrust and an important part of the vendor’s roadmap. In Ovum’s opinion, the range of, and control over, transaction information that can be part of an Entrust-enabled out-of-band authentication event sets the vendor apart. This point also serves as a testament to Entrust’s strength in its chosen niche (as does the vendor’s score in the “Authentication” Technology dimension). Its three products, IdentityGuard, GetAccess, and TransactionGuard, work in conjunction to ensure that access to enterprise resources is controlled by a comprehensive understanding of the user and that the mode of authentication is appropriate for the risk level identified. IdentityGuard is the risk-based authentication platform, and an important part of Entrust’s positioning (natural, given the vendor’s target market) is the IdentityGuard solution’s ability to scale. GetAccess is the web access control and web SSO solution. TransactionGuard is the real-time fraud detection solution (and naturally a lot more relevant in the financial services scenario) and comprises Real Time Fraud Detection, FraudMart, and the Open Fraud Intelligence Network.

For standard employee-oriented IAM challenges, Entrust conforms to all the prevailing notions of IAM technology, including role-based access control, support for federation standards, workflows, and self-service. And, of course, for non-financial services and non-public sector entities, the case for Entrust becomes particularly strong when there is a consumer-facing scenario.

Entrust’s positioning is focused on its adaptive authentication strengths and the cost-effectiveness implications of its technology. The overall positioning theme is in line with the standard current IAM themes: quick ROI from enhanced self-service and the resultant reduction in helpdesk costs.

Entrust was acquired by the private equity firm Thoma Bravo in July 2009. In the last two years Thoma Bravo has acquired security and IT infrastructure management provider LANDesk and IT security solutions provider SonicWall. However, Thoma Bravo’s portfolio of investments in the enterprise IT sector encompasses vendors from very different areas. The private equity firm counts a supply chain management application provider (Manugistics) and a customer relationship management application provider (Consona Corporation) among its software investments. Therefore, it seems unlikely that the acquisition will affect Entrust’s customers in the foreseeable future.

Recommendation: Explore

A moderate Technology score earns Entrust an “Explore” rating. Entrust is a strong contender in a number of large, growing, and tough IAM niches. Its less-than-average score across important pieces of the IAM portfolio (including E-SSO, Web SSO, User Provisioning, Access Control, and Federated Identity Management) has led us to assign this rating. However, IAM scenarios that involve customer-facing applications and require strong authentication certainly call for a closer evaluation of Entrust’s offerings.

IDENTITY AND ACCESS MANAGEMENT 2011/12 118

Evidian: Identity and Access Management Radars


[Figure 6.4.3: Evidian Identity and Access Management Radars. Source: Ovum. Three radar charts (scale 0–10) plotting Evidian against the maximum category score and the average across vendors. Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single sign-on, User provisioning, Password management, Access control, Federated identity management, Scalability, Solution breadth and depth, Solution maturity, Administration and policy management, Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support, Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels. Impact radar axes: Revenue, Revenue growth, Recognition, Vertical presence, Size-band presence, Regional presence.]

Although Evidian has a nearly full suite of IAM products, the vendor’s influence remains largely restricted to its geographic niche, Europe. With an aggregate Technology score that is close to Microsoft’s and right after the “Big Four” IAM suite providers, there can be little doubt that Evidian’s suite is comprehensive. Evidian scores higher than average in a number of Technology dimensions, including Enterprise and Web SSO, User Provisioning, Access Control, and support for standards and authorities. The suite is found wanting across the Federated Identity Management and Infrastructure Supported dimensions, particularly the latter. Evidian is a relatively small vendor, and client organizations outside its geographic niche are much less likely to recognize it as a provider of IAM solutions. The vendor expects higher-than-industry-average growth, but its size limits its Market Impact score. In the Customer Sentiment dimension, Evidian scores higher than average across the Client Engagement, Vertical Specialization, and Customer Support dimensions. However, given its considerable focus on the healthcare sector – healthcare is as important as financial services, and rare among the vendors profiled in this report – Ovum would have expected the vendor to register a higher score on customers’ perception of its “Vertical Specialization.” The EMEA region accounts for the bulk of Evidian’s business, with the North American market registering a marginally higher contribution than the Asia-Pacific region. This is an unusual geographic distribution for a leading IAM vendor. Another fact that points towards Evidian’s status as a leading European IAM technology provider is the vendor’s partnership with Microsoft, primarily in the European region (and for Evidian’s E-SSO product). Evidian partners with Quest in North America and NEC in Asia-Pacific (most notably Japan).

Getting back to its industry focus, the public sector and telecommunications are important focus areas in addition to financial services and healthcare. The company is working on industry-specific flavors of its solutions and reports working on the “Evidian IAM Suite for healthcare,” which will include workflows and provisioning connectors for typical healthcare environments.

With regard to market segments, most IAM suite vendors have a nearly complete medium-sized to large company focus, and the sub-1,000-employee market (and even the sub-5,000 market) typically accounts for a small percentage of revenues. The sub-5,000 market finds much greater representation in the Evidian installed base compared with the other vendors profiled in this report. Although this could be an unintended fallout of the vendor’s choice of sector – healthcare institutions in Europe tend to be smaller than typical client organizations in other IAM technology-intensive sectors – Evidian’s portfolio includes the “Ready-To-Go-SSO” edition (aimed at companies with 500–5,000 users), and the vendor reports working on additional SME-focused packages.

The Evidian IAM Suite (Version 8) is a well-proven, mature product that supports all core areas of IAM, including identity, access, and role management. The solution conforms to the modern tenets of IAM management, such as strong authentication, role-based access management, audit-oriented entitlements status reporting, and support for identity federation standards. Evidian’s positioning focuses on the IAM basics: an integrated, organically developed product that is relatively easy to implement. To summarize, Evidian is a perfectly competent IAM technology provider with strong geographic and sector niches, but also a vendor that could significantly improve its presence across geographies.

Recommendation: Consider

Evidian has advanced on Ovum’s ranking from the “Explore” category in 2008’s Decision Matrix to the “Consider” category. The vendor’s good scores in the Technology dimension (marginally lower than Microsoft’s) and above-average Customer Sentiment score have led to its “Consider” rating. A strong contender in Europe, Evidian merits closer evaluation by client organizations from that region. Also, healthcare firms across regions would do well to take a closer look at Evidian’s offering, and the vendor’s tailored offering for this sector is arguably more compelling than the Technology scores (which are designed to be equally relevant to all sectors) seem to suggest. Overall, Evidian is a strong contender that has carved a few very well-defined niches.

Hitachi-ID: Identity and Access Management Radars


[Figure 6.4.4: Hitachi-ID Identity and Access Management Radars. Source: Ovum. Three radar charts (scale 0–10) plotting Hitachi-ID against the maximum category score and the average across vendors. Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single sign-on, User provisioning, Password management, Access control, Federated identity management, Scalability, Solution breadth and depth, Solution maturity, Administration and policy management, Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support, Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels. Impact radar axes: Revenue, Revenue growth, Recognition, Vertical presence, Size-band presence, Regional presence.]

This is the first time Hitachi-ID has been included in the Ovum Identity and Access Management Decision Matrix, and the vendor has scored well on multiple fronts. The vendor in its present form began life in 2008 with Hitachi’s acquisition of M-Tech, and operates as a subsidiary of the Asia-Pacific giant. The Hitachi-ID portfolio is strong on many IAM Technology dimensions, including User Provisioning and Password Management. The vendor does not focus on the web access management and web and enterprise SSO markets. Hitachi-ID Customer Sentiment scores are exceptional, and it outscores more than eight of the other vendors profiled in this Decision Matrix on six of the eight Customer Sentiment dimensions. The fact that Hitachi-ID’s IAM portfolio is one of the few (nearly) full-suite products that have been built entirely organically could have a role to play in the exceptional Customer Sentiment scores. Hitachi-ID is small compared with the IAM behemoths and derives less than 10% of its revenues from the Asia-Pacific market. It therefore seems unlikely that the vendor is leveraging the scale of the parent company in the fullest possible way. Hitachi-ID’s strengths are undeniable, and Ovum believes that the company could significantly expand its installed base.

One interesting aspect of Hitachi-ID’s IAM suite is password synchronization for SSO, as opposed to the traditional method in which one system authenticates the user and manages credentials for all other systems. Though not without its trade-offs, the password synchronization approach certainly has the potential to reduce SSO complexities. The simplicity that password synchronization affords is part of a broader Hitachi-ID theme, namely relatively low-cost IAM implementation. Low-cost implementation is Hitachi-ID’s stated goal, and the company relies partly on a good range of preconfigured options for implementation (such as preconfigured “most likely” workflows) and an impressive range of connectors to target applications to realize its goal. Hitachi-ID is among the four top performers in the “Infrastructure Supported” Technology dimension, which is highly unusual for an IAM vendor of its size. Only Novell, CA, and IBM score higher than Hitachi-ID in this dimension, and none of the vendors of comparable size score close to Hitachi. The IAM vendor’s role management capability set is comprehensive, and support for cloud-delivered applications includes the now-mandatory set of SaaS applications, Google Apps and Salesforce. Cloud and DLP are not a part of Hitachi’s branding, and the vendor’s core message remains simplicity and low TCO. For most of its life, M-Tech Systems was relatively isolated and focused on a customer demographic that did not have significant in-house IT talent and/or deep systems integrator relationships, and this legacy is manifested in Hitachi-ID’s offerings.

Ovum believes that Hitachi-ID will continue to be valuable in deployment sites that are expanding the scope of IAM from web access management and web SSO to a well-structured system for provisioning and de-provisioning and password management. Hitachi’s offerings in the relatively smaller parts of IAM, such as privileged user management, are impressive as well.

Recommendation: Consider

An impressive Customer Sentiment score and a Technology score that is just lower than the numbers scored by the largest IAM vendors earn Hitachi a “Consider” rating. Hitachi’s Technology score is marginally lower than Microsoft’s, which is impressive considering the Redmond-based giant’s range of partnerships. The new entrant in the Decision Matrix has impressed on all fronts, and its positioning on the Technology front is clear. Hitachi does not operate in the web SSO and Access Control markets, preferring to rely on partnerships. Apart from these sub-markets the vendor has a full suite, and Ovum believes the way forward for Hitachi is geographic expansion.

IBM: Identity and Access Management Radars

IBM is among the largest vendors in the IAM space, and its Market Impact scores reflect its status as an identity and access behemoth. Scoring well across all three major dimensions, IBM registers the highest Technology score, beating CA, Novell, and Oracle. IBM scores the highest or close to the highest in our group of nine IAM vendors across most Technology dimensions, including Enterprise and Web SSO, User Provisioning, Password Management, Access Control, Federated Identity Management, and Infrastructure Supported. In terms of its market impact, IBM is predictably recognized widely – IBM has one of the highest scores in the Recognition dimension – as an IAM suite provider and has above-market-average growth plans. This is particularly impressive given the size of its IAM business. In this research exercise the Customer Sentiment scores of the largest IAM vendors have mostly been unimpressive, but IBM manages to beat this trend. Its Customer Sentiment scores are above average in five of the eight Customer Sentiment dimensions.


IBM’s IAM suite comprises Tivoli Identity and Access Manager, Tivoli Identity and Access Assurance, Tivoli Access Manager for Enterprise Single Sign-on, Tivoli Identity Manager, Tivoli Access Manager for e-business, Tivoli Access Manager for Operating Systems, Tivoli Federated Identity Manager, Tivoli Federated Identity Manager Business Gateway, Tivoli Unified Single Sign on, and Tivoli Directory Server. As this long list suggests, the portfolio is comprehensive. IBM’s scope extends beyond the list cited here into all areas adjacent to IAM, such as DLP, GRC, and SIEM.

The depth of IBM’s enterprise relationships allows security and service management concepts to be brought into IAM projects to a greater extent than for other vendors with extensive IT infrastructure management portfolios. (Naturally, the overlap is much more relevant to the professional services aspect of implementation projects than to technology integration.) This implies that IBM has few peers when an enterprise faces truly transformational problems. On the same note, the compliance problem is not just tackled by technology – incidentally, IBM recently acquired GRC vendor OpenPages – or by IBM’s formidable professional services team, but also by partnerships, such as the crucial one with Deloitte.

Content and the quality of professional services are important aspects of GRC, and IBM is certainly strong in these areas. Although GRC is not part of this report’s scope, this adds to Ovum’s stance that IBM’s strength in the core IAM and adjacent areas makes it a truly formidable force when an enterprise is faced with a multidimensional IAM challenge of significant scale. The counter-argument to IBM’s scale differentiator is the small-vendor argument that their products have strong integration capabilities with configurations that are mapped well to market requirements. However, there are areas within IAM, such as user provisioning, where the requirements span far beyond IAM technology elements, which means a large global enterprise has few real alternatives other than a vendor whose expertise runs the gamut from industry-specific regulations to building connectors to sector-specific applications. This is not to say that IBM does not have IAM solutions for smaller organizations, but that IBM’s true differentiator is its ability to handle large-scale problems through the size and scale of its professional services division and by orchestrating the strengths of its partners.


[Figure 6.4.5: IBM Identity and Access Management Radars. Source: Ovum. Three radar charts (scale 0–10) plotting IBM against the maximum category score and the average across vendors. Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single sign-on, User provisioning, Password management, Access control, Federated identity management, Scalability, Solution breadth and depth, Solution maturity, Administration and policy management, Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support, Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels. Impact radar axes: Revenue, Revenue growth, Recognition, Vertical presence, Size-band presence, Regional presence.]

Recommendation: Shortlist

The highest Technology rating among the top nine vendors in the IAM market and an above-average Customer Sentiment score earn IBM a “Shortlist” rating. Across all three dimensions, including the size of the vendor’s IAM business and the high recognition its IAM business receives, it is clear that IBM is at the top of the IAM market. Transformational IAM problems require a vendor with IBM’s diverse skill sets and scale, and its position among the top IAM vendors reflects this.

Microsoft: Identity and Access Management Radars


[Figure 6.4.6: Microsoft Identity and Access Management Radars. Source: Ovum. Three radar charts (scale 0–10) plotting Microsoft against the maximum category score and the average across vendors. Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single sign-on, User provisioning, Password management, Access control, Federated identity management, Scalability, Solution breadth and depth, Solution maturity, Administration and policy management, Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support, Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels. Impact radar axes: Revenue, Revenue growth, Recognition, Vertical presence, Size-band presence, Regional presence.]

As would be expected of Microsoft in any enterprise IT market, the vendor’s products and role in the sector are widely recognized and understood. Predictably, our research indicates that Microsoft’s IAM market impact is impressive. In addition, Microsoft scores well on the Technology front, registering impressive scores across the Enterprise and Web SSO, User Provisioning, Password Management, Access Control, and Federated Identity Management dimensions. Even in the Customer Sentiment dimension, Microsoft scores higher than average on Product Quality, Portfolio Depth, Service Levels, and Client Engagement. Although certainly among the leading IAM vendors, Microsoft scores among the lowest on the Infrastructure Supported dimension, limiting its applicability in non-Microsoft environments.

Forefront Identity Manager 2010, the Windows Server 2008 R2 Active Directory, Active Directory Federation Services 2.0, and Windows Identity Foundation are the key components of the Microsoft IAM suite. Forefront Identity Manager (FIM) replaces Identity Lifecycle Manager 2007 and is aimed at promoting self-service, integration with familiar Microsoft tools, and enhancing ease of use, which in turn promotes business-user participation. FIM is the seat of policy management, certificate management, and user management, and AD Federation Services enables authentication across domains.

Microsoft partners with major web access management, user provisioning, and E-SSO providers such as Hitachi-ID, Evidian, and Courion. Microsoft’s current IAM positioning is focused on its new and improved FIM. Related solutions and areas such as cloud, SIEM, IT GRC, and DLP integration do not seem to be a focus area (although the Redmond giant does have the capabilities for each in some form, through partnerships, or both). FIM’s capabilities ease compliance and reduce helpdesk and IT administration costs, and Microsoft is firmly in line with the prevailing industry notions of the evolution of the IAM function. There is little to doubt Microsoft’s status as a full-blown IAM vendor, with a Technology aggregate score that comes right after the IAM heavyweights, CA, IBM, Novell, and Oracle.

On a related note, Microsoft’s Customer Sentiment scores indicate that the need for tailored IAM solutions by industry is very real. There are considerable differences in how the vendors have scored in the “Vertical Specialization” Customer Sentiment dimension. Ovum believes the one industry that requires a distinct sector focus is the healthcare sector, on account of the many sector-specific applications and sometimes-unique user habits, and insight from vendors indicates varying degrees of focus on the sector. In early 2010, Microsoft bought Sentillion, a provider of applications for the healthcare sector. Sentillion’s portfolio includes SSO solutions, and Microsoft announced that the company would consider how Sentillion’s IAM capabilities might work in conjunction with FIM 2010.

By most accounts Microsoft is a low-cost provider of IAM technology and has a formidable partner network. A good percentage of small and medium-sized enterprises (SMEs) are likely to turn to Microsoft first as their IAM technology stack provider. Therefore, it is good news that Microsoft has incorporated the well-proven concepts of business-driven group requests, approval workflows, identity synchronization, and self-service into its latest release. Finally, it is important to mention in this context that the Microsoft installed base does not lack large-enterprise deployment cases.

Recommendation: Consider

Partly through its well-known partnership development capabilities, Microsoft has assembled an IAM offering that marginally trails the “Big Four” vendors. Its Technology score, alongside a well-above-average Customer Sentiment ranking, ensures that Microsoft is placed in the “Consider” category. Predictably, Microsoft falls below average on the “Infrastructure Supported” category, registering a series of Ns on Ovum’s list of key platforms. Microsoft’s rating is unchanged from the previous edition of the Decision Matrix, and there is little to doubt its role as a full IAM stack provider, particularly for Microsoft shops.

Novell: Identity and Access Management Radars

Novell’s IAM suite (Identity Manager r4) is part of the company’s Identity and Security Management (ISM) unit, and the vendor provides a comprehensive suite of IAM solutions. Novell scores close to highest in the Technology dimension of the Decision Matrix framework, and is ranked high across most Technology categories. The Linux major almost achieves the highest scores in the Authentication dimension, and equal to or close to the best scores possible (according to our evaluation parameters) against User Provisioning, Password Management, Access Control, and Federated Identity Management. There are a number of noteworthy aspects to Novell’s IAM positioning, such as its e-Directory and the bundling of Novell Identity Manager, Access Manager, and SecureLogin with Sentinel, the leading SIEM product. The third important aspect of Novell’s IAM suite is its support for a wide range of platforms, an approach that is manifested in Novell’s score on the “Infrastructure Supported” Technology dimension, which is close to the highest. Another important differentiator is the home-grown nature of Novell’s IAM suite. How well the different pieces of IAM integrate together remains a critical success factor in this market, and Novell certainly scores well on this front. However, Novell has not shied away from acquisitions when required. Most notably, it acquired Fortify in 2009 for the latter’s privileged password management technology.

However, Novell has so far been unable to convert its exceptional technical strengths into industry-leader status in terms of market impact. The vendor scores well below the other IAM suite heavyweights, such as IBM, Oracle, and CA, in the Market Impact dimension, and growth in recent years has been uneven. Its Customer Sentiment scores are also average for a vendor with significant technical depth.


Interestingly, the customer perception of Novell’s portfolio depth is not as high as the vendor’s Technology scores seem to suggest, possibly indicating that there is scope for better marketing of its status as an IAM heavyweight. A related point here is that Novell lacks the major systems integrator partnerships that every major IAM stack provider has had for some time. While Novell’s major competitors all have partnerships spanning the global majors (such as Deloitte), Novell’s roadmap does not seem to indicate a focus on expanding the scope of its partnerships.

Novell’s current market positioning focuses on compliance (which has always been a major area of focus), on managing identity and access in virtualized environments, and on incorporating cloud-delivered services into its IAM scope. On the cloud front, Novell’s scope includes provisioning and SSO for cloud-delivered applications, controlling mixed environments in which workloads are moved across data centers to cloud infrastructure, and offering hosted and MSP-provided identity services that could be particularly appealing to the SME market. On the compliance front, the focus is on providing audit-level reporting, user activity monitoring and correlation, and SoD violation monitoring. The SAP-Novell partnership with regard to GRC, which involves integration (and more) of SAP’s GRC products with Novell’s ISM solutions, is noteworthy in this context.

As would be expected of a vendor of Novell’s nature, the IAM portfolio is relevant to all geographies, industry sectors, and enterprises of varying sizes. The traditional heavy users of IAM, namely financial services, the public sector, healthcare, and telecommunications, predictably form an important part of Novell’s installed base. However, it is important to mention that Novell also has a significant presence in the utilities and manufacturing sectors.


[Figure 6.4.7: Novell Identity and Access Management Radars. Source: Ovum. Three radar charts (scale 0–10) plotting Novell against the maximum category score and the average across vendors. Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single sign-on, User provisioning, Password management, Access control, Federated identity management, Scalability, Solution breadth and depth, Solution maturity, Administration and policy management, Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support, Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels. Impact radar axes: Revenue, Revenue growth, Recognition, Vertical presence, Size-band presence, Regional presence.]

Recommendation: Shortlist

Novell’s close-to-highest score in the Technology dimension and moderate Customer Sentiment score have placed the vendor in the “Shortlist” category. The Market Impact scores are lower than would be expected of an IAM vendor of Novell’s stature. However, there is little to doubt the comprehensive nature of Novell’s offering and its relevance to diverse IAM requirements. The research exercise for this report is based exclusively on vendors’ performance in the IAM category, and Ovum advises enterprises to incorporate their understanding of the vendor’s overall business into any selection decisions.

Oracle: Identity and Access Management Radars


[Figure 6.4.8: Oracle Identity and Access Management Radars. Source: Ovum. Three radar charts (scale 0–10) plotting Oracle against the maximum category score and the average across vendors. Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single sign-on, User provisioning, Password management, Access control, Federated identity management, Scalability, Solution breadth and depth, Solution maturity, Administration and policy management, Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support, Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels. Impact radar axes: Revenue, Revenue growth, Recognition, Vertical presence, Size-band presence, Regional presence.]

Always a very prominent IAM vendor, Oracle has become even more of a behemoth following its Sun Microsystems acquisition. The vendor scores well in all Ovum’s evaluation dimensions, particularly Technology and Market Impact, in which it achieves the highest overall score. Oracle scores well across the Technology radar, registering maximum or near-maximum scores in User Provisioning, Enterprise and Web SSO, Password Management, Federated Identity Management, and Infrastructure Supported. With over 5,000 IAM customers, Oracle has a presence across all major sectors, led by the traditional IAM-intensive sectors of financial services, healthcare, and the public sector. Its geographic mix of revenues is in line with the wider market, with North America leading.

Of course, no discussion of Oracle is possible without touching on the problem of technology integration after the Sun Microsystems acquisition. The related announcements (and the July 2010 Oracle Identity 11g release) do not compel existing Sun and Oracle customers to make significant decisions soon, or at least not over the next two years. Oracle’s plans involve rebranding of products and prioritization where capabilities overlap (in accordance with its “continue and converge” policy), but existing commitments will be honored for product lines that will no longer be part of Oracle’s strategic IAM roadmap.

Oracle’s competitors CA and Novell launched “license exchange” programs to take advantage of the post-acquisition situation, but Ovum has seen little evidence that the state of the market has changed in any significant way as a result. Oracle’s Customer Sentiment scores have not changed significantly since the last time Ovum surveyed its enterprise clients, indicating that the Sun acquisition has not led to much change in perception of Oracle’s products or of the vendor’s service delivery capabilities. The level of overlap across its many technology areas is significant, but in keeping with Oracle’s broader post-acquisition technology integration policy, some reasonably specific guidelines on the roadmap were released in January 2010. Parts of Sun Microsystems’ IAM portfolio have been added to the Oracle IAM portfolio, renamed and repositioned, and will now be part of the common strategic roadmap. Sun’s Role Manager stays and will form the foundation for Oracle Identity Analytics. Sun Directory Server Enterprise Edition, Oracle Internet Directory, and Oracle Virtual Directory will collectively form a new product called Oracle Directory Services Plus. Sun’s OpenSSO Fedlet (renamed Oracle OpenSSO Fedlet) and Secure Token Service (now Oracle OpenSTS) are part of the strategic roadmap. Sun’s Identity Manager is now known as Oracle Waveset, and Oracle will continue developing Oracle Identity Manager to make that solution familiar to Waveset users. Oracle is offering existing Sun IAM customers equivalent Oracle products for free and plans to release migration tools in 2011.

Although the scale and level of overlap is unique, acquisitions are not a new concept for the Oracle IAM team; Oracle’s IAM portfolio has been built partly through a series of acquisitions. In 2007, Oracle acquired Bridgestream, a role management vendor, and Bharosa, a provider of online fraud management and strong authentication. Although Oracle’s overall direction partly reflects the goals of other IAM suite vendors (such as superior role management and IAM integration with GRC), the focus of the July 2010 11g release is on integrating the product stack, and the vendor’s approach has been branded “Service Oriented Security.” Service Oriented Security aims to provide developers with a set of reusable IAM services, such as authentication, authorization, administration, and auditing, which can be leveraged as part of any application development effort rather than re-implemented in each application. The approach is not new, and Oracle has been talking about it since at least 2008.

In the long term, migration for some of Oracle’s and the erstwhile Sun Microsystems’ customers will not be painless. However, the portfolio collectively offers the right pieces for a diverse set of requirements, the lessons learned from many earlier post-merger technology integrations are being used to lessen the pain as much as possible, and nobody is being forced to rip and replace anything in the short term. To summarize, Oracle provides a comprehensive set of IAM capabilities, and its focus is on enabling consumers of IAM technology to use elements of the considerable Oracle IAM stack flexibly.

Recommendation: Shortlist

Arguably the most acquisitive enterprise software company in the world, Oracle has brought together two IAM portfolios that were both strong contenders in their own right. A high Technology score and a Customer Sentiment score that is competitive among vendors of a similar scale earn the combined IAM entity a “Shortlist” rating. Oracle has done a good job of managing customer concerns after what was arguably the largest IAM acquisition in the market to date. Overall, this is certainly a comprehensive IAM stack and a vendor that merits closer evaluation in most identity and access technology selection scenarios.

RSA Security: Identity and Access Management Radars

RSA, the security division of EMC, is the authentication market leader and partners with Courion for provisioning and role management. The RSA IAM suite comprises RSA Access Manager, RSA Identity Protection and Verification, RSA Federated Identity Manager, RSA SecurID, and RSA Adaptive Authentication. Strong authentication, adaptive authentication, access control, federated identity management, and DLP and SIEM are RSA’s primary focus areas. RSA’s overall Technology score, given its specialization strategy, is predictably low compared with the heavyweights and even with much smaller vendors such as Hitachi-ID and Evidian. As would be expected of RSA, the vendor’s Authentication score is the highest. However, the vendor scores well in the Market Impact dimension and is as well recognized as an IAM provider as the largest full-suite vendors. In the Customer Sentiment dimension, RSA performs reasonably well, beating the average in all categories except, predictably, Portfolio Depth and, less predictably, Client Engagement.


Getting back to the Market Impact dimension, RSA’s primary sectors are financial services, government, healthcare, and telecoms. The geographic spread of RSA’s business aligns well with the market average, with North America leading and the Asia-Pacific market accounting for lower revenues than the EMEA region.


[Figure 6.4.9: RSA Identity and Access Management Radars. The same three radar charts (user sentiment, technology and impact; 0 to 10 scale) as Figure 6.4.7, plotting RSA against the maximum category score and the average across vendors. Source: Ovum]

RSA Security typically plays the role of the best-of-breed provider in deals that involve the IAM suite providers, and the large-enterprise segment is its focus area. On the strong authentication front, RSA delivers strong authentication through both hardware and software tokens and also provides digital certificates and knowledge-based authentication services. RSA’s adaptive authentication services provide risk-based authentication to consumers of web-delivered applications in a policy-based way: the level of authentication enforced depends on the risk profile of the requestor and of the transaction. The promise of strong authentication has been moderated by the realization that issuing a token to every user and challenging every transaction does not scale well, and that a risk-based approach is necessary.

To that end, RSA provides different levels of authentication: knowledge-based (“what you know”, for example user-selected images), invisible or automatic (based on device identification), one-time-password-based (using hardware or software tokens), and out-of-band. The last approach, out-of-band authentication, is relatively new and has significant growth potential for high-risk transactions, given the rise of man-in-the-middle attacks: a confirmation delivered over a separate channel, for example a phone call or text message that repeats the transaction details, gives the user a view of the transaction that an attacker inside the browser session cannot rewrite. To summarize, RSA has few peers when a cost-effective, strong authentication and access control system is necessary, particularly when transactions and a stringent regulatory environment are involved. The same capabilities and strategic objectives make RSA a strong contender when a large mobile workforce or a large partner community is involved. With regard to the latter, Ovum notes that RSA scores close to the maximum in the Federated Identity Management dimension.

Across the areas adjacent to IAM (SIEM, DLP, and GRC), RSA is strong and active. However, it is not clear to what extent these solutions currently work in conjunction with the IAM suite. IAM coupled with SIEM and DLP is certainly part of how IAM is likely to shape up in the medium term, and RSA is well placed to benefit from the need to formulate a risk-, compliance-, and content-focused approach to IAM management. In January 2010, parent company EMC acquired Archer Technologies, a leading provider of GRC solutions. RSA’s self-reported goals for the acquisition included GRC working in conjunction with RSA’s DLP and SIEM solutions.

Recommendation: Explore

The strong authentication specialist would hardly claim to be an IAM stack vendor, and it has stable and mature partnerships to fill the areas of the market in which RSA does not operate. Naturally, its aggregate Technology scores reflect that focus. However, RSA’s scores this year are lower than would ordinarily be expected on account of the vendor quitting the E-SSO business in 2009. These lower-than-expected Technology scores and a Customer Sentiment score that is marginally lower than average have led Ovum to place RSA Security in the Explore category.


CHAPTER 7: Technology Audits

CA: CA Identity and Access Management Suite

CATALYST

The CA Identity and Access Management Suite is a comprehensive set of products that, either collectively or individually, can be used to meet the identity management requirements of its customers. The identity management and access control requirements of each organization are driven by a number of business and security factors, including compliance, audit, data protection, and risk awareness. Within its content-aware identity and access management (IAM) product portfolio, CA Technologies has the range and depth of technology to address the specific identity management requirements of most organizations.

KEY FINDINGS

• CA IAM has three focus areas: managing identity, controlling user access, and maintaining control over the use of information. All of these issues are relevant to the vast majority of business organizations.

• This extended IAM solution will be of interest to any organization that recognizes the need to address compliance issues by combining its identity management and information protection strategies.

• Platform coverage is broad, making the solution suitable for distributed and mainframe operations, as well as for virtual, on-premise, and cloud environments.

OVUM VIEW

CA Technologies has been actively involved in the management of identity and the delivery of user and business protection services that control enterprise access for more than a decade. During this period, the company has developed, acquired and integrated an extensive range of identity-driven security products, which now shape its ‘content-aware’ approach to IAM.


CHAPTER 7: CA – CA IDENTITY AND ACCESS MANAGEMENT SUITE 135

TECHNOLOGY AUDIT

Strengths:

• Centralized IAM that includes user provisioning and integrated workflow.

• Provides a comprehensive range of user activity and compliance reporting facilities.

• Controls the actions of privileged users for improved security.

• Web access management and web single sign-on (SSO) provide secure, user-friendly web access.

• Integration of data loss prevention (DLP) content knowledge provides improved control over information resources.

Weaknesses:

• Industry concerns over cloud security may hold back future progress in this area.

Key Facts:

• CA Technologies is aligning the use of DLP services with its IAM offering.

• Security information and event reporting add enhanced audit and compliance services.

The CA IAM Suite consists of an integrated set of products and services. Universal workflow, provisioning and role modeling, access management, federation, compliance, reporting, and other core IAM services can be leveraged across the CA IAM Suite, making CA Technologies one of only a small number of vendors that have an end-to-end, full-lifecycle IAM capability.

Importantly, CA Technologies’ content-aware approach to IAM adheres strongly to industry standards. This helps to position the company as a software vendor that can fully support business and operational requirements in order to simplify infrastructure security processes, while continuing to work with products that retain a common look and feel across the business. CA Technologies supports a wide range of common hardware and application platforms, directories, and databases, and can work with mixed environments that include traditional, virtual, and cloud-based models. Also, because of its range of information protection products, CA Technologies has extended its identity management focus to include data usage and management services, including DLP.

Recommendations

• The target market for CA Technologies’ content-aware IAM Suite is predominantly large enterprise customers. These are typically organizations with over 5,000 employees or businesses with annual revenues that exceed $500m. Smaller organizations working in highly regulated industries can also gain value from deploying the product set, but need to consider the cost and operational justifications carefully.

• Universally, the strongest markets for IAM are those sectors that are highly regulated, such as financial services, government, and healthcare. CA Technologies’ customer base is consistent with this, although, because of the maturity of its product set, it has a presence in most vertical markets.

• CA Technologies is well positioned to support new and emerging markets, particularly where growth is supported by the use of virtual systems and cloud-based services. Its access control product helps to secure not only virtual systems but also the hypervisor itself, and its log management facilities provide consistent activity and compliance reporting across all environments.

SOLUTION OVERVIEW

CA Technologies’ IAM approach is comprehensive, due to its range of available products, and wide-ranging, as it can provide numerous levels of business and user protection. The fact that it is wide-ranging is predominantly a strength: whatever range of user and business protection services an organization requires, CA Technologies is likely to have a product to address it. In addition, the breadth of the solution, and the fact that it is highly integrated, can often simplify management of the components through common interfaces. However, with any IAM solution (whether from a single vendor or multiple vendors), a phased approach is highly recommended. Each organization needs to be aware that the foundations of IAM ought to be fully addressed before taking on extended elements such as identity federation and external user management, even though these extended elements continue to be seen as market drivers.

CA Technologies’ content-aware IAM suite consists of an integrated set of products that automate the management of users and their identity-based access to information, throughout the lifecycle of their relationship with an organization and its systems. To put this into context, CA Technologies’ IAM Suite provides a range of core IAM services that manage identity, control user access, and control use of information resources. They are administered through a centralized workflow-based identity lifecycle management approach that includes the creation, modification, deletion, and audit-level reporting of user-access rights. Core IAM facilities include:

• Entitlement-based role management, which delivers full-featured automated role discovery, real-time role management, entitlement management, and audit and analysis reporting.

• Web and enterprise access management, which protects against the improper use of key applications through its ability to restrict and control web and enterprise application access.

• Web and enterprise SSO, which provides secure single-source access to web and enterprise facilities.

• Federated identity management (FIM), which allows identities and their associated access rights to be shared across business operations and with third-party business partners.

• Privileged-user controls, addressed on two levels: privileged-user password management provides one-time administrator passwords and separation-of-duty controls; and privileged-user management delivers granular controls for operating system resources.

• Unix Authentication Broker, which enables Unix and Linux servers to authenticate users through their Active Directory (AD) credentials.

• Service-oriented architecture (SOA) security, including web services security controls.

• Software development kit (SDK) facilities, which allow IAM facilities to be embedded in homegrown applications.

• Software-based strong authentication, including risk-based authentication for fraud prevention.

An extended range of user and data protection facilities to address business and operational security requirements is also available. This includes:

• A suite of DLP products that can be used to discover, classify, and control the use of sensitive information.

• Log management, analysis, and reporting facilities that help organizations to understand and manage user access to information resources and, as a result, help to address compliance and audit requirements.

The products that CA Technologies uses to deliver its range of IAM protection services are all well established within the identity management industry, and include:

• CA Identity Manager (version 12.5).

• CA SiteMinder (version 12.0).

• CA Access Manager (version 12.5).

• CA Role & Compliance Manager (version 12.5).

• CA Federation Manager (version 12.1).

• CA SOA Security Manager (version 12.1).

• CA DLP (version 12.5).

• CA Enterprise Log Manager (version 12.1).

The architecture diagram in Figure 1 identifies where each of these products fits within CA Technologies’ IAM infrastructure and how they interact as a complete IAM suite. It also shows how core IAM services such as provisioning, access entitlements and audit reporting are delivered.


[Figure 1: The CA Identity and Access Management Solution (architecture diagram). Components shown: Role & Compliance Manager (role management, ID governance); Identity Manager (provisioning, ID admin); SiteMinder and Access Control (web access management with SSO, federation, SOA, host access management, privileged user management); DLP (data loss prevention); Enterprise Log Manager (user activity and compliance reporting). Flows labelled: provision (identities, access), entitlements (access), audit and audit summary. Source: CA Technologies]

SOLUTION ANALYSIS

Authentication

Organizations need to maintain strong, efficient and, at the same time, appropriate user-authentication systems: strong, to address compliance and systems protection issues; efficient, to ensure that users are able to fulfill their roles; and appropriate, to allow user access that does not inhibit productivity. CA Technologies promotes user efficiency through its centrally managed authentication, authorization, and SSO facilities, and its automated user provisioning services. Its proposition also extends to the use of federation across collaborative business relationships.

CA SiteMinder manages the authentication of users and controls which users are authorized to access which applications. It determines the conditions and controls under which normal access and extended user privileges can be granted. At the same time, it simplifies access for user groups, relieves the systems administrator’s security burden, and uses its monitoring, policy enforcement and reporting services to address regulatory compliance requirements. SiteMinder supports a wide range of authentication techniques, which is of growing importance to most business organizations as the number and range of information-access demands continues to grow.

The CA IAM suite also includes the WebFort and RiskFort products, which came with the recent acquisition of Arcot. Arcot WebFort is a software-only multi-factor authentication solution that is integrated with CA SiteMinder to transparently protect and verify web users’ identities. It protects users from identity theft and fraud without changing their familiar sign-on experience and without the need for hardware tokens. Arcot RiskFort is a fraud detection and risk-based security system that prevents fraud in both consumer and enterprise online services. It also gives organizations the ability to determine and enforce different levels of authentication based on the acceptable amount of risk for each transaction. When combined with CA SiteMinder, this set of products provides high flexibility and increased security for user authentication services.
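The risk-based step-up policy that Arcot RiskFort is described as enforcing here, and that RSA Adaptive Authentication is described as enforcing in the RSA profile in Chapter 6, can be shown in a few dozen lines. The following Python is an added illustration written for this page, not RSA’s or CA’s code: the risk signals (unknown device, unusual country, impossible travel, money movement, transaction value), their weights, the thresholds that map a score to an assurance level, and the ordering of the assurance levels are all assumptions.

```python
"""Risk-based step-up authentication policy (illustrative).

Added example: this is not RSA Adaptive Authentication or CA Arcot RiskFort
code. The signals, weights, thresholds and assurance levels are assumptions
chosen to show how a risk score drives the authentication level enforced.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set


class Assurance(IntEnum):
    """Authentication levels, weakest to strongest (assumed ordering)."""
    PASSWORD_ONLY = 0   # primary credential only
    KNOWLEDGE = 1       # "what you know" challenge, e.g. user-selected image
    OTP = 2             # one-time password from a hardware or software token
    OUT_OF_BAND = 3     # confirmation over a separate channel (call/SMS)


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str             # browser/device fingerprint ("invisible" signal)
    ip_country: str
    amount: float = 0.0        # transaction value; 0 for a plain login
    is_money_movement: bool = False


@dataclass
class Profile:
    """What is already known about the user."""
    home_country: str
    known_devices: Set[str] = field(default_factory=set)
    last_login_country: Optional[str] = None
    last_login_minutes_ago: Optional[int] = None


def risk_score(req: Request, prof: Profile) -> int:
    """Sum weighted risk signals. Weights are illustrative, not a product's."""
    score = 0
    if req.device_id not in prof.known_devices:
        score += 30   # unrecognised device
    if req.ip_country != prof.home_country:
        score += 20   # unusual geography
    if (prof.last_login_country is not None
            and prof.last_login_country != req.ip_country
            and prof.last_login_minutes_ago is not None
            and prof.last_login_minutes_ago < 60):
        score += 30   # "impossible travel": two countries within an hour
    if req.is_money_movement:
        score += 10   # transactions are riskier than logins
        if req.amount >= 10_000:
            score += 20   # high-value transfer
    return score


def required_assurance(req: Request, prof: Profile) -> Assurance:
    """Weakest authentication level acceptable for this request."""
    score = risk_score(req, prof)
    if req.is_money_movement and score >= 50:
        # A second channel that repeats amount and payee gives the user a view
        # of the transaction that a browser-side man-in-the-middle cannot rewrite.
        return Assurance.OUT_OF_BAND
    if score >= 50:
        return Assurance.OTP
    if score >= 20:
        return Assurance.KNOWLEDGE
    return Assurance.PASSWORD_ONLY


def decide(req: Request, prof: Profile, presented: Assurance) -> str:
    """'allow' if the level already achieved suffices, else the level to step up to."""
    need = required_assurance(req, prof)
    return "allow" if presented >= need else f"step_up:{need.name}"


# Constructed sample data (fictional user and requests)
ALICE = Profile(home_country="GB", known_devices={"dev-a1"},
                last_login_country="GB", last_login_minutes_ago=30)
LOGIN_KNOWN = Request("alice", "dev-a1", "GB")
LOGIN_NEW_DEVICE = Request("alice", "dev-zz", "GB")
TRANSFER_ABROAD = Request("alice", "dev-zz", "US", amount=25_000,
                          is_money_movement=True)

if __name__ == "__main__":
    for r in (LOGIN_KNOWN, LOGIN_NEW_DEVICE, TRANSFER_ABROAD):
        print(f"{r.ip_country} amount={r.amount:>8} risk={risk_score(r, ALICE):>3} "
              f"-> {decide(r, ALICE, Assurance.PASSWORD_ONLY)}")
```

The point to take from it is that the policy decides a minimum acceptable level per request, not per user: a user who has already typed a token code is still stepped up to an out-of-band confirmation for the high-risk transfer, because an OTP entered into a compromised browser proves who is present but not which transaction they intended.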

Provisioning, role management, and certification

Provisioning, role management and certification are important elements of IAM. In the past, poor management and maintenance have caused organizations to lose control over users, entitlements, and roles. CA Technologies’ lifecycle approach begins with the initial creation of user identities. It then takes into account the allocation of accounts and access entitlements that users require, includes the ongoing modification and validation of the need for these entitlements as the user and their roles change, and continues until the removal of provisioned rights on termination.

This approach makes use of role management and role mining capabilities within CA Role & Compliance Manager to streamline the management of users. It also provides compliance processes and controls, such as automated entitlement certification or segregation-of-duties policies, to ensure that the relevant mandates are addressed. CA Identity Manager provides identity administration, provisioning, and auditing for managing user identities. For web users, the product provides provisioning and management of all usage rights and business roles.

From a cost and efficiency standpoint, many of the ongoing provisioning services offered can be set up to be delivered using self-service and delegated administration facilities. CA Role & Compliance Manager adds to the product set’s range of identity management services by streamlining the process of defining, managing, and governing roles and entitlements on an ongoing basis. In addition, CA Enterprise Log Manager provides audit-level user activity monitoring and compliance reporting to complete the provisioning and role management picture.
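To make concrete what role mining, a segregation-of-duties policy and automated entitlement certification actually do in a product such as CA Role & Compliance Manager, here is an added Python example written for this page (not CA’s code). It runs over a constructed set of four fictional users and their entitlements; the single toxic combination, the manager mapping, the birthright exclusion and the subset-based mining heuristic are assumptions for illustration.

```python
"""Entitlement governance: SoD checks, naive role mining, certification items.

Added example, not CA Role & Compliance Manager or CA Identity Manager code.
The data model, the single SoD rule and the mining heuristic are assumptions
chosen to show the mechanics the text describes.
"""
from collections import Counter
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data: which entitlements each (fictional) user holds
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"erp:create_vendor", "erp:approve_payment", "ad:Domain Users"},
    "bob":   {"erp:create_vendor", "ad:Domain Users"},
    "carol": {"erp:approve_payment", "ad:Domain Users", "hr:view_salaries"},
    "dave":  {"erp:create_vendor", "ad:Domain Users"},
}
MANAGER = {"alice": "erin", "bob": "erin", "carol": "frank", "dave": "erin"}

# Toxic combination: holding both halves lets one person commit and conceal fraud
SOD_RULES: List[Tuple[str, str]] = [("erp:create_vendor", "erp:approve_payment")]
BIRTHRIGHT = {"ad:Domain Users"}   # everyone has these; not worth a reviewer's time


def sod_violations(entitlements=ENTITLEMENTS, rules=SOD_RULES) -> Dict[str, List[Tuple[str, str]]]:
    """Users holding both sides of any rule, with the offending pairs."""
    out = {}
    for user, ents in entitlements.items():
        hits = [(a, b) for a, b in rules if a in ents and b in ents]
        if hits:
            out[user] = hits
    return out


def mine_roles(entitlements=ENTITLEMENTS, min_users=2) -> Dict[FrozenSet[str], int]:
    """Candidate roles = entitlement combinations shared by >= min_users people.
    Combinations that are strict subsets of a larger candidate with the same
    support are dropped. Products use richer clustering; this shows the idea."""
    support = Counter()
    for ents in entitlements.values():
        ordered = sorted(ents)
        for k in range(2, len(ordered) + 1):
            for combo in combinations(ordered, k):
                support[frozenset(combo)] += 1
    candidates = {c: n for c, n in support.items() if n >= min_users}
    return {c: n for c, n in candidates.items()
            if not any(c < other and m == n for other, m in candidates.items())}


def certification_campaign(entitlements=ENTITLEMENTS, manager=MANAGER,
                           exclude=BIRTHRIGHT) -> List[dict]:
    """One review item per (user, entitlement) for the user's manager to attest.
    Entitlements that take part in an SoD violation are flagged for the reviewer."""
    violations = sod_violations(entitlements)
    items = []
    for user, ents in entitlements.items():
        toxic = {e for pair in violations.get(user, []) for e in pair}
        for ent in sorted(ents - exclude):
            items.append({"reviewer": manager[user], "user": user,
                          "entitlement": ent,
                          "flag": "sod" if ent in toxic else ""})
    return items


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    for role, n in mine_roles().items():
        print(f"candidate role ({n} users):", sorted(role))
    for item in certification_campaign():
        print(item)
```

Two design choices matter in practice: birthright entitlements are left out of the campaign so reviewers are not trained to rubber-stamp, and the SoD check runs before the campaign is generated so the reviewer sees the conflict on the item rather than discovering it in a later audit.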

Password management

Password management covers user authentication approaches, from those that are supported by the use of simple static passwords, through to well-structured, constantly changing password management infrastructures that operate alongside core IAM components, including SSO, provisioning, role management, and associated helpdesk services.


At the high end of the password management arena, there is a particular need to provide controls that are capable of dealing with privileged-user access. Privileged-user management and privileged-user password management facilities are needed to ensure that key operating system resources and administrator access rights are properly controlled. These are important security areas that many organizations have failed to control, leading to operational system vulnerabilities and lax administrator controls, typically shared, static administrator passwords that are never rotated and whose use cannot be attributed to an individual.

CA Technologies provides privileged-user protection facilities that address both system and administrator control issues. Its Access Control product helps to reduce the risks involved in privileged usage by providing more control over privileged users and their access rights. It addresses administrator access to enterprise data, includes separation-of-duty controls, addresses server-to-server security across business networks and, using CA Enterprise Log Manager’s facilities, provides secure management reporting.
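The one-time administrator passwords and separation-of-duty controls described for privileged-user password management come down to a checkout workflow with a few hard rules. The Python below is an added example for this page, not CA Access Control code; the request/approve/checkout/check-in workflow, the dual-control rule and the `rotate_on_target` hook are assumptions.

```python
"""Privileged-password checkout with one-time credentials and dual control.

Added example, not CA Access Control or CA's privileged-user password
management code. The request/approve/checkout/check-in workflow, the roles
and the rotation hook are assumptions chosen to show the control points.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
PASSWORD_LENGTH = 24


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Fresh credential from the OS CSPRNG; minted once per checkout cycle."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_on_target(system: str, account: str, new_password: str) -> bool:
    """Hypothetical hook: push the new password to the target system.
    A real deployment would do this over SSH, LDAP, WinRM, etc.; here it only
    reports success so the example runs offline."""
    return True


class VaultError(Exception):
    pass


@dataclass
class Account:
    system: str
    name: str
    password: str = field(default_factory=generate_password)
    checked_out_by: Optional[str] = None


class Vault:
    """Shared administrator accounts are never handed out permanently: each use
    is requested, approved by someone else, checked out, then rotated on return."""

    def __init__(self, accounts, approvers,
                 rotate: Callable[[str, str, str], bool] = rotate_on_target):
        self.accounts = {(a.system, a.name): a for a in accounts}
        self.approvers = set(approvers)
        self.requests = {}        # request id -> state
        self.audit = []           # append-only event trail
        self._rotate = rotate

    def request(self, requester, system, name, reason) -> str:
        key = (system, name)
        if key not in self.accounts:
            raise VaultError("unknown account")
        rid = secrets.token_hex(8)
        self.requests[rid] = {"requester": requester, "key": key,
                              "reason": reason, "approved_by": None}
        self.audit.append(("request", rid, requester, key, reason))
        return rid

    def approve(self, rid, approver) -> None:
        req = self.requests[rid]
        if approver not in self.approvers:
            raise VaultError("not an approver")
        if approver == req["requester"]:
            # separation of duties: nobody approves their own privileged access
            raise VaultError("requester cannot approve own request")
        req["approved_by"] = approver
        self.audit.append(("approve", rid, approver))

    def checkout(self, rid, requester) -> str:
        req = self.requests[rid]
        if req["requester"] != requester:
            raise VaultError("request belongs to someone else")
        if req["approved_by"] is None:
            raise VaultError("not approved")
        acct = self.accounts[req["key"]]
        if acct.checked_out_by is not None:
            raise VaultError("already checked out")   # one admin at a time
        acct.checked_out_by = requester
        self.audit.append(("checkout", rid, requester))
        return acct.password      # the only moment the secret leaves the vault

    def checkin(self, rid, requester) -> None:
        req = self.requests[rid]
        acct = self.accounts[req["key"]]
        if acct.checked_out_by != requester:
            raise VaultError("not checked out by this user")
        new_password = generate_password()
        if not self._rotate(acct.system, acct.name, new_password):
            raise VaultError("rotation failed; disclosed credential is still live")
        acct.password = new_password      # the disclosed value is now useless
        acct.checked_out_by = None
        del self.requests[rid]
        self.audit.append(("checkin+rotate", rid, requester))


if __name__ == "__main__":
    vault = Vault([Account("db01", "root")], approvers={"bob", "erin"})
    rid = vault.request("bob", "db01", "root", "INC-1 disk full")
    vault.approve(rid, "erin")
    pw = vault.checkout(rid, "bob")
    print("one-time password issued, length", len(pw))
    vault.checkin(rid, "bob")
    for event in vault.audit:
        print(event)
```

Note the failure path in check-in: if rotation on the target fails, the vault refuses to treat the credential as retired, because the password handed out at checkout is still valid on the system; the audit trail ties every disclosure to a named requester, a named approver and a ticket reference.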

Access control

For organizations in general, one of the most complex IAM issues revolves around maintaining adequate levels of control over their system users. It is an ongoing requirement that has to be enforced properly. CA Access Control addresses the enterprise-wide access control demands of all common systems resources. This includes providing control over all operational systems resources, including systems, applications, programs, files and processes.

As already discussed, these controls are also required to enforce the separation of administrative duties and server controls that are consistent with industry best practices and fulfill audit requirements.

FIM

Today’s interconnected business environments require partner interactions that involve shared access to information, making closer collaboration a necessity. Federated partner networks and the need for increased inter-company connectivity also bring serious complexity, which necessitates FIM products that are able to share identity information securely and openly at a level that meets the needs of each partner in a federated relationship.

CA Federation Manager is a browser-based product that supports federated relationships across internal and external security domains. It controls secure SSO-based interoperability across security domains, including the information-sharing (federated) partnerships that organizations choose to activate with their business partners or cloud providers. The product’s role is to securely manage all interactions between authorized partners, as users transact and collaborate on projects that cross internal and external security boundaries. This involves enabling seamless access to third-party applications, while at the same time using its automation services to drive efficiency and to support new business opportunities.

Extended security management facilities

Included in CA Technologies’ extended content-aware IAM infrastructure is the ability to control how information is being used. Its additional DLP and security information and event management (SIEM) facilities allow organizations to discover, classify, manage and report on data usage.

CA DLP provides a range of data protection facilities that protect data in motion across networks, data in use on endpoint devices, and data at rest on servers and storage repositories. Its use can be aligned with CA Technologies’ core IAM products so that common usage policies and actions can be set up.

CA Enterprise Log Manager enables the filtering, correlation, and consolidation of information and events, and provides reports that can be presented in a range of business and technical views. It also provides a large number of pre-defined reports tailored to the requirements of specific international regulations and best practices.

PRODUCT STRATEGY

Across most industries, the core need for identity-based control and protection systems is moving from owned and user-managed infrastructure to a mixed range of traditional and virtual operations. The emerging use of cloud services also adds to the need for IAM facilities that can provide operational consistency.


CA Technologies recognizes that, despite short-term security concerns, there will be growth in the use of cloud-based environments. It is therefore positioning itself to take advantage of this up-and-coming technology trend with a strategy that includes the provision of ‘security to the cloud’, which extends the use of enterprise security facilities to cloud-based SSO and access control services. Its ‘security for the cloud’ services provide security protection and secure operating environments for cloud providers, and its ‘security from the cloud’ services provide security-as-a-service options for organizations that wish to make use of cloud-based protection services.

MARKET OPPORTUNITY

The target market for CA Technologies and its IAM suite is large enterprises. The company’s experience with IAM shows that while smaller organizations still need it, their problems are often less inhibiting and generally less severe than those of their larger counterparts. CA Technologies has customers in all markets, but with a strong emphasis on heavily regulated sectors such as financial services, healthcare, and security-conscious areas of government and federal agencies.

The company’s products are sold worldwide, but almost two-thirds of its business is still done in the US, with around one-third now coming from Europe, the Middle East and Africa (EMEA) and the emerging Far East markets.

Almost 98% of sales are made direct to market using the company’s sales team, while the remaining 2% is conducted through resellers and business partners.

CA Technologies sees its main IAM competitors as large software vendors such as IBM and Oracle, and to a lesser extent Novell and RSA, as well as Courion in specific areas.

GO TO MARKET STRATEGY

Two licensing models are available: perpetual licensing, with options that vary by product; and a subscription model. In the former, for example, CA SiteMinder is licensed based on the number and type of users, whereas CA Access Control is licensed based on the number of servers being supported. The subscription model uses the same licensing metrics as the perpetual approach, but payments are based on annual or multi-year agreements.

Key business and alliance partners include Atos Origin, Capgemini, and Deloitte, while country-based services partners include Devoteam, EDB, Fujitsu (Australia), Logica, and Telecom Italia.

CA Technologies has a number of specific technology and distribution partner relationships:

• Radiant Logic – CA Technologies resells its Virtual Directory.

• Vordel – the Vordel XML gateway for threat protection is fully integrated into the CA SOA Security Manager product set as an original equipment manufacturer (OEM) product.

• Others – CA Technologies also partners with over 50 additional technology partners through its technology partner program, including ActivIdentity, Anakam, Imperva, KSI, SafeNet, and Sentrigo.

Future enhancements to the IAM product suite are included in CA Technologies’ IAM roadmap. They include the expansion of its content-aware capabilities through the continued integration of complementary components. This approach has particular relevance to CA SiteMinder and CA DLP, which are both being extended so that the sensitivity of the information being accessed can be a factor in the authorization decision. When considering entitlements and the potential for improper use, the roadmap also covers time-of-access issues and the user’s previous use of sensitive information.

IMPLEMENTATION

Average implementation timescales range from pilot projects of around 10 working days to enterprise deployments of about 240 working days. Each implementation requires the technical services of systems and database administrators and, potentially, for the enterprise level option, Java programmers. Business support needs to be provided by HR specialists.

IDENTITY AND ACCESS MANAGEMENT 2011/12 140

CA Technologies offers a range of business support services that can be used to speed up deployment. Its ‘rapid implementation’ approach – which involves fast start-up, fixed-price, and fixed-project implementations that cover the most commonly requested IAM functionality – can be used to get IAM services through to production more quickly. As part of this, CA Technologies offers education, transition, and support services. CA Technologies also offers solution implementations that provide more flexibility in scope and scale in order to address unique customer requirements, as well as post-implementation health checks for product and solution security.

A range of support services is available from CA Technologies, including business-critical support services, which are provided by CA Technologies’ support team. Business-critical support can be engaged by raising a problem ticket electronically via the web or via direct telephone contact. Customers can also search the CA Technologies problem database for resolutions. Typical support pricing is set at around 20% of the product licensing cost and is in line with industry standards.

Customer training requirements are extremely variable. Most organizations require basic administrative training with courses based on the products purchased. These can be provided on site, at a local CA Technologies training facility, or online.

Deployment options include on-premise and hosted, with the former option remaining the most commonly used. CA Technologies provides consulting, deployment and training services so that its customers become confident in managing their own environment. For the hosted option, CA Technologies partners with a number of hosted services providers which manage its solutions from approved hosted environments.

DEPLOYMENT EXAMPLES

British Telecom

British Telecom (BT) provides networked IT, telecommunications and broadband services to customers around the globe. To support future growth and ensure that its services remained competitive, BT needed to build close relationships with its customers and suppliers, and provide secure access to online resources. To achieve this, the company decided to standardize its identity management services on a single IAM provider.

After an extensive benchmarking exercise, BT chose CA Technologies, and its technology now forms the backbone of BT’s reusable authentication capability for staff, suppliers, and customers. CA Technologies’ technology is used to perform around 36 million authentication transactions per day and to enable simplified sign-on for all of BT’s user communities.

The solution’s reusable authentication capability has helped BT to save an average of £4.5m per annum since the operation went live in 2004. It is also said to have enhanced overall customer experience and to have improved BT’s competitive advantage by reducing its time to market for new applications. BT has also extended its CA SiteMinder Web Access Manager deployment with identity federation to enable authorized users to access applications and data hosted by some of the company’s suppliers.

DBS

DBS is one of the largest financial services groups in Asia, with operations in 16 markets, more than 200 branches, and over 1,000 ATMs across 50 cities. The company needs to offer transactional services to its customers that are fast, convenient, and secure. Previously, it managed identities and access from within individual applications. DBS decided to implement an IAM platform that was centralized and could integrate with its existing online systems. The company selected CA Technologies and its SiteMinder, Identity Manager, and directory services as the basis of its IAM platform.

CA SiteMinder is used to provide two-factor authentication, and to eliminate the company’s previous security silos. Users now have SSO across their financial applications, which has helped to improve the overall user experience. CA Identity Manager is used to administer user profiles, track the distribution of hardware tokens, and allow customer self-service for password resets.

Using CA IAM technology, DBS has achieved the following benefits: two-factor authentication for all customers; improved customer satisfaction rates through SSO and self-service; reduced risk of fraud due to improved security; and self-service cost savings.

CHAPTER 7: CA – CA IDENTITY AND ACCESS MANAGEMENT SUITE 141

The Louisiana Rural Hospital Coalition

The Louisiana Rural Hospital Coalition (LRHC) is a state-wide organization that represents 41 small rural hospitals. LRHC is responsible for finding ways to improve the level of healthcare services provided to the rural communities that these hospitals support. The problems it faced included the inability to share hospital records securely, which resulted in Health Insurance Portability and Accountability Act (HIPAA) compliance issues. After a thorough evaluation project, LRHC selected an integrated IAM solution from CA that includes SiteMinder, Identity Manager, and Access Control.

CA Identity Manager provides LRHC with a centralized identity administration interface for user accounts. Additionally, it plans to use Identity Manager to provide self-service password-reset facilities. CA SiteMinder is used to authenticate users for the LRHC portal and to control access to its hosted applications. CA Access Control provides authorized administrators with role-based access to the supporting infrastructure and servers, protects sensitive patient data, and enables security policies that enforce the segregation of duties, as required by HIPAA.

LRHC recognizes that it has achieved significant benefits through deploying CA Technologies’ IAM technology, including cost savings due to de-duplication, and the ability to share information between hospital practitioners, including shared access to patient records that can be accessed in real time. Granular authorization to portal applications is also now provided, so that access to these applications is easier, without giving practitioners too many entitlements.

World headquarters: CA Technologies, One CA Plaza, Islandia, New York 11749, USA. Tel: +1 (800) 225 5224. Fax: +1 (631) 342 6800.

EMEA headquarters: CA Technologies, Ditton Park, Riding Court Road, Datchet, Slough, Berkshire SL3 9LL, UK. Tel: +44 (0)1753 577733. Fax: +44 (0)1753 825464.

www.ca.com


Technology Evaluation and Comparison Report

WWW.OVUM.COM

ENTRUST: Entrust IdentityGuard, GetAccess, & TransactionGuard

Butler Group Incorporating OVUM

CATALYST

The growth in demand by business users and consumers for access to systems and networks from any available location at any time forces IT administrators to provide unhindered access to the intellectual property of their organizations, while ensuring that critical data is not compromised. The need to adhere to compliance and regulatory requirements demands further care and collectively drives the requirement for identity and access management (IAM) solutions such as Entrust’s products, which support the effective management of identity, authentication, access, and business and consumer protection.

• Entrust provides a well-rounded IAM solution that focuses on business user and consumer needs that necessitate the effective management of user identity, risk-based authentication, and fraud detection.

• The product set provides a risk-based strong authentication platform that can be tailored to meet specific organizational needs.

• Fraud protection for consumers is addressed by the TransactionGuard product set.

• Core markets focus on two significant verticals: government and financial services. The solution also caters for other industries using its extensive range of web and enterprise facilities.

KEY FINDINGS

OVUM VIEW

The IAM market is highly competitive, as one would expect from a sector that includes large IAM and infrastructure providers such as Oracle, Sun, IBM, and CA. In response, Entrust provides an impressive portfolio of identity-based authentication, access control, and user protection products.

The latest releases of the Entrust IdentityGuard, GetAccess, and TransactionGuard platforms provide an extensive and integrated range of identity management, risk-based authentication, access control, and real-time fraud detection facilities. Their strength comes from the company’s all-round ability to build and deliver an integrated set of identity-driven protection solutions that are relevant to the everyday business and operational needs of a wide-ranging group of businesses, irrespective of their size or location.


CHAPTER 7: ENTRUST – ENTRUST IDENTITYGUARD, GETACCESS, & TRANSACTIONGUARD 145

TECHNOLOGY AUDIT

Strengths:

• Makes available a wide range of cost-effective, strong authentication facilities.

• Fraud prevention facilities are available as a mainstream component of the product set.

Weaknesses:

• Provides a rich and customizable policy platform in its web access control solution, but GetAccess lags behind in current web services standards support.

Key Facts:

• Does not require additional client software to deliver end-user authentication services.

• Entered into a merger agreement with Thoma Bravo in July 2009.

By making available a flexible range of single- and multi-factor authentication facilities, Entrust enables organizations to put in place appropriate authentication facilities that balance operational demands against business risk and regulatory compliance requirements. Add to this the solution’s enhanced reporting and auditing capabilities, and Entrust has a well-rounded offering that enables organizations to build an integrated identity-based approach to the management and control of user access.

Recommendations

• The Entrust IAM platform suits large enterprises in that the inherent scalability of the overall solution enables it to deal with large and growing user communities. Traditionally government, financial services, healthcare, and telecommunications have proven to be the company’s strongest areas of success. This is also due to the solution’s regulatory and associated industry control capabilities.

• In North America, Entrust’s direct sales force concentrates its efforts on large enterprise opportunities. Outside North America, and for small and medium enterprise (SME) sales, deals are made through partner channels, an area in which sales of its IdentityGuard product set have enjoyed success.

• Organizations typically select Entrust due to the high quality of its integrated product set, and because of its good reputation for the quality of its customer support and partner services. That the company has a renewal rate of over 90% supports the fact that its products are based on good technology, and it ranks high in terms of thought leadership, introducing market-relevant technology and understanding business needs.

SOLUTION OVERVIEW

Entrust IdentityGuard, Entrust GetAccess, and Entrust TransactionGuard form the core components of the company’s IAM technology platform.

IdentityGuard

IdentityGuard is a risk-based authentication platform that includes the ability to deliver multiple levels of user and server authentication, which can be tailored to meet the risk management requirements of organizations and their various communities of information users. It uses a stateless architecture to deliver its services; therefore, load balancing and failover are easily accomplished using redundant servers.

GetAccess

GetAccess is a web-based, high-performance, functionally scalable web access control solution. Its role involves the provision of centralized access management to multiple applications using a single portal approach. The product has the capability to support SSO environments, provide access control to systems and applications, and control entry down to authorized groups, roles, and individual users. In addition, it is looking to extend its influence to the federated management requirements of internal and external access-control relationships.

TransactionGuard

TransactionGuard is a real-time fraud detection solution consisting of three core components: Real Time Fraud Detection, FraudMart, and the Open Fraud Intelligence Network, which transparently monitors transactions and uses passive detection techniques to identify fraudulent activity. The product uses behavioral understanding of transaction patterns and non-invasive fraud notification methods to deliver its protection services. Its real-time fraud detection identifies “normal” patterns of behavior via a rule-based approach (which helps reduce false positives) in combination with other factors such as the user’s location, the time of day, and function usage patterns. All these factors are individually assessed by user-configured rules, which are used to determine a risk score. Based on the score attained, TransactionGuard uses application logic to decide what action is appropriate (for example, to stop a transaction based on potential fraud, or make contact with the customer to discuss the circumstances).
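As an added illustration of the rule-based scoring just described (this is not Entrust code; the rule names, weights, score bands, user profile and transaction records are constructed for this example), a small engine that assesses location, time of day, function usage and amount independently, sums the contributions into a risk score, and maps that score to an action:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Transaction:
    user: str
    amount: float
    country: str   # country of the session's IP geo-location
    hour: int      # local hour of day, 0-23
    function: str  # application function used, e.g. "transfer"


@dataclass
class UserProfile:
    """'Normal' behaviour for one user, as learned from past transactions."""
    usual_countries: set
    usual_hours: range
    usual_functions: set
    typical_amount: float


# A rule looks at one factor only and returns its contribution to the score.
Rule = Callable[[Transaction, UserProfile], int]


def rule_location(tx: Transaction, p: UserProfile) -> int:
    return 40 if tx.country not in p.usual_countries else 0


def rule_time_of_day(tx: Transaction, p: UserProfile) -> int:
    return 15 if tx.hour not in p.usual_hours else 0


def rule_function_usage(tx: Transaction, p: UserProfile) -> int:
    return 20 if tx.function not in p.usual_functions else 0


def rule_amount(tx: Transaction, p: UserProfile) -> int:
    # Graded: a mildly unusual amount scores less than a wildly unusual one.
    if tx.amount > p.typical_amount * 10:
        return 30
    if tx.amount > p.typical_amount * 2:
        return 15
    return 0


# Which rules are active and their weights are operator-configured; constructed here.
RULES: Dict[str, Rule] = {
    "location": rule_location,
    "time_of_day": rule_time_of_day,
    "function_usage": rule_function_usage,
    "amount": rule_amount,
}


def risk_score(tx: Transaction, p: UserProfile) -> Tuple[int, Dict[str, int]]:
    """Assess every rule independently and sum; keep the breakdown for the audit trail."""
    breakdown = {name: rule(tx, p) for name, rule in RULES.items()}
    return sum(breakdown.values()), breakdown


def decide(score: int) -> str:
    """Application logic: map a score band to an action (bands are constructed)."""
    if score >= 60:
        return "block"    # stop the transaction as potential fraud
    if score >= 30:
        return "contact"  # hold the transaction and contact the customer
    return "allow"


def assess(tx: Transaction, p: UserProfile) -> Tuple[int, str, Dict[str, int]]:
    score, breakdown = risk_score(tx, p)
    return score, decide(score), breakdown


# Constructed sample profile and transactions for the walk-through.
ALICE = UserProfile(usual_countries={"GB"}, usual_hours=range(7, 23),
                    usual_functions={"balance", "transfer"}, typical_amount=200.0)

SAMPLE_TRANSACTIONS: List[Transaction] = [
    Transaction("alice", 50.0, "GB", 10, "balance"),     # entirely normal
    Transaction("alice", 500.0, "GB", 21, "transfer"),   # only the amount is unusual
    Transaction("alice", 1500.0, "GB", 3, "transfer"),   # odd hour + larger amount
    Transaction("alice", 3000.0, "RO", 3, "add_payee"),  # every factor is unusual
]


def run_samples() -> List[Tuple[int, str]]:
    """Score each constructed transaction against Alice's profile."""
    return [(score, action) for score, action, _ in
            (assess(tx, ALICE) for tx in SAMPLE_TRANSACTIONS)]


if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        score, action, breakdown = assess(tx, ALICE)
        print(f"{tx.function:>10} {tx.amount:>8.2f} {tx.country} {tx.hour:02d}h "
              f"-> score {score:3d} {action:8s} {breakdown}")
```

The per-rule breakdown is returned alongside the score so that an analyst reviewing a blocked transaction can see which factor drove the decision.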


Combining the use of Entrust’s IdentityGuard, GetAccess and TransactionGuard products enables organizations to leverage full control over who gets access to corporate information, as well as dealing with customer and citizen access to applications. It then, at a transaction level, takes into account the risk factors and requirements of all users and systems involved.

It is clear that some identity management solutions make demands on their clients that either do not fit their individual risk profiles or do not realistically meet their security needs – either under- or over-delivering on their protection requirements. Entrust’s solution, on the other hand, appears more pragmatic, offering a more focused approach that ensures that its services and protection products are able to closely fit the needs of individual customers.

Entrust also provides an extensive range of complementary identity, access control, and user protection products that can be tailored to meet the needs of organizations and their users. These include:

• Entrust Authority, Entrust’s public key infrastructure (PKI) solution, which supports the delivery of encryption, digital signature and secure authentication services, and is offered either as a self-hosted solution or as a service.

• Entrust Certificate Services are available to secure and increase confidence in an organization’s website. This is achieved by providing secure sockets layer (SSL) communications between web browsers and web and application servers, thereby enabling the security management of digital certificates, including support for Extended Validation (EV) and Unified Communication (UC) certificates, as well as Code Signing and Adobe Certified Document Service (CDS) certificates to enable trusted software and digitally signed documents.

• Entrust Entelligence Suite, which delivers a portfolio of products that provide organizations with SSL services across multiple enterprise applications. It includes: Entelligence Security Provider (ESP), a desktop protection component; a messaging server (the company’s secure email gateway product); and Group Share, a network folder encryption product. The suite supports strong authentication techniques, including the use of digital signatures and encryption, and provides PKI protection for desktop users to securely authenticate their access rights.


Figure 1: Entrust Architecture (Source: Entrust)

• Entrust Secure Transaction Platform, which supports the secure use of web services transactions. In the web services environment, it provides a range of authentication, authorization, digital signature, and encryption facilities.

• Entrust TruePass is a PKI-based web security product that provides persistent security from the browser through to the web server, and to back-end application servers when authenticating visitors to a web portal. It enables users to digitally sign online transactions, and supports persistent data encryption and digital receipts. Another of its primary roles is to increase confidence in the use of online transactions.

In partnership with SafeNet, Entrust distributes SafeNet iKey 2032 tokens as Entrust USB tokens, which provide two-factor authentication to desktops, virtual private networks (VPNs), wireless LANs and web portals for secure remote and network access. They are also designed to work with Entrust’s PKI product set. The company provides a range of enterprise-level, encryption-based content protection facilities to protect information assets as they enter and leave the organization, but is not looking to provide a full DLP offering.

In its latest version, Entrust has enhanced its range of authentication options by providing organizations (in partnership with SafeNet) with a multi-purpose secure smartcard. This device is capable of generating and storing all of a user’s personal credentials, including private keys, passwords, and digital certificates.

SOLUTION ANALYSIS

Authentication

In addition to the various one-time password (OTP) hardware and software tokens that are available within the Entrust IdentityGuard solution, the range of authentication methods supported is extensive. They include:

• Grid authentication – plastic or paper cards with unique alphanumeric grids.

• Machine authentication – authentication of each user’s preregistered machine at login or during high-risk transactions.

• Mobile authentication – out-of-band authentication enables software-based one-time passwords to be generated on a user’s mobile device, or sent to the device using SMS, email, PDA, voice, or other supported channels. In addition, Entrust IdentityGuard Mobile provides strong authentication for online financial transactions, providing users with details of their transaction out-of-band and generating an OTP on the mobile device based on the transaction details.

• Digital certificates – leveraging existing X.509 digital certificates issued from Entrust or a third party to authenticate users. Certificates can be stored locally or on secure devices like smart cards and USB tokens. Organizations without an in-house PKI can obtain certificates via the Entrust Managed Services PKI.

• Knowledge-based authentication – an approach that is supported by challenging each user to answer preregistered questions.

• Scratch card authentication – users are supplied with unique OTP lists; each use provides OTP authentication and is then redundant.

• IP geo-location authentication – assesses a user’s identity based on geo-location technology.

• Mutual authentication – allows end users to respond to an image and/or text that is unique to them in order to authenticate the service to the user.

Entrust also supports image and pass-phrase replay, a personalized and responsive approach in which a user-selected image or phrase is displayed to prove that a site is valid.

Entrust’s use of soft mobile authentication tokens has significantly improved its range of authentication services, and its out-of-band transaction verification and SMS features are particularly relevant, given that man-in-the-middle and man-in-the-browser attacks are on the rise. This dynamic approach enables organizations to use extended and difficult-to-compromise authentication techniques.
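An added example (not Entrust’s algorithm) of the out-of-band transaction verification referred to in the mobile authentication bullet above and in this paragraph: the OTP shown on the mobile device is computed over the transaction details the user is asked to confirm, so it validates only for those exact details, and once consumed it cannot be replayed. The HMAC construction, shared secret, counter handling, look-ahead window and sample transaction are all assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # length of the code the user types back into the browser


def canonical(details: dict) -> bytes:
    """Deterministic encoding of the details shown to the user out-of-band."""
    return "|".join(f"{k}={details[k]}" for k in sorted(details)).encode()


def transaction_otp(secret: bytes, counter: int, details: dict) -> str:
    """OTP bound to a counter (one-time) and to the transaction details.

    Constructed for this example: HMAC-SHA256 over counter || details, with
    RFC 4226-style dynamic truncation reduced to DIGITS decimal digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter) + canonical(details),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class MobileToken:
    """User side: receives the details out-of-band, shows them, generates the OTP."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def confirm(self, details: dict) -> str:
        # In a real deployment the user reads `details` on the device and
        # approves them before the OTP is displayed.
        otp = transaction_otp(self.secret, self.counter, details)
        self.counter += 1
        return otp


class TransactionVerifier:
    """Server side: recomputes the OTP for the transaction it is about to execute."""

    WINDOW = 3  # look-ahead to tolerate a few OTPs generated but never submitted

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def verify(self, details: dict, submitted_otp: str) -> bool:
        for c in range(self.counter, self.counter + self.WINDOW):
            expected = transaction_otp(self.secret, c, details)
            if hmac.compare_digest(expected, submitted_otp):
                self.counter = c + 1  # consume: a replay of this OTP now fails
                return True
        return False


def demo() -> dict:
    """Walk through an honest confirmation, a replay, a tampered submission."""
    secret = b"constructed-shared-secret-for-example"  # constructed, per-user in practice
    device, server = MobileToken(secret), TransactionVerifier(secret)
    details = {"amount": "250.00", "currency": "GBP", "payee": "GB00EXAMPLE1234"}
    # Same transaction with the payee changed between approval and submission.
    tampered = dict(details, payee="GB00EXAMPLE9999")

    otp = device.confirm(details)
    results = {"honest": server.verify(details, otp)}
    results["replay"] = server.verify(details, otp)          # already consumed

    otp2 = device.confirm(details)
    results["tampered"] = server.verify(tampered, otp2)      # details differ
    results["untampered_again"] = server.verify(details, otp2)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>17}: {'accepted' if accepted else 'rejected'}")
```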


Enterprise and web SSO

In web environments, Entrust IdentityGuard sits behind existing SSO/access control applications. It makes third-party authentication checks, effectively challenging the user and returning a pass or fail assertion to each access request. For enterprise remote access deployments, the product normally sits alongside an existing remote authentication dial-in user service (RADIUS) server to provide the same assertion services.

GetAccess provides role- and rule-based service delivery approaches. When used as an integrated component of an Entrust identity management strategy, it enables web SSO identity profiles to be used across an organization’s infrastructure and beyond where conformant third-party federated agreements exist. This level of protected access is delivered through the integrated use of centralized provisioning, workflow, auditing, reporting, and self-service delivery facilities.

User provisioning and role management

Entrust GetAccess uses policies to enhance role-based access control (RBAC) and to restrict user access to portal resources based on context-sensitive granular policy controls. It also provides logging information, which helps organizations track and control user access and policy execution. At the same time, Entrust IdentityGuard allows administrators to centrally access user and authentication management functions through its well-laid-out web administration interface. The interface enables administrators to create and assign authenticators to users, create policies based on groups and roles as well as across all users, assign temporary pass codes, configure necessary authentication methods (as per the needs of the organization), and update user status. All of these functions can also be performed using a web services application programming interface, which supports easy integration with user identity management and provisioning systems.

Password management

The ability to manage passwords comes as a standard part of the Entrust IAM product set. The offering provides an open range of password control facilities that can be tuned to meet an organization’s needs. The Entrust approach allows decisions on required password controls to be taken based on user access and information needs. Using the IdentityGuard Self-Service Server, the solution allows users to self-enroll. It also helps administrators to manage their users effectively. This includes activities such as self-registration (choosing a mutual authentication image, registering for either a grid or token, or both) and self-administration tasks (unlocking a challenge response token or changing or recovering a password). GetAccess’s session management service is also used to create, validate, and remove user sessions and provide session-tracking facilities.

The Entrust IdentityGuard Server is used to capture user activities, which, in turn, expands the solution’s reporting capabilities. Its workflow capabilities allow customization to take place so that organizations can configure interlinked commands as per their process needs. For example, this could involve configuring a series of commands to ensure that appropriate individuals are notified if a particular user loses their card or token.

Access management

Authentication requests accepted during enrollment or login are managed by the Entrust identification service. It forwards each request to the authentication and authorization modules or supporting web service for validation. The system’s authentication modules contain specific functionality for each particular type of authentication request and, if a request is successful, a new session is granted through the Entrust GetAccess session management service.

Entrust GetAccess delivers a range of services that effectively handle all key access management requirements. These include runtime services for web servers, which intercept incoming requests for resources, and the GetAccess entitlements service, which determines and controls the resources each user is allowed to access.

Other access management facilities supported within the GetAccess product set include login services, multi-domain services, and registry services. The system’s authentication and authorization modules are used to support authentication methods, including user ID and password, Lightweight Directory Access Protocol (LDAP) directories, Vasco tokens, X.509 certificates and smartcards, Microsoft .Net services, plus Entrust-specific and third-party authentication and authorization modules.


FIM

Entrust GetAccess provides SSO and single log-out across multiple applications that can reside in a single domain, multiple domains, or in domains that are federated through Security Assertion Markup Language (SAML) 1.x or 2.0. It supports integration with an organization’s web partners and affiliates to deliver an improved and seamless end-user experience. Using its SAML capabilities, GetAccess provides identity federation services as both an identity provider and a service provider. GetAccess is certified for the US government’s eAuthentication initiative, and completed SAML 2.0 conformance under the Liberty Alliance in 2006 and again in 2009. Because of the product’s attribute sharing capability, it is possible to validate authentication across federated or bridged PKI environments.

Entrust believes that the market is just starting to recognize the need for fully-featured federation services and is keen to extend its portfolio to include specific identity federation capabilities in other products. To achieve this objective, the company will be extending its SAML support to IdentityGuard during 2010.

PRODUCT STRATEGY

Entrust has set its target market fairly wide for its IdentityGuard and GetAccess solutions. These products are generally targeted at medium to large enterprises that are looking to make use of a cost-effective, strong-authentication IAM solution. Additionally, IdentityGuard’s design has also allowed it to be deployed in SMEs. The one exception to this open-market approach is TransactionGuard, which, due to the focus of its core fraud detection facilities, is primarily targeted at financial institutions.

Entrust makes great play of its products’ return on investment (ROI) capabilities. For example, Entrust IdentityGuard’s ROI, compared with other traditional two-factor authentication solutions, is positioned as a low-cost option, focusing mainly on the use of non-infrastructure-based authentication methods that are less expensive to acquire, deploy, and manage. The supporting and very credible argument in favor of this approach is that IdentityGuard gives customers an open choice. Entrust does not mandate strong or weak authentication; customer organizations can make their own choices based upon strength, usability, regulatory compliance and risk profile requirements. Other measurable savings include reduced helpdesk overheads, due to the availability of self-service facilities that result in lower levels of password reset requests.

Entrust operates a multi-channel go-to-market strategy that includes direct sales in North America and sales via strategic partners in Europe and Asia. It also makes use of value-added reseller channels.

IMPLEMENTATION

Entrust positions its implementation approach as low-risk, with minimal impact on the existing operational systems. In the main, this is due to there being no need to modify a customer’s applications. Entrust deployments typically involve product installation, configuration, fraud rule tuning, live deployment and associated operational training. Entrust claims that its IdentityGuard, GetAccess and TransactionGuard solutions are straightforward to deploy; in particular, it claims that there is no firm need to use specialist resources to implement the company’s solutions.

For example, Entrust IdentityGuard is positioned as straightforward to install and, in operational use, leverages and integrates with existing user repositories, such as AD, other LDAPs, or database structures. Web application integration is accomplished using simple Java calls or direct Simple Object Access Protocol (SOAP) calls. For front-end integration requirements, such as working with remote access VPN systems, change requirements are limited to configuration changes within associated RADIUS servers. However, Entrust also makes available the facilities of its own professional services expertise.

For any IAM vendor, putting an accurate figure on average implementation timescales is difficult, as no two identity management projects are the same, and customer requirements range from simple to complex. However, across the board, Entrust products provide good platform support for a decent range of mainstream servers, web servers and databases. Entrust can provide appropriate training for all of its products, and detailed documentation is available to back up its efforts. The company provides 24/7 first- and second-line telephone support for its complete product portfolio, and makes available customer extranet facilities.


Entrust is privately owned following the July 2009 decision of its stockholders to approve its merger agreement with Thoma Bravo. As a result of the increased financial backing that the new relationship provides, the company’s future points toward growth through appropriate mergers and acquisitions, which will also help Entrust to remain a focused identity-based security company. Thoma Bravo is a leading private equity investment firm that has been providing equity and strategic support to experienced management teams and building growing companies for more than 28 years.

DEPLOYMENT EXAMPLES

Bank of New Zealand

Bank of New Zealand selected Entrust’s IdentityGuard product based on its ease of use and the ability of the company to brand the grid card that it needed to use, and because of the significantly lower cost per user that it was able to achieve. Deploying Entrust IdentityGuard enabled Bank of New Zealand to offer strong authentication to all new consumer banking customers, rather than just a subset of users. During the first phase of the project, approximately 25,000 users were deployed within two weeks of the launch. In less than nine months, the bank issued over 130,000 grid cards, which represented close to half of its current online population. As a next step in the bank’s campaign against online fraud, it implemented additional Entrust IdentityGuard capabilities, including device, knowledge-based and mutual authentication.

Banco Santander

NeoSecure SA is the first Latin-America-based Entrust partner to implement and deploy Entrust IdentityGuard. Based in Chile, NeoSecure was responsible for developing a robust authentication solution for Banco Santander, based on Entrust’s IdentityGuard technology. This solution has significantly increased the level of security for the bank’s clients, protecting online users against data breaches and identity fraud while conducting Internet banking transactions. Use of the IdentityGuard solution is evolving and is now also being used to support authentication for the organization’s telephone banking operation. These innovative facilities are being offered by the bank free of charge to its customers.

Xerox

Xerox operates in 160 countries with 53,700 employees worldwide. The company’s previous online authentication solution made use of expensive, battery-powered tokens for roughly 20,000 members of its workforce. Its target was to protect four times that number of employees, contractors and business partners (approximately 80,000 users) with a more seamless and cost-effective solution. The organization realized that the implementation of strong, two-factor authentication was necessary to protect its business and users from today’s online threats. It chose the Entrust IdentityGuard grid card authentication solution because this simple-to-use and cost-effective solution provided a flexible and low-cost answer that allowed Xerox to meet its extended user protection and cost-saving goals.

DnB NOR

DnB NOR is the largest financial institution in Norway. It is responsible for the protection of more than 1.7 million online consumers and private and corporate banking customers. The organization wished to implement a seamless fraud detection strategy that would not require invasive integration with its existing back-end applications. To achieve these objectives, DnB NOR is using Entrust to provide real-time fraud detection and historical analysis facilities. Its fraud protection tools, coupled with critical data from the Entrust Open Fraud Intelligence Network, help protect against online transaction fraud. The real-time protection facilities provided by Entrust also enable DnB NOR to collect data that help the organization to identify current and future potential fraud threats before they happen.

US Bank

US Bank, a top-five commercial bank in the US, was initially looking to address fraud threats within its online retail banking application. It implemented Entrust’s TransactionGuard real-time fraud detection solution to provide visibility to all web interactions with customers. The solution allows the client to monitor user transactions for fraudulent behavior and perform forensic analysis to determine what happened in cases of fraud. TransactionGuard also enables the bank to define new fraud rule patterns for automated detection. The organization quickly expanded its use of the Entrust solution to protect 28 retail and business banking applications without affecting its existing banking applications, and is further extending its use of the solution to include strong authentication via Entrust IdentityGuard, which will be triggered by risk levels determined by TransactionGuard.

CHAPTER 7: ENTRUST – ENTRUST IDENTITYGUARD, GETACCESS, & TRANSACTIONGUARD 151

Entrust worldwide headquarters
One Lincoln Center
5400 LBJ Freeway
Suite 1340
Dallas, Texas 75240
USA
Tel: +1 (972) 728 0447
Fax: +1 (972) 728 0440

EMEA headquarters
Unit 4 Napier Court
First Floor, Napier Road
Reading, Berkshire
RG1 8BW
UK
Tel: +44 (0)118 9533000
Fax: +44 (0)118 9533001

www.entrust.com

IDENTITY AND ACCESS MANAGEMENT 2011/12 152


EVIDIAN:

Evidian IAM Suite (version 8)


CATALYST

The Evidian IAM Suite consists of a broad range of integrated and modular identity and access management (IAM) components that enable organizations to employ a controlled and coherent approach to the management of user identity and access control policies in support of their enterprise operations.

• Evidian IAM is used across all business sectors. Particular focus is currently being placed on government and healthcare in the public sector, and on specialist trading elements of financial services operations.

• Systems access demands extend beyond corporate boundaries, and information needs to be shared with business partners. This is a cross-industry solution that provides a pragmatic approach to federation.

• Its key components are: role management, which defines and applies security policies; identity management, which controls digital identities; and access management, which secures access to systems and data.

• The primary market for the Evidian IAM Suite is medium- to large-enterprise organizations that are looking for an integrated IAM approach that functions across distributed heterogeneous infrastructures.

KEY FINDINGS

OVUM VIEW

Evidian IAM Suite (version 8) is a fully featured IAM offering. Its core components cover the key user and systems control areas of role management, identity management, and access management. Within the solution, Evidian adopts a workflow-driven, policy-based approach to address how its identity-centric access control facilities are delivered. It then continues to retain all elements of user and usage control as the requirement extends to managing federated relationships with business partners.


CHAPTER 7: EVIDIAN – EVIDIAN IAM SUITE (VERSION 8) 155

TECHNOLOGY AUDIT

Strengths: • A mature product that supports key areas of access, identity, and role management.

• Unifies and maintains control over user access rights, irrespective of location, while retaining the required levels of control on behalf of the business.

Weaknesses: • Market penetration away from EMEA, particularly into North America, remains elusive.

Key Facts: • Operational platforms supported include Windows, Linux, Solaris, and IBM Advanced Interactive Executive (AIX). HP/UX and z/OS are supported as provisioning connectors.

The strength of the solution comes from its ability to unify and maintain centralized control over user access rights, while building automated delivery processes that support ease-of-access for all users, and retaining the required levels of control on behalf of the business. Central management is supported by the product’s ability to operate across distributed environments and efficiently deliver local services at source.

To date, many IAM projects have struggled to achieve their aims due to overly complex objectives and unrealistic goals. Whenever practical, Evidian uses a simple start-up approach that focuses on key business requirements such as SSO services for the most important user groups, and then switches to a phased approach that can be extended to deliver enterprise and wider benefits.

Recommendations

• Organizations that can gain business advantages from an enterprise or even a global enforcement policy towards the management of users and their systems’ access rights should consider the Evidian IAM Suite. It is recommended particularly for those that operate distributed operations or support the access needs of remote and mobile workers.

• To date, Evidian has not provided a solution that addresses the small business market, and this remains an area where it has little or no presence. However, things are likely to change over the next two years. The company is preparing a packaged SME approach (for organizations with 500–5,000 users) that will start with the release of its Ready-To-Go SSO edition of access management.

• Evidian provides an inclusive set of IAM facilities that have the control and flexibility to address the needs of a wide range of business organizations. This makes the Evidian IAM Suite the type of user and business protection product that organizations ought to deploy and retain.

SOLUTION OVERVIEW

Evidian IAM Suite is both an integrated and modular IAM solution. The suite has three core components: role management, identity management, and access management.

Role management

Role management defines, applies, and manages security policies within the IAM environment. Its services are aligned with the need for strong business-focused protection processes. Role management services are delivered using the Evidian Policy Manager and Evidian Approval Workflow products.

Evidian Policy Manager provides a single-console control approach to web and enterprise usage. It defines and enforces organizational security policies. Policy Manager delivers its services using the Evidian reconciliation engine to detect and report on differences between an organization’s identity and access policies and the actual state and access usage of its systems. The product controls the organization’s IT security policy as it relates to system users, their roles, and their access rights. Using Evidian Policy Manager, an employee’s usage rights depend on their role within the organization; therefore, their access permissions relate directly to real-world business roles.

Evidian Approval Workflow automates decision-making chains, from access rights approval to account creation. It puts in place an organized responsibility chain to deal with the lifecycle management of identity. Workflow processes are defined through a graphical interface using a web forms feature, and are equipped with escalation and delegation facilities triggered by predefined control parameters.


Identity management

Evidian identity management addresses the creation and maintenance needs of users and their digital identities. Its services are supported by Evidian’s User Provisioning and ID Synchronization products.

Evidian User Provisioning

Evidian User Provisioning enables administrators to automatically provision user accounts and their information across distributed and heterogeneous environments. Once usage policies have been defined, User Provisioning ensures that they are enforced. The product’s automated reconciliation engine checks policies against what is happening in the live environment and, where necessary, allows corrective actions to be taken. Integration with the suite’s SSO facilities assists with the identification of inactive or orphan accounts, and approval workflow is used to automate decision-making chains.

Evidian ID Synchronization

Evidian ID Synchronization creates a sustainable identity repository to store all identity-related data. It synchronizes and consolidates identity data and uses it to build an organization’s LDAP directories. The approach is particularly valuable to operations that work across distributed environments with multiple heterogeneous identity sources, and can also be used to create directories from scratch.


[Figure 1: Evidian Identity and Role Management Architecture. Source: Evidian. Diagram labels: Policy Manager, Approval Workflow, User Provisioning, Reconciliation, SIB, Applications, Identity repository, Administrator, End user; flows labelled Requests, Provisioning process and Reconciliation process.]

Access management

Evidian access management secures access to systems and applications by controlling how users make their connections. It delivers strong authentication, password management and access auditing services. The Evidian products involved are Evidian Enterprise SSO, Evidian Web Access Manager, Evidian SOA Access Manager, Evidian Access Collector and Evidian Data Privacy.

Evidian Enterprise SSO

Evidian Enterprise SSO is a fully featured and scalable SSO product. Its services operate in conjunction with complementary security products such as multi-factor authentication tokens, smartcards, USB keys, biometrics, and certificate-based digital signatures. Self-service enrollment facilities are included. They are delivered through a browser-based interface that enables authorized users to self-enroll, amend passwords, and reset existing credentials.

Evidian Web Access Manager

Evidian Web Access Manager is a central access control facility for web applications. It supports the use of password, RADIUS, token, certificate, smartcard and biometric authentication. The product enables secure interoperability across federated user communities through its support for SAML-based identity credentials.

Evidian SOA Access Manager

Evidian SOA Access Manager delivers authentication and authorization services for multi-domain applications operating in SOA environments. It supports the access needs of users from other domains of the enterprise and known users from outside of the corporate perimeter, such as external customers or business partners.

Evidian Access Collector

Evidian Access Collector brings together existing access policies and user accounts. It records and stores them in an LDAP directory, and uses the data to build a complete operational picture of which users have access to each of the organization’s systems and which accounts are actively being used to provide that access.

Evidian Data Privacy

Evidian Data Privacy deals with access protection at file level. It is made up of two separately licensable components: Evidian Laptop Protection (for the protection of files on a PC) and Evidian File Encryption (for the protection of files exchanged between groups of users over a network).


[Figure 2: Evidian Access Management Architecture. Source: Evidian. Diagram labels: Security Middleware, E-SSO, Audit, WAM, Mobile E-SSO, Strong Authentication, SecureAccess; flows labelled Authenticate and retrieve policies, Perform SSO and Access WG data.]

SOLUTION ANALYSIS

Authentication

Organizations need to be concerned about the strength and quality of the authentication components that their IAM suppliers are able to support. Evidian controls how users are allowed to access their computer systems and data through the use of strong authentication techniques, password management, and authenticated usage monitoring. It uses authentication methods that are most appropriate to organizations and their users. This can range from simple passwords, which remain useful in the right environments, through to OTP tokens, smartcards, and biometrics on corporate PCs with remote access connectivity and SSO requirements.

Enterprise and web SSO

Clean access and usability are key issues for all system users. Once a user’s credentials have been accepted and access is allowed, it is important to be able to move between applications without hindrance, while retaining the right levels of security and access control. Evidian Enterprise SSO provides mature and scalable SSO facilities with a proven track record. It combines ease-of-use with the organization’s need to comply with regulatory demands and security policies. Evidian Web Access Manager delivers the solution’s web SSO capabilities.

Provisioning and role management

Some of the most neglected areas of IAM include elements of provisioning and role management. Poor management and lax maintenance have led to situations in which organizations have lost control over their users. Evidian’s user provisioning and role management facilities address these issues by controlling and automating the delivery of access rights and associated services. Its approach helps with compliance, as access procedures are formalized and enforced from a single manageable source. Auditors can also check that the deployed services are effective and appropriate. For the business, the requirement involves ensuring that users are provisioned with the access facilities they need to fulfill their operational roles, while restricting access to sensitive data. Evidian ensures that each employee’s provisioned rights are controlled by their role within the organization, place of work and responsibilities, so their access matches real-world roles. It also addresses the need for automated de-provisioning services that match the organization’s access policies.

Password management

Although often talked about as the weakest link of IAM, password management remains a cornerstone activity. The term covers anything from simple-to-discover fixed passwords through to well-structured, frequently updated password management infrastructures, which can be fully integrated with other core IAM components including SSO, role management and associated helpdesk services. Within Evidian IAM, password management is supported by a relevant and responsive set of facilities that includes strong password-based authentication techniques. Taking into account the need for good working practices and to comply with an organization’s security policies, Evidian’s approach to password management also recognizes the ease-of-access demands of the whole user community. Its business continuity approach supports always-online user access demands, and even allows users who forget their authentication tokens to be given temporary and controlled password access.

Access control

Access control manages which systems authorized users can get access to, when that access is allowed, and what they can do once they are there. For many organizations, one of the most complex tasks is maintaining the right levels of control over their system users. This is an ongoing activity that has to be properly enforced from the beginning if it is to be effective. Evidian recognizes that a common issue in IAM projects is the need to efficiently collect existing access policies and user accounts. It speeds up the collection phase using a combination of its access management and enterprise SSO products. User access is continuously analyzed and, over an appropriate time frame, Access Collector builds a complete view of who has access to what systems and which accounts are being used. This information forms the basis on which role-based management can be deployed. The product’s reconciliation engine is then available to maintain control over any differences between the policies in place and live usage.
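The collect-then-reconcile loop that the Policy Manager, User Provisioning and Access Collector descriptions share (derive expected entitlements from roles, collect the live account state, report the differences and the orphan or inactive accounts) can be shown concretely. The Python block below is an added example written for this report; it is not Evidian code and does not use the product’s data model. The role policy, identity repository and collector records are constructed sample data with hypothetical system and user names, and the 90-day inactivity threshold is an assumed value.

```python
from collections import defaultdict

# Constructed sample policy: role -> system -> privileges granted (hypothetical names).
ROLE_POLICY = {
    "trader": {"trading-app": {"read", "execute"}, "mail": {"use"}},
    "back-office": {"ledger": {"read", "write"}, "mail": {"use"}},
}

# Constructed identity repository: user -> roles currently assigned.
USER_ROLES = {
    "alice": {"trader"},
    "bob": {"back-office"},
    "carol": {"trader", "back-office"},
}

# Constructed collector output: one record per live account on a target system.
# "owner" is the identity the collector mapped the account to (None if unmapped).
LIVE_ACCOUNTS = [
    {"system": "trading-app", "account": "alice", "owner": "alice",
     "privileges": {"read", "execute", "admin"}, "last_login_days": 3},
    {"system": "mail", "account": "alice", "owner": "alice",
     "privileges": {"use"}, "last_login_days": 1},
    {"system": "ledger", "account": "bob", "owner": "bob",
     "privileges": {"read"}, "last_login_days": 7},
    {"system": "mail", "account": "bob", "owner": "bob",
     "privileges": {"use"}, "last_login_days": 200},
    {"system": "trading-app", "account": "carol", "owner": "carol",
     "privileges": {"read", "execute"}, "last_login_days": 2},
    {"system": "ledger", "account": "carol", "owner": "carol",
     "privileges": {"read", "write"}, "last_login_days": 5},
    {"system": "ledger", "account": "svc_old", "owner": "dave",
     "privileges": {"read", "write"}, "last_login_days": 400},
    {"system": "trading-app", "account": "temp01", "owner": None,
     "privileges": {"read"}, "last_login_days": 30},
]


def expected_entitlements(role_policy, user_roles):
    """Expand each user's roles into the (system, privilege) pairs policy grants."""
    expected = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            for system, privs in role_policy.get(role, {}).items():
                for priv in privs:
                    expected[user].add((system, priv))
    return expected


def reconcile(role_policy, user_roles, live_accounts, inactive_after_days=90):
    """Compare policy-derived entitlements with the collected live account state.

    Returns sorted lists so the report is deterministic:
      missing  - (user, system, privilege) granted by policy but absent on the system
      excess   - (user, system, privilege) present on the system but not granted by policy
      orphan   - (system, account) with no owner in the identity repository
      inactive - (system, account) not used within inactive_after_days (assumed threshold)
    """
    expected = expected_entitlements(role_policy, user_roles)
    actual = defaultdict(set)
    orphan, inactive = [], []
    for rec in live_accounts:
        key = (rec["system"], rec["account"])
        if rec["last_login_days"] > inactive_after_days:
            inactive.append(key)
        owner = rec["owner"]
        if owner not in user_roles:          # unmapped, or mapped to a departed identity
            orphan.append(key)
            continue
        for priv in rec["privileges"]:
            actual[owner].add((rec["system"], priv))
    missing, excess = [], []
    for user in user_roles:
        for system, priv in expected[user] - actual[user]:
            missing.append((user, system, priv))
        for system, priv in actual[user] - expected[user]:
            excess.append((user, system, priv))
    return {
        "missing": sorted(missing),
        "excess": sorted(excess),
        "orphan": sorted(orphan),
        "inactive": sorted(inactive),
    }


if __name__ == "__main__":
    report = reconcile(ROLE_POLICY, USER_ROLES, LIVE_ACCOUNTS)
    for finding, items in report.items():
        print(finding)
        for item in items:
            print("  ", item)
```

Running the block prints four finding lists. The "missing" findings are what a provisioning run would create, the "excess" and "orphan" findings are what an approval workflow would route for removal or re-assignment, and the "inactive" accounts are candidates for a certification review; together they are the corrective-action step the text describes, and the orphan check is the reason the collector has to record which identity, if any, owns each account.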


FIM

As business requirements extend beyond corporate boundaries, the requirement to share information and maintain control over who has access to that information brings with it the need for FIM. Supply chain demands for instant information access and business partner and internal inter-departmental requirements to collaborate on projects all require the sharing of information. Evidian provides facilities that support interoperability across federated communities. It offers SAML-based identity credentials and makes use of the product’s access management functionality to support the approach. Evidian also takes a very pragmatic stance on FIM. It believes there is no need for complex inter-company integration, and that internal and external projects that require federated collaboration should be controlled through local arrangements.

PRODUCT STRATEGY

Evidian provides a horizontal IAM offering that is applicable to most markets. The company has an established presence across many industries, and is particularly strong in EMEA. However, in areas such as North America, its products are less known. At present, Evidian is focusing its attention on two areas in particular: government organizations, addressing public sector requirements in general and healthcare in particular; and working with financial institutions, focusing on the provision of value-added services, such as authentication management, that meet the needs of trading rooms or remote branch operations.

In addition to Evidian’s continuing efforts to sustain and grow its core markets (organizations with 5,000–100,000 users), the company is developing packaged IAM products for the SME community (500–5,000 users). The first offering was launched as a Ready-To-Go SSO edition of access management, and further packages are expected during 2010 and 2011. Market-focused versions are also being introduced. An example of this is its IAM suite for healthcare, which will include workflows and provisioning connectors specific to the healthcare environment. Further industry releases are planned for retail stores, regional communities, and SMEs.

The company has also seen an increase in demand for global reinforcement and management of user access controls in the extended enterprise, and recognizes that to achieve these objectives, it needs fully featured access management facilities. Therefore, it is providing secure web and enterprise SSO facilities for users of core applications, regardless of their origins, which could include access requests from diverse sources such as corporate PCs, cyber cafes and personal devices.

ROI is realized through enhanced security, automation, and productivity improvements, which are enabled through the use of the Evidian IAM suite. A primary ROI driver is helpdesk call rate reduction, as most helpdesk overheads involve requests for password resets. Evidian provides self-service reset facilities, substantially reducing the need for helpdesk intervention.

The route to market for Evidian in EMEA is mainly direct or through its parent organization, Bull, for sales into the public sector or opportunities in Eastern Europe and Africa. The company also makes use of other partner channels. In North America, it has an OEM agreement with Quest Software, while in Asia its main OEM partner is NEC Computers. In addition, Microsoft frequently recommends the Evidian Enterprise Single Sign-On (ESSO) solution in EMEA. Other technology partners include Oracle, Microsoft, Gemalto, RSA, HID, Precise Biometrics, Upek, AuthenTec, and BIO-key.

Evidian’s product release strategy involves one major release and one minor release per year. Its licensing is perpetual on a per-user basis. Contract values depend on the number of users as well as the number of modules within the IAM stack that are being licensed. A typical entry-level small SSO project costs about €40,000, with a 70/30 split between software and services. Average-sized projects, including full access management and dedicated customer deployment, cost around €400,000, with the same 70/30 split between software and services. The largest projects, which deliver full IAM deployments and have a 50/50 cost split, come in at around €1m.

Evidian is a Bull Group company and was established as a corporate subsidiary in July 2000. Bull is an international group that specializes in designing secure IT infrastructure.


IMPLEMENTATION

IAM implementations tend to be highly technical, resource-hungry operations. Timescales vary depending on project complexity and overall requirements. Evidian took these issues on board and came up with an approach that allows simple SSO deployments to be completed in days, rather than weeks. Taking in the bigger picture, access management deployments can be completed in about 10 days for a pilot project, 20 days for a 30-user departmental deployment, and around 30 days for a 500-user enterprise deployment. Typical skills required will include knowledge of directories and applications. For full IAM projects, the average timescales increase to 20 days for a pilot project, 40 days for a 30-user departmental deployment and 50 days for a 500-user enterprise deployment. For full IAM deployments, the required skills are more extensive, covering directory and database skills (provisioning connectors) and web page design (workflows).

Evidian’s total customer base includes more than 600 organizations, with over 450 using its IAM product set (77 of which were new additions during 2009). To support all implementation requirements, Evidian provides:

• A range of professional services that cover architecture and deployment approaches.

• IAM integration expertise in the key areas of strong authentication techniques, including the integration and validation of non-standard smartcards and specifications for setting up biometric and radio-frequency identification (RFID) operations.

• Installation skills that cover high-availability set-up and clustering operations, and verification with selected directory infrastructures.

• Testing and performance-setting skills.

• Development and integration of customer-specific or third party components and procedures, including the use of custom migration tools.

A range of on- and off-site training courses is available to cover simple access management training, as well as training for global IAM projects.

Technical support for the solution is available on three levels. Standard support provides callback within a four-hour time frame and is charged at 19% of the contract price. Extended support provides callback within a two-hour time frame and is charged at 28%. Personalized support is designed to fit each customer organization’s specific needs (charge rates are governed by the specified requirement). Each offering covers product usage issues, the identification of problems and available solutions, answers to new problems, supported release issues, and new fixes. Round-the-clock access to the company’s support website is also available.

Platforms supported include Microsoft Windows, Red Hat Linux, Suse Linux, Sun Solaris (versions 8, 9, and 10), and IBM AIX (versions 5 and 6).

DEPLOYMENT EXAMPLES

A leading energy company with over 110,000 employees and operations in more than 130 countries selected Evidian Enterprise SSO and Evidian Web Access Manager to simplify and secure its password management systems and improve access to applications using secure smartcard authentication. The aim of the project is to improve usability and security through the rigorous engagement of user identification and strong access controls that link to validated user profiles, audits, and alarms. A further target is to reduce support costs associated with the management of passwords. Successes achieved include 24/7 access to IT systems, scalability across international branches from an enterprise-wide deployment to 70,000 PCs, and improved security that protects access and audit information.

A leading banking services provider with over 3,000 branches and more than 9.5 million individual customers chose Evidian to provide its Enterprise SSO, Windows and multifactor authentication services, self-service password reset facilities, kiosk, mobile ESSO, and group reporting services for all its corporate, retail, and international banking activities. A further innovative “cluster mode” project is currently in its pilot phase in the company’s trading rooms.


A leading provider of technology solutions to the travel industry selected Evidian’s identity management, user provisioning and access management products to manage and protect its Intranet and Extranet applications. It also implemented Evidian Enterprise SSO and Evidian Web Access Manager. The product set is used by over 8,500 staff across several countries, with Evidian SSO providing transparent SSO access to all applications. The range of operational systems supported includes Windows, Web, Unix, Lotus Notes, and IBM mainframes via 5250 and 3270 emulation.

Bull Evidian
Rue Jean Jaures
BP 68
78340 Les Clayes-sous-Bois
France
Tel: +33 (0)1 30 80 70 00
Fax: +33 (0)1 30 80 73 73
www.evidian.com

Bull Evidian
Concorde House
Trinity Park
Solihull, Birmingham
B37 7UQ, UK
Tel: +44 (0)870 2400040
Fax: +44 (0)121 6355691
www.evidian.co.uk

E-mail: [email protected]


HITACHI:

Hitachi-ID Portfolio


CATALYST

Identity and access management solutions enable user access rights to corporate systems to be managed efficiently and securely. Hitachi’s ID portfolio has some important differentiating features:

• Hitachi has adopted a practical approach to role and group management that allows these functions to be used only where they are helpful. It regularly reviews access rights to remove obsolete entitlements.

• Password synchronization enables access to most applications and delivers the productivity benefits of an SSO product without the complexity of maintaining tables of passwords for each user.

• Reduces the helpdesk and administrative burden through a good range of self-service features, including interactive voice response.

KEY FINDINGS

OVUM VIEW

The IAM function faces a number of challenges. Most large enterprises have deployed many packaged and homegrown applications that have their own access management components (with their own role definition and entitlements), and possibly an overarching provisioning system.

Traditionally, access permissions are managed in a corporate LDAP directory, such as AD. Systems of Group Policy Objects have become very complex. Most access requests are managed using an ad hoc system of emails to supervisors and administrators. In the absence of an easily understandable record of entitlements, an out-of-date and insecure entitlements situation is almost inevitable. Together with the proliferation of passwords that users have to remember for the applications they use, this leads to the service desk team being inundated with access requests and password reset requests. Over and beyond these familiar access management and governance challenges are areas where legacy technology has been inadequate. One such area is controlling access by users with administrator privileges. To summarize, the typical IT organization has many IAM challenges to address, and the problem cannot be ignored because of numerous regulations.


CHAPTER 7: HITACHI – HITACHI-ID PORTFOLIO 165

TECHNOLOGY AUDIT

Strengths: • The password synchronization approach gives a simple and secure access management mechanism.

• Integrates with a broad spectrum of target applications, platforms and service desk tools.

• Automates the access certification and request management process.

Weaknesses: • Risk-based reporting of existing access rights would have been useful.

• Greater focus on defining user groups would be welcome.

Key Facts: • Provides phone- and kiosk-based self-service password reset options for lock-out situations.

Predictably, the vendor community has come up with a number of approaches to address these problems. One of the approaches is SSO, which enables users to access a number of applications using one set of credentials. Users authenticate to the SSO module, which stores the credentials for all target applications, and the SSO module authenticates the user to the target applications. A more recent, and complementary, approach is seen in identity governance solutions that model roles and assign access rights to these roles for accessing applications (linking the business object “role” with target application-specific definitions). In addition, they provide workflows that automate access requests and access certification processes, provide the infrastructure for analyzing the existing access rights situation, and give risk-based reporting for compliance purposes.

While these approaches go a long way toward addressing access management issues, the technologies also bring a new set of problems. For example, the role management capabilities within the identity governance solutions, while very useful, require large upfront investments in time and effort. Every IAM solution operates using a mix of top-down (role definition based) and bottom-up (access request driven) mechanisms. Some of the current approaches to rationalizing the access management environment go further toward top-down strategy than most client organizations find convenient. SSO also requires considerable initial investment to integrate the platforms and applications that it is required to control.

The Hitachi-ID portfolio offers solutions that are appropriate for most large enterprises. Its password synchronization technology, together with its ability to integrate with most common enterprise applications (which enables rapid deployment), enables the user to access most applications with a single password. In addition, access rights are largely granted through user requests for access and periodic access reviews. Even the task of building an accurate representation of how the organization is structured has been shifted, intelligently, to business managers. Hitachi-ID supports a hierarchical reporting model that can be imported from some human resources tools, and allows other “dotted” reporting lines to be recorded. Supervisors regularly review their list of subordinates. The main drawback with this model is that it does not recognize the situation in which employees report to different managers when performing different roles.

Hitachi also has a realistic view of how the concept of a “role” can be used to define access rights. It allows roles to be used where several users have similar requirements, but it does not force administrators to define roles for users who have unique requirements. Some other tools force administrators into situations where they have to define more roles than they have users. Hitachi, however, allows a more ad-hoc approach that reduces the effort required to get the identity management system operative. It also provides an RBAC enforcement engine that identifies discrepancies between user permissions and their roles (where appropriate).

Ovum believes that Hitachi-ID’s focus on reducing the administrative and helpdesk burden and the company’s focus on bottom-up IAM reflect the way in which organizations operate.

Recommendations

• An organization that has a legacy or homegrown IAM system should consider the Hitachi-ID suite. Typically, this system would use application-specific links, and paper, email, and service management platform-based ad hoc processes.

• Organizations that need to satisfy regulatory compliance and where access controls are not in alignment with current accountability requirements should evaluate Hitachi-ID. One particular area of concern that Hitachi-ID addresses well is privileged access for administrators.

• Enterprises that are facing a massive and (usually) forced review of the access management environment due to a merger or acquisition event would benefit from a solution of this nature. Typically, such organizations would require an access management solution that supports key processes such as provisioning, certification, and access request management at a level abstracted from individual applications and technologies.

IDENTITY AND ACCESS MANAGEMENT 2011/12 166

Figure 1: Hitachi-ID Management Suite network architecture (Source: Hitachi-ID). The diagram shows internal and Internet users reaching the Hitachi ID application server(s), optionally through a reverse web proxy and Hitachi ID proxy server(s), with firewalls between the zones; supporting components (IVR server, load balancer, SMTP or Notes mail, helpdesk ticketing system, authoritative system of record, password synchronization trigger systems); and target systems with a local agent (OS/390, Unix, older RSA) or a remote agent (AD, SQL, SAP, Notes, etc.), connected over TCP/IP + AES, various protocols, or a secure native protocol.

SOLUTION OVERVIEW

The Hitachi IAM portfolio comprises two broad categories of solution, namely the user provisioning and access management tools, and the password management tools. Figure 1 provides an illustration of how Hitachi-ID’s solutions work.

• Identity Manager – this is the core identity management product. It manages profiles (the record of a user and their access rights entitlements) and propagates these entitlements and any changes to the components handling provisioning and access management for the target applications. Other important aspects of identity management, such as automating requests for changes to entitlements and access rights reporting, are also handled by Identity Manager. Identity Manager uses the organization structure diagram to refer access requests to the appropriate business manager, rather than directing them to the IT administrator. Identity Manager also provides compliance-oriented features such as enforcing segregation of duties rules for both business users and privileged user accounts.

• Access Certifier – this product periodically reviews the access rights of all users, and invites application owners, group owners, and managers to flag inappropriate privileges for de-activation.

• Password Manager – synchronizes passwords so that a user has the same password for most of the corporate applications and systems (generally without agents installed on the target application). It combines the password rules from all platforms to ensure that the chosen password satisfies them all. Hitachi-ID can connect to most common enterprise applications, operating systems and network resources. Changes to any one password can trigger a password synchronization task across all systems. The Password Manager module also offers self-service management of other credentials for authentication, such as pre-defined “challenge-response” questions, hardware OTP tokens, smart cards, biometric samples (principally voice prints), and PKI certificates. The module also provides self-service password resets and enforces regular password changes through email reminders and by blocking access to applications until the password is changed.

• Group Manager – enables self-service management and more efficient usage of AD groups. All groups defined within the AD can be modeled with the Group Manager module and the group managers are defined for each group. Group membership requests, which are typically made when the user is trying to access shared network folders, are routed through this module to the AD group owners to review and approve or reject. The Group Manager module is aimed primarily at reducing the system administrator’s workload by resolving requests in the business context.

• Privileged Password Manager – Hitachi-ID eliminates the need for individuals to know the passwords to privileged accounts on systems and applications. Instead, passwords to privileged IDs are randomized frequently (for example, every day) and stored in an encrypted and replicated secure vault. People and software agents have to log in to the managed systems through Privileged Password Manager to get connected with administrator rights. Privileged Password Manager will normally require them to log into it, providing strong authentication. Users can be given continuous administrator access, or access on a once-only basis. Today, Hitachi-ID logs the occurrence of all privileged sessions but not what is done in each session. The next release will include video recordings of these sessions.

• Login Manager – a program installed on the user’s desktop that auto-populates dialogue boxes and forms with login IDs and passwords. The Login Manager captures the network login and password at the start of a user session so that they can be used to log in to other platforms and applications during the session. This results in fewer login IDs and passwords for the user to type.

• Org Manager – this module is used to build an organizational chart, with supervisors updating the list of their direct reports. Dotted line relationships can be documented for horizontal reporting relationships, but these are not used by the tool. Identity Manager can use these data to determine who needs to authorize an access request. Access Certifier can use it to assign the task of reviewing user access rights. All Hitachi-ID products can use these data to route change requests for authorization and to escalate requests from non-responsive approvers to their managers.

• Telephone Password Manager – addresses a common problem that adds considerably to the helpdesk team’s and IT administrator’s workload. Users who forget their passwords can reset them through a telephony-based interactive voice response (IVR) process. The IVR workflow can authenticate users using questions and answers captured at the time of enrollment, voice print authentication, or a hardware token. A password reset executed through Telephone Password Manager is processed by Password Manager, changing the password on one or more applications.

CHAPTER 7: HITACHI – HITACHI-ID PORTFOLIO 167

SOLUTION ANALYSIS

Enterprise and web SSO

The Hitachi-ID portfolio includes enterprise SSO (using Login Manager) but not web SSO functionality. Instead, it provides a single password to multiple applications through a password synchronization mechanism. The password to the user’s desktop is set as the password for all the applications the user needs to access that are integrated with Hitachi-ID. A password change for any of the applications triggers a password change for all other components. Applications have varying password rules in terms of complexity and size. Hitachi-ID requires the user to give a new password that complies with all of these rules.

User provisioning and role management

A variety of automated and approval-driven user provisioning mechanisms is provided. Hitachi-ID relies more on user-requested and supervisor-requested approaches than on formal roles. The Identity Manager module is the core solution for user provisioning. The module monitors changes to system records that relate to target applications, and when a change relevant to the user’s role and entitlement is detected, the information is routed to the target system, triggering an entitlement change. Such a change may also trigger an approval workflow, possibly subject to segregation of duties policy compliance.

Provisioning access to users, changing entitlements and de-provisioning are all supported through workflows, and requests can be initiated by the users themselves or by supervisors (or others in positions of authority). The request workflow systems support approval by consensus and escalation procedures.


Hitachi-ID sticks to its characteristic bottom-up focus on role definitions. The Hitachi-ID Org Manager can extract role information (reporting relationships) from existing directories and enterprise applications, and it enriches and updates this by sending out invitations to managers to update the list of their direct reports. The manager can identify employees who have left the organization and notify changes in the reporting structure.
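As an added example (not Hitachi-ID code) of the routing the report attributes to Org Manager and Identity Manager, the following Python resolves an approver from the requester’s solid reporting line and escalates to the approver’s own manager once an approval window lapses; the org chart, the timings and the cycle check are constructed assumptions, and dotted lines are recorded but, as the report notes, not used for routing.

```python
"""Approval routing over a reporting hierarchy with escalation.

Added illustration, not Hitachi-ID code: it models the behaviour the report
describes, where an access request goes to the requester's manager and, if
that approver does not respond, escalates to the approver's own manager.
The org chart, response data and timeout values are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Person:
    uid: str
    manager: Optional[str] = None               # solid reporting line, used for routing
    dotted: list = field(default_factory=list)  # dotted-line relationships, recorded only


class OrgChart:
    def __init__(self, people):
        self.people = {p.uid: p for p in people}

    def manager_of(self, uid):
        return self.people[uid].manager

    def approval_chain(self, requester):
        """Approvers in escalation order: manager, manager's manager, ... up to the top.
        Imported org data can be inconsistent, so a reporting cycle raises instead of looping."""
        chain, seen, cur = [], {requester}, self.manager_of(requester)
        while cur is not None:
            if cur in seen:
                raise ValueError(f"reporting cycle detected at {cur}")
            seen.add(cur)
            chain.append(cur)
            cur = self.manager_of(cur)
        return chain


def route_request(chart, requester, responded, timeout_hours, hours_elapsed):
    """Decide who currently holds a request and its status.

    responded: {approver_uid: "approve" | "reject"}; a missing key means no response yet.
    Each approver in the chain gets one timeout window before the request escalates.
    Returns (status, approver, escalation_count).
    """
    chain = chart.approval_chain(requester)
    if not chain:
        return ("no-approver", None, 0)      # requester has no manager (top of the chart)
    for hop, approver in enumerate(chain):
        decision = responded.get(approver)
        if decision is not None:
            return (decision, approver, hop)
        # escalate only after this approver's window has lapsed
        if hours_elapsed < (hop + 1) * timeout_hours:
            return ("pending", approver, hop)
    return ("exhausted", chain[-1], len(chain) - 1)   # nobody answered, top reached


# Constructed sample org chart (not a real organization).
PEOPLE = [
    Person("ceo"),
    Person("cto", manager="ceo"),
    Person("proj_lead", manager="cto"),
    Person("dev_mgr", manager="cto"),
    Person("alice", manager="dev_mgr", dotted=["proj_lead"]),
]

if __name__ == "__main__":
    chart = OrgChart(PEOPLE)
    print("chain for alice:", chart.approval_chain("alice"))
    print(route_request(chart, "alice", {}, timeout_hours=48, hours_elapsed=10))
    print(route_request(chart, "alice", {}, timeout_hours=48, hours_elapsed=60))
    print(route_request(chart, "alice", {"cto": "approve"}, timeout_hours=48, hours_elapsed=60))
```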

Password management

The password management capability comprises password synchronization, enforcement of password length and complexity, password history management (regarding rules for re-use), enforcement of expiration rules (there are about 50 such rules), and self-service password resets. This can be done from a web browser, from the desktop login screen, or using the telephone with an IVR application. The self-service password reset process can use strong authentication techniques such as hardware tokens, biometric authentication and challenge-response, using questions and answers defined at the time of enrollment. This question/answer system can accommodate inexact matches, down to the level of “sounds like”. In addition to self-service password resets, Hitachi-ID, through its integration with helpdesk applications, eases the process of creating a helpdesk ticket, resetting the password, and closing the helpdesk ticket.
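As an added illustration (not Hitachi-ID code), the following Python models the rule described for Password Manager and in the Enterprise and web SSO section: a synchronized password must satisfy the length, complexity and history rules of every target at once. The target names and rule values are constructed, and the check for a combination of rules that no password can satisfy is an addition the report does not describe.

```python
"""Composite password policy check across synchronized targets.

Added example, not Hitachi-ID code. Each target system has its own rules;
the synchronized password must pass all of them, so the effective policy
is the strictest combination. System names and rule values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    """One system's rules: length bounds, required character classes, history depth."""
    name: str
    min_len: int
    max_len: int
    classes: frozenset = frozenset()   # subset of {"lower", "upper", "digit", "symbol"}
    history: int = 0                   # how many previous passwords may not be reused


CLASS_TESTS = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "symbol": lambda ch: not ch.isalnum(),
}


def present_classes(pw: str) -> set:
    """Character classes that occur at least once in pw."""
    return {name for name, test in CLASS_TESTS.items() if any(test(ch) for ch in pw)}


def violations(pw: str, rules: PasswordRules, previous: list) -> list:
    """Reasons why pw fails one system's rules; an empty list means it passes."""
    problems = []
    if len(pw) < rules.min_len:
        problems.append(f"{rules.name}: shorter than {rules.min_len}")
    if len(pw) > rules.max_len:
        problems.append(f"{rules.name}: longer than {rules.max_len}")
    missing = rules.classes - present_classes(pw)
    if missing:
        problems.append(f"{rules.name}: missing {sorted(missing)}")
    # previous[0] is the most recent old password
    if rules.history and pw in previous[:rules.history]:
        problems.append(f"{rules.name}: reused within last {rules.history}")
    return problems


def composite_rules(systems: list) -> PasswordRules:
    """Fold all systems' rules into the single policy a synchronized password must meet.

    Raises ValueError when the rules cannot all hold at once, e.g. one system's
    maximum length is below another system's minimum (a constructed edge case).
    """
    combined = PasswordRules(
        name="composite",
        min_len=max(s.min_len for s in systems),
        max_len=min(s.max_len for s in systems),
        classes=frozenset().union(*(s.classes for s in systems)),
        history=max(s.history for s in systems),
    )
    if combined.min_len > combined.max_len:
        raise ValueError(
            f"no password can satisfy all systems: min {combined.min_len} > max {combined.max_len}")
    return combined


def check_sync_candidate(pw: str, systems: list, previous: list) -> dict:
    """Map each system name to its violations; all empty means pw can be pushed everywhere."""
    return {s.name: violations(pw, s, previous) for s in systems}


# Constructed sample: three targets with deliberately different rules.
SYSTEMS = [
    PasswordRules("AD", min_len=8, max_len=127,
                  classes=frozenset({"lower", "upper", "digit"}), history=24),
    PasswordRules("RACF", min_len=8, max_len=8),       # fixed-length legacy rule
    PasswordRules("SAP", min_len=6, max_len=40,
                  classes=frozenset({"digit", "symbol"}), history=5),
]
HISTORY = ["Winter24!", "Autumn23!"]   # constructed old passwords, most recent first

if __name__ == "__main__":
    policy = composite_rules(SYSTEMS)
    print(f"composite: {policy.min_len}-{policy.max_len} chars, classes {sorted(policy.classes)}")
    for candidate in ("Sp3ing!A", "Spring2025!x", "Winter24!"):
        result = check_sync_candidate(candidate, SYSTEMS, HISTORY)
        ok = all(not v for v in result.values())
        print(candidate, "OK" if ok else result)
```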

An important aspect of password synchronization is the reconciliation of login IDs. Reconciliation involves associating multiple login IDs with a single network login ID, and associating this login ID with a single individual. This is accomplished through a combination of directory look-ups to find login IDs associated with a user and the client software Login Manager listening in for additional logins. In addition, a question and answer system configured at the time of enrollment, and validated at the time of password resets, helps connect a login ID with an individual defined in an organization chart. This helps address the confusion that arises between employees with the same name.

As mentioned earlier in this report, the portfolio also comprises privileged password management.

Access control

Two important capabilities merit special mention; namely, access certification workflow and network resource access management. The access certification feature enforces regular reviews of user access rights by application owners, supervisors and group owners. The network resource access management feature allows client organizations to model AD groups and assign owners to these groups. When users request access to shared folders, network drives and email distribution lists, the request is automatically routed to the group owner, taking a major part of group management off the service desk team’s plate. In operational terms, when a user requests access to a network resource and receives an “access denied” message, the user is prompted with information about which group has access to the resource. The user can then request that they be made a member of the group.

Maturity

The Hitachi-ID unit and the tools in its portfolio have a long history. The unit was founded in 1992, and the company has an installed base of 800 client organizations and 10 million licensed users. The company counts some of the largest companies in the world, such as AT&T, as its clients, and has some of the largest IAM deployment sites. The Identity Manager solution has 3.5 million lines of code and the Management Suite is currently on version 6.1.2.

Integration and interoperability

The Hitachi-ID suite integrates with an impressive series of enterprise applications, operating systems, directories, messaging systems, server platforms and service desk/helpdesk systems. Some of these solutions are AD and eDirectory (and any other LDAP directory), Linux, Solaris, HP-UX and IBM products, ranging from Resource Access Control Facility (RACF) and AIX to Lotus Notes, Oracle databases and applications, PeopleSoft, SAP R/3 and Business Objects, and MS Exchange. Hitachi-ID can work with an unknown application, such as a homegrown application, using custom scripts developed with an included scripting program. There are a number of approaches for providing custom integrations (Hitachi-ID provides custom integration at fixed prices), including APIs (J2EE, .NET, COM, ActiveX, MQ Series), terminal emulation, web services, command line and Structured Query Language (SQL).


PRODUCT STRATEGY

Hitachi’s target market is not limited to particular vertical sectors. The Hitachi-ID portfolio is aimed at companies with over 10,000 employees, and the installed base ranges from 300 to 350,000 internal users and up to 10 million external users. Client organizations are typically companies in the Fortune 2000 range and non-profit and government agencies of a similar scale. In terms of the geographical distribution of clients, North America accounts for 80% of the installed base, while Europe and the rest of the world account for 15% and 5%, respectively. Hitachi has a direct presence in the US market, while in other geographies, the company works through partners. The company targets global organizations through its managed services provider (MSP) partners. For all market segments, Hitachi partners with systems integrators as well. The list of MSP and systems integration (SI) partners includes CSC, Capgemini, CompuCom, Dell, HP Enterprise Services (formerly EDS), Hitachi JoHo (Japan), IBM Global Services, Northrop Grumman, Perot Systems, Siemens Business Services, T-Systems, Wipro, and Xerox. Hitachi-ID has 43 consultants of its own around the world, while it also works with Hitachi Consulting, and partners with KPMG.

Hitachi-ID products are licensed by number of users (but not named users), and the Privileged Password Manager is licensed by the number of administrator IDs. In terms of average deal sizes, the following list shows a few representative deals:

• Password Manager – 10,000 users; $140,000 in deal size; 85% license, 15% services; password synchronization, assisted lockouts, and mobile users.

• Password Manager and Identity Manager – 10,000 users; $500,000 in project value; 55% license and 45% services; auto on-boarding and deactivation, self-service user profile updates and access change requests.

• Privileged Password Manager – 3,000 managed IDs; $75,000 in project value; 50% license and 50% services.

Support is priced at 20% of the licensing costs, and the maintenance package includes 17 hours per day (3am to 8pm, Eastern Time) and five days a week technical support via email, phone and VPN. Upgrades are bundled into the support package. In addition, client organizations can get access to 24/7 emergency support for an extra 5% of licensing costs.

The release cycle comprises a maintenance release every one to three months, a minor upgrade (such as a graphical user interface (GUI) change) every six to eight months, and a major release every 18 to 24 months.

Hitachi-ID believes that growth will be driven by new technologies and trends (such as full disk encryption, smart cards and mobile workers) that are likely to increase the volume of password management issues. The company reports that privileged password management has been a growth area in the recent past, with every major customer implementing the technology.

The Hitachi-ID roadmap is comprehensive, and a number of interesting features are in the pipeline. The list of medium- and long-term development plans includes a workflow to create new and delete unnecessary groups, periodic certification of role definitions, a workflow that asks managers to identify clusters of direct reports who perform a similar job function, and the ability to add attributes such as risk scores to target applications. Major improvements are also on the cards for the privileged password management module, such as full session recording (currently only the entry and exit time are recorded). Hitachi is working to bolster its role management capability, and enhance its password management module.

IMPLEMENTATION

As would be expected for an identity management suite, implementation requires significant resources, but Hitachi has simplified the task; for example, by removing the requirement for a comprehensive role model. The following list details a few representative implementation cases and their resource requirements:

• Password Manager to reset and synchronize passwords across 10 systems for 50,000 users: 20 billable days and eight weeks of elapsed time, 0.5 resources for one to two months, and 0.25 ongoing.


• Identity Manager to auto-provision and auto-deactivate users on AD, Exchange, RACF and one or two enterprise applications, based on an HR data feed across 100 locations, 50 departments and 50,000 users: 60 billable days, 16 weeks of elapsed time, and one resource for six months, and 0.5 ongoing.

• Privileged Password Manager to randomize and control disclosure of privileged passwords across 1,000 Unix, Linux, Windows and Oracle servers and 10,000 workstations: 20 billable days and six weeks of elapsed time; one resource for three months, and 0.5 resource ongoing.

• Group Manager to push management of membership in AD groups out of the realm of IT support and into the self-service regime across one global AD domain, 10,000 users, 5,000 groups, 500 file servers, and 2,000 shares: 15 billable days and four weeks of elapsed time, one resource for between one and two months, and 0.25 ongoing.

• Access Certifier to invite managers to periodically review a list of their subordinates and their access rights, and flag old entitlements for cleanup across one AD domain, one SAP production system and one RACF production system. No roles were defined, and organizational chart data were available but incomplete and inaccurate; 10,000 users/1,000 managers: 60 billable days and 20 weeks of elapsed time; one resource for six months, and 0.75 ongoing.

Hitachi-ID runs on Windows Server 2003 and 2008. The products in the Hitachi-ID portfolio integrate with a wide range of systems and applications. CA SiteMinder, IBM Tivoli IAM, Oracle AM, RSA Access Manager in the web SSO category, SAP, Oracle and Business Objects in the enterprise applications and business intelligence category, and z/OS and iSeries are some of the applications and platforms that have not already been mentioned in this Technology Audit.

DEPLOYMENT EXAMPLES

ATCO

ATCO (a construction and industrial conglomerate) deployed Hitachi-ID products for auto-provisioning, auto-deprovisioning, security group management, entitlement cleanup, password synchronization and password resets for about 11,000 users. The project spanned multiple phases beginning with password management, and moved on to a staged implementation of consolidated security administration, automation for on-boarding and deactivating users, and a self-service workflow for profile updates and entitlement change requests. The entire project took about a year.

Wells Fargo

Wells Fargo bank implemented self-service password resets and routine password management for about 350,000 users, involving access to AD, many target applications, and login screens. The project took less than three months, and according to Hitachi-ID, reduced IT support costs by $4m.

Intel

Intel implemented privileged password management for 3,000 production systems (Windows, Linux, VMware and SQL). The project took two to three weeks and the client organization successfully implemented automated access rights changes resulting from systems administrator staff turnover.

Hitachi-ID Systems, Inc.

500, 1401 – 1st Street SE, Calgary, Alberta, Canada, T2G 2J3

Tel: +1 (403) 233 0740
Fax: +1 (972) 767 4404

Web: www.hitachi-id.com


IBM: IBM Tivoli Identity and Access Management Products

CATALYST

IBM is a major player in the identity and access management (IAM) field, marketing its products under the Tivoli brand. The products’ main strengths are their breadth of functionality and the close integration of IBM security and service-management products. Going forward, users can be confident of support for extending IAM controls into the cloud. The products can be deployed individually or as a suite, but users adopting all or most of the suite will benefit most. IBM applies some of the benefits of the robust mainframe environment to the open systems environment. The products benefit from IBM’s strong position in the system-management domain.

KEY FINDINGS

• There is close integration of IBM’s security products across IAM, security information and event monitoring (SIEM), and DLP domains.

• Mainframe users are supported with an integrated suite of products.

OVUM VIEW

Through its Tivoli division, IBM has a long presence in the identity management sector, and has equally well-established credentials in systems management. More recently, IBM has acquired several IT security vendors, including ISS, and specialist vendors, such as Consul Risk Management, Watchfire, Encentuate, Ounce Labs, Guardium and BigFix. IBM therefore has an impressive range of security technologies and managed services to match its historical strengths in security consulting. In its high-level vision, it has been able to address the inherent synergy between security management, systems management, governance and compliance in a way that the more specialist vendors have not. However, this level of integration is not always evident at the product-implementation level.

Within the IAM sector, IBM provides comprehensive functionality addressing all the “bases” across the map of required functionality. The global enterprise trend towards the rationalization of IT suppliers works to the advantage of the large IT infrastructure vendors. IBM is the most prominent player in enterprise IT and has the most to gain from this rationalization. It has assembled a range of security products that puts it in a position to benefit from this movement.


CHAPTER 7: IBM – IBM TIVOLI IDENTITY AND ACCESS MANAGEMENT PRODUCTS 175

TECHNOLOGY AUDIT

Strengths:

• Strong compliance-reporting features.

• A broad suite of products providing comprehensive functionality.

• Closed feedback loop for monitoring and acting on access and policy usage.

Weaknesses:

• IBM is still in the process of integrating some of its acquisitions.

Key Facts:

• Supports a wide range of standards.

• Policies can be tested using “what-if” simulation exercises across all products.

Recommendations

• Organizations with heterogeneous computing platforms, including mainframes – the breadth of capabilities and functionality in the IBM suite of products makes it an attractive and natural choice for these organizations.

• Organizations that have a strategic vision for integrated IAM – these organizations will find IBM’s strategic Service Management Platform approach helpful for meeting security and IT governance objectives.

• Other organizations with more than 500 employees – the choice of identity management suite is not so clear-cut for this group of organizations, and they should examine the detailed functions and features of the candidate products. Ease of deployment should take precedence over the product price, because identity and access management systems need to be configured to their operating environment and integrated with the business applications they control. IBM Tivoli Identity Manager, IBM Tivoli Federated Identity Manager Business Gateway, and IBM Tivoli Access Manager for ESSO are suitable choices for the SME sector.

SOLUTION OVERVIEW

IBM places IAM within its IBM Security Framework, which itself forms part of the IBM Service Management Platform that addresses the need for visibility, control, and automation across enterprise IT platforms. It addresses security governance, risk management and compliance across the realms of people, information, applications, processes, IT infrastructure and physical infrastructure. Within this overall scope, identity management addresses requirements relating to people and identity, as well as applications and processes.

IBM has simplified its portfolio to deliver integrated capabilities, as described in the IBM Security Framework, into consumable packages or bundles. The IBM Security Framework, along with the IBM security products and packages, is shown in Figure 1. One of the key bundles is the Identity and Access Assurance bundle, which contains the foundational IAM products to help on-board and off-board users.


Figure 1: IBM Security Framework and products (Source: IBM). The figure shows the IBM Security Framework layers (Security Governance, Risk Management and Compliance; People and Identity; Data and Information; Application and Process; Network, Server & End Point; Physical Infrastructure; Common Policy, Event Handling and Reporting), delivered through Managed Services, Hardware & Software and Professional Services, and the three packages: Identity and Access Assurance, Data and Application Security, and Security Management for z/OS. Products named in the figure include Identity Manager, Federated Identity Manager, Access Manager for eBusiness, Access Manager for Enterprise SSO, Access Manager for Operating Systems, Directory Server, Directory Integrator, Security Policy Manager, Key Lifecycle Manager, Security Information and Event Manager, zSecure Admin, zSecure Audit, zSecure Command Verifier, and Security Information and Event Manager for z/OS Auditing.

IBM’s Identity and Access Management Governance portfolio (see Figure 2) provides policy-driven governance to streamline and strengthen security for the foundational IBM IAM capabilities. It comprises:

• Planning the policy and role-modeling framework – this provides tools for role-modeling and management, and the support of policy design.

• Tracking – this involves the monitoring of user activity. IBM Tivoli Security Information and Event Manager provides unified reporting and auditing, feedback about policies and roles, and compliance reporting.

• Enforcing through identity, access and entitlement management – IBM Tivoli Identity Manager, IBM Tivoli Privileged Identity Manager Service, IBM Tivoli Access Manager for e-business and IBM Tivoli Security Policy Manager provide access certification, remediation of user access rights, privileged identity management, coarse-grained access and fine-grained, context-based, entitlement enforcement.


Figure 2: IBM’s IAM Governance Portfolio in 2010 (Source: IBM). The figure arranges the portfolio under policy-driven governance and process integration in three stages: Planning (policy and role modeling: Role Modeling Assistant, Policy Design Tool); Tracking (user activity monitoring: IBM Tivoli Security Information and Event Manager); and Enforcing (identity management: IBM Tivoli Identity Manager, IBM Tivoli Privileged Identity Manager Service; access and entitlement management: IBM Tivoli Security Policy Manager, IBM Tivoli Access Manager for eBusiness, IBM Tivoli Federated Identity Manager).

These products and services are supported by some foundation products, so the IAM suite is larger than the components shown in Figure 2.

The main products in the IAM area are:

• IBM Tivoli Directory Server (TDS), a scalable, standards-based identity data repository that interoperates with a broad range of operating systems and applications. This directory server is included within IBM IAM solutions to support large scale deployments.

• IBM Tivoli Directory Integrator (TDI), which can serve as a meta-directory or data-integration tool, synchronizing or transforming identity information and other security information in real time across relevant organizational sources. This directory integrator solution is included within IBM’s IAM solutions to support integration in a heterogeneous IT environment.

• IBM Tivoli Identity Manager (TIM), which provides identity management and provisioning relating to many types of logical assets (for example, databases and applications), network infrastructure (for example, Cisco ACS), and access-control systems, including those that are card-operated for building access. It enables integration with a broad range of heterogeneous systems across multiple types of platform. TIM has been improved with usability and interface enhancements to help with rapid deployment and operation, making the solution more accessible and adoptable by the SME market.

• IBM Tivoli Access Manager for Operating Systems (TAMOS) handles authentication and authorization and controls administrator (root user) access to Linux and Unix systems.

• IBM Tivoli Access Manager for Enterprise Single Sign-On (TAMESSO) provides desktop SSO for enterprise applications (usually termed Enterprise SSO), built-in integration with numerous strong authentication form factors, and many common applications (as well as extensibility to further applications via a drag and drop visual profiling interface), and session management for shared desktops.

• IBM Tivoli Access Manager for e-business (TAMeb), which provides a reverse-proxy-based authentication and authorization hub that manages and enforces user access to applications hosted on the web. It is primarily focused on web-based application SSO and provides out-of-the-box integration for Web 2.0 applications and web services. It can be implemented in varying forms, from simple web SSO to more complex application security infrastructure deployments.

• IBM Tivoli Federated Identity Manager (TFIM) provides the framework to support standards-based, federated identity interactions between partners, with capabilities in the areas of federated web SSO, web services security management, and federated provisioning. It comes with TAMeb for full-featured, standards-based web access management systems, and has been enhanced with more support for user-centric federation deployments using SAML and OpenID attributes. It is designed to simplify trust-based identity integration across Java, .NET, and mainframe applications and services.

• IBM Tivoli Federated Identity Manager Business Gateway (TFIM BG), which provides federated access SSO using SAML protocols. It integrates with existing on-premise application and web access management systems to control access to cloud software as a service (SaaS) and third party external applications.

• IBM Tivoli Privileged Identity Management service, which handles the lifecycle management of shared accounts and SSO for privileged IDs across systems and applications. It is a service based on TIM and TAMESSO. It ties administrator accounts to pools of authorized users, and provides SSO with the administrator credentials into the user session when the user needs to access privileged resources, while enforcing check-in and check-out of these credentials to maintain individual accountability.

• IBM Tivoli Security Policy Manager (TSPM), which provides entitlements and message security policy management for composite applications and services, centrally managed roles relating to applications, message protection policies and data-level access entitlements. It comes with security run-time services for standards-based policy decision integration with the existing IT and application environment, and provides out-of-the-box policy enforcement integration for WebSphere Portal, Microsoft SharePoint, WebSphere Application Server, .NET, FileNet, and DB2 applications.

• IBM Tivoli Security Information and Event Manager (TSIEM), which provides the reporting and auditing capabilities relating to the operation of the identity management infrastructure. TSIEM closes the loop for IAM by monitoring the usage of the configured policies, identifying violations for remediation, and reporting for compliance purposes.

• IBM Tivoli zSecure Suite, which delivers audit and administrative capabilities for mainframe security, including management of user credentials, access rights, monitoring and compliance. It is also a foundation of IBM’s Enterprise Security Hub and integrates with mainframe security protocols such as RACF, and with the mainframe editions of other IBM security products such as TIM for z/OS and TFIM for z/OS.

IDENTITY AND ACCESS MANAGEMENT 2011/12117788

Tivoli offers mainframe versions of several IAM products. These are TIM, TAMeb, TFIM running on zLinux, TIM for z/OS, TFIM for z/OS, TDS for z/OS and TDI for z/OS. Tivoli zSecure Admin enhances user management in the mainframe domain, including z/OS, z/VM and Unix System Services.

SOLUTION ANALYSIS

Authentication

The Tivoli suite provides comprehensive coverage for strong authentication. Web authentication is handled by TAMeb and TFIM, while desktop authentication is handled by TAMESSO.

TAMeb provides facilities to allow multiple levels and custom authentication mechanisms to be added to those it already supports. Authentication assertions can be communicated over hypertext transfer protocol (HTTP), which makes it easier for organizations to integrate with external authentication services. A limited-use license for TDI is included with TAMeb, providing options such as directory chaining for user authentication. A session management facility enables user sessions to be tracked across enforcement points. This provides administrative benefits, such as a single point from which to report on and manage user sessions, and the easier enablement of policy enforcement, which traverses any routes the user might have taken to access resources.

TAMESSO supports smart cards, biometrics, and passive and active RFID cards. An interface for open authentication devices simplifies integration with other authentication devices that may not be supported out of the box.

Enterprise and web SSO

The IBM Tivoli Unified Single Sign On solution addresses the access needs of enterprises inside, outside and between organizations. It comprises three parts:

• Enterprise SSO performed by TAMESSO.

• Web SSO performed by TAMeb.

• Federated SSO performed by TFIM.

IBM’s enterprise SSO capability is based on its acquisition of Encentuate in March 2008. It provides connections to common enterprise applications. There is also a help wizard with a drag-and-drop user interface to auto-generate SSO support for other enterprise applications. It can be integrated with several strong authentication products. It provides centralized auditing and reporting of user access to the applications under its control across the enterprise.

TAMeb provides a single view of user access across a broad set of business applications, ranging from email to enterprise resource planning (ERP) systems. It seamlessly integrates into a Microsoft .NET infrastructure and works with AD. It minimizes the changes to the .NET applications that are required to allow them to participate in web SSO. There is some anti-fraud support provided in the browser to support web application security. A bundling with Tivoli Common Reporting provides built-in report authoring, report distribution and report scheduling capabilities. It also offers configurable admin domains, improved session management services and support for non-standard IP load-balancers.

TFIM extends TAMeb to support federation standards such as SAML to easily federate access to other compatible systems. The chapter on FIM gives more detail about this product.

User provisioning

IBM TIM provides a group management capability to streamline user administration, as well as a role-hierarchy model to simplify user provisioning and improve the visibility of user access permissions that have been granted. Operational role management is now a fundamental embedded capability in TIM. An individual can have multiple roles, users can inherit roles, and they can be given ad hoc additional privileges outside of the role structure. TIM can prevent and detect conflicts between role and permission allocations. Roles can be imported from a directory. TIM’s access certification capability allows organizations to automate the periodic recertification of user, account, and role access to comply with policy.
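The role model just described (multiple roles per user, inherited roles, ad hoc grants outside the hierarchy, and a preventive check for conflicting allocations) is easy to misjudge without seeing the permissions it actually produces. The following is an added illustration, not TIM code or IBM's data model: the role names, permissions and the separation-of-duty pair are constructed for the example, and the conflict check is the generic "a single identity must not hold both permissions" rule rather than TIM's own engine.

```python
"""Role hierarchy with inheritance, ad hoc grants and a preventive
separation-of-duty (SoD) check. Constructed example; roles, permissions
and SoD pairs are invented for illustration.
"""
from collections import deque

# Role -> parent roles. A role inherits every permission of its parents.
ROLE_PARENTS = {
    "employee": [],
    "ap_clerk": ["employee"],
    "ap_approver": ["employee"],
    "finance_manager": ["ap_approver"],
}

# Permissions granted directly on each role.
ROLE_PERMS = {
    "employee": {"portal:login", "hr:view_own_record"},
    "ap_clerk": {"ap:create_invoice"},
    "ap_approver": {"ap:approve_invoice"},
    "finance_manager": {"gl:close_period"},
}

# Permission pairs that one identity must never hold at the same time.
SOD_CONFLICTS = [
    ("ap:create_invoice", "ap:approve_invoice"),
]


def effective_roles(assigned):
    """Expand assigned roles through the parent hierarchy (cycle-safe BFS)."""
    seen = set()
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        if role not in ROLE_PARENTS:
            raise KeyError(f"unknown role: {role}")
        seen.add(role)
        queue.extend(ROLE_PARENTS[role])
    return seen


def effective_permissions(assigned_roles, adhoc_perms=()):
    """Union of inherited role permissions and ad hoc grants outside the role model."""
    perms = set(adhoc_perms)
    for role in effective_roles(assigned_roles):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def sod_violations(assigned_roles, adhoc_perms=()):
    """Conflicting pairs the identity would hold; checks ad hoc grants too."""
    perms = effective_permissions(assigned_roles, adhoc_perms)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def request_role(user_roles, new_role, adhoc_perms=()):
    """Preventive check: refuse a role request whose result would violate SoD."""
    proposed = set(user_roles) | {new_role}
    violations = sod_violations(proposed, adhoc_perms)
    if violations:
        return False, violations
    return True, []


if __name__ == "__main__":
    # A clerk who can create invoices asks for a role that inherits approval rights.
    ok, why = request_role({"ap_clerk"}, "finance_manager")
    print("granted" if ok else f"denied, SoD conflicts: {why}")
```

The check runs over effective permissions rather than role names, which is what catches the inherited conflict here: nothing on the `finance_manager` role itself conflicts with `ap_clerk`, but its parent `ap_approver` does. The same function applied to `adhoc_perms` covers the "privileges outside the role structure" case, which a role-name-only comparison would miss.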

CHAPTER 7: IBM – IBM TIVOLI IDENTITY AND ACCESS MANAGEMENT PRODUCTS 117799

IBM’s Role Modeling Assistant tool is provided to assist in the building of roles. It works in both top-down and bottom-up modes. The bottom-up mechanism imports existing identity, role and entitlement data, while the top-down mechanism imports interview data. These are analyzed and compared to produce a set of roles for approval, editing and certification. The final definitions can then be exported into TIM.

Password management

TIM provides self-service capabilities for password resetting and synchronization across platforms and applications. TAMESSO also handles password management from the desktop and integrates seamlessly with TIM.

FIM

TFIM has been improved to make it more user-centric. A large number of users can be enrolled into the TAMeb LDAP using FIM, from which they can be authenticated to all the applications they need to access. FIM also gives users a choice of identity selectors, such as the Higgins Framework and Microsoft CardSpace, to support user-asserted identity, instead of the traditional enterprise-issued identities. It supports both SAML and OpenID attributes, and works with all generations of SAML, Kerberos, and RACF PassTicket tokens. It is designed to integrate with Java, .NET and mainframe applications. The Kerberos token module extends integration into the .NET environment. It reports into Tivoli Compliance Insight Manager.

IBM’s federation mechanism also gives access to internal and external services including SaaS, platform as a service (PaaS) and infrastructure as a service (IaaS) cloud services. It can supply these services with SAML tokens, OpenID user IDs, and passwords as required.

Privileged identity management

The Tivoli Privileged Identity Management solution comprises TIM and TAMESSO. TIM provides the lifecycle management of shared and privileged IDs, from provisioning, through access request and approval workflow support, to access recertification and de-provisioning. TAMESSO facilitates administrators who need access to a system with shared or privileged IDs by automatically checking out a shared ID, providing single sign-on, and automatically checking in the ID for reuse on application log-out. This automatic check-in and check-out not only simplifies usage and automates compliance, but also improves security, as the administrators no longer need to know the passwords to these privileged IDs.
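The check-out/check-in model above is what turns a shared administrator ID into an individually accountable one, and the security value lies in three details: only the authorized pool may check out, a held ID is not handed to a second person, and every step is logged against a named user. The following is an added example of that model, not IBM's implementation: the vault class, account names, lease length and the rotation of the secret on check-in (a common hardening, assumed here rather than taken from the text) are all constructed for illustration; a real deployment would have an SSO agent inject the returned secret into the session so the administrator never sees it.

```python
"""Shared privileged-ID check-out/check-in with per-user accountability.
Constructed example; vault, accounts, users and lease policy are invented.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SharedAccount:
    name: str
    target: str
    secret: str                                  # injected into the session, never displayed
    holder: Optional[str] = None                 # who currently has it checked out
    checked_out_at: Optional[float] = None


@dataclass
class Vault:
    accounts: dict = field(default_factory=dict)
    entitled: dict = field(default_factory=dict)  # account name -> authorized user pool
    audit: list = field(default_factory=list)
    max_lease: float = 3600.0                     # seconds before a stale check-out can be taken over

    def add(self, account, users):
        self.accounts[account.name] = account
        self.entitled[account.name] = set(users)

    def checkout(self, user, name, now=None):
        """Hand the credential to `user` if entitled and the ID is free; log the decision."""
        now = time.time() if now is None else now
        acct = self.accounts[name]
        if user not in self.entitled[name]:
            self._log(now, user, name, "checkout-denied", "not in authorized pool")
            return None
        if acct.holder is not None and now - acct.checked_out_at < self.max_lease:
            self._log(now, user, name, "checkout-denied", f"held by {acct.holder}")
            return None
        acct.holder, acct.checked_out_at = user, now
        self._log(now, user, name, "checkout", "ok")
        return acct.secret

    def checkin(self, user, name, now=None):
        """Release the ID; only the holder may check it in. The secret is rotated."""
        now = time.time() if now is None else now
        acct = self.accounts[name]
        if acct.holder != user:
            self._log(now, user, name, "checkin-denied", f"held by {acct.holder}")
            return False
        acct.secret = secrets.token_urlsafe(24)    # assumed hardening: old password dies with the session
        acct.holder = acct.checked_out_at = None
        self._log(now, user, name, "checkin", "rotated")
        return True

    def _log(self, ts, user, name, event, detail):
        self.audit.append({"ts": ts, "user": user, "account": name, "event": event, "detail": detail})


if __name__ == "__main__":
    vault = Vault()
    vault.add(SharedAccount("root", "db01", "initial-secret"), ["alice", "bob"])
    vault.checkout("alice", "root")
    vault.checkout("bob", "root")      # denied: alice holds it
    vault.checkin("alice", "root")
    for entry in vault.audit:
        print(entry)
```

The audit list is the accountability record the passage refers to: each event names the human, not the shared ID, so a later review of `root` activity on `db01` can be tied back to whoever held the check-out at that time.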

Administration and policy management

TSIEM monitors user activity via a dashboard view, including privileged user activity on databases, applications, servers and mainframes. TSIEM manages logs to produce compliance reports and issue alerts about possible policy violations. It can collect information from thousands of event sources and is now available on a Windows 64-bit platform to enhance its scalability. Its interface is available in Chinese, Japanese, Korean, French, German, Italian, Spanish, Polish, Hungarian, Russian and English.

TAMeb, TAMOS and TFIM provide common administration management that allows authentication policies to be defined and administered in a delegated hierarchical fashion. It provides out-of-the-box integration for enterprise applications, Web 2.0 and web services use. It works across data centers.

TSPM provides a centralized security policy management interface to author and transform security policies for message security and fine-grained entitlements. It deals with policies formulated in business terms, such as specifying a manager’s authorization limit for transactions without the need to involve IT professionals, or use business services carrying personally identifiable information that needs to be encrypted and signed. These security policies are expressed using roles, rules and attributes that a business understands before being transformed into effective policies and communicated with the enforcement points using Extensible Access Control Markup Language (XACML) and WS-SecurityPolicy. It provides out-of-the-box policy enforcement integration with WebSphere Portal, Microsoft SharePoint, WebSphere Application Server, .NET, Filenet, and DB2 applications. It also enables SOA governance with integration into WebSphere Service Repository, WebSphere DataPower SOA Appliances, WebSphere Message Broker, and third-party enterprise service buses (ESBs).


A standalone Eclipse-based policy design tool is offered to help application architects model entitlements using roles and simulate ‘what if’ scenarios, including checking for potential “separation of duties” violations, before creating policy templates for use in deployment.
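The TSPM description above rests on two ideas: an entitlement rule written in business terms (a manager may approve transactions up to an authorization limit) that combines roles, rules and attributes, and a what-if simulation that shows how a proposed policy change alters decisions before it is deployed. The following added example shows both in plain Python; it is not TSPM's policy language (which the text says is XACML and WS-SecurityPolicy) nor IBM's tooling, and the rule set, attributes and sample requests are constructed for illustration.

```python
"""Attribute-based entitlement rules in business terms, plus a what-if
simulation of a proposed policy change. Constructed example; the rule
structure and all sample data are invented and do not emulate XACML.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    subject: dict      # e.g. {"id": "m1", "roles": {"manager"}, "approval_limit": 10000}
    action: str        # e.g. "approve"
    resource: dict     # e.g. {"amount": 2500, "submitted_by": "e7"}


@dataclass
class Rule:
    name: str
    effect: str        # "permit" or "deny"
    roles: set         # the subject must hold at least one of these
    action: str
    condition: Callable = lambda subject, resource: True   # attribute test in business terms


def evaluate(policy, req):
    """First applicable rule wins; a request no rule matches is denied (default deny)."""
    for rule in policy:
        if rule.action != req.action:
            continue
        if not (req.subject.get("roles", set()) & rule.roles):
            continue
        if rule.condition(req.subject, req.resource):
            return rule.effect, rule.name
    return "deny", "default-deny"


def within_limit(subject, resource):
    """The business rule: the amount must not exceed the approver's own limit."""
    return resource.get("amount", float("inf")) <= subject.get("approval_limit", 0)


# Deny rules go first so a self-approval is refused even for a director.
POLICY = [
    Rule("self-approval-forbidden", "deny", {"manager", "director"}, "approve",
         lambda s, r: r.get("submitted_by") == s.get("id")),
    Rule("manager-approves-within-limit", "permit", {"manager"}, "approve", within_limit),
    Rule("director-approves-any", "permit", {"director"}, "approve"),
]


def what_if(current, proposed, sample_requests):
    """Report every sample request whose decision changes if `proposed` replaces `current`."""
    changes = []
    for req in sample_requests:
        before, _ = evaluate(current, req)
        after, rule = evaluate(proposed, req)
        if before != after:
            changes.append((req, before, after, rule))
    return changes


if __name__ == "__main__":
    manager = {"id": "m1", "roles": {"manager"}, "approval_limit": 10000}
    print(evaluate(POLICY, Request(manager, "approve", {"amount": 2500, "submitted_by": "e7"})))
    print(evaluate(POLICY, Request(manager, "approve", {"amount": 2500, "submitted_by": "m1"})))
```

Running `what_if` over a representative sample of requests (the ones auditors and application owners care about) is the cheap version of the simulation the passage describes: a proposed doubling of the manager limit, for instance, shows up as a list of concrete requests that flip from deny to permit, which is far easier to review than the rule text.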

IBM TIM provides reports of user access rights to assist with auditing.

TSIEM monitors for privileged-user activity. The combination of SIEM with IAM provides visibility, auditor-centered reporting and a closed-loop compliance lifecycle.

PRODUCT STRATEGY

IAM is an integral part of IBM’s governance and security product set. In particular, it allows web application security, XML security, network security and the DLP product to discriminate between different users with different information access rights. It uses the SIEM products to provide audit and alerting requirements.

Identity and access management products are typically used by larger organizations. However, IBM takes its products to companies in the 500–1,000 employees range, with its improvements in usability and ease of deployment. It offers bundles of IAM and related products, including to companies at the smaller end of the spectrum.

IBM has more than 4,000 IAM customers and some robust service capabilities.

IMPLEMENTATION

TDS is built on the DB2 database engine to deliver high performance, but DB2 expertise is not required to deploy it. TDS is an Open Group LDAP v3 certified directory, and adheres to industry standards to maximize application support. It has a number of features that increase administrator usability. For example, search results can be sorted and viewed as “pages”, and groups can be nested or “dynamic”, where changes in a defined variable can automatically update the group profile. TDI is for organizations that require integration of identity data from various repositories throughout the organization, and it incorporates virtual directory capabilities. TDI can implement very large, complex integrations supporting hundreds of simultaneous synchronizations with enterprise-strength fault tolerance. The product has a development environment in which a drag-and-drop GUI allows for the customer definition of integration requirements.

In some customer deployments, TIM supports a user base of more than 1.5 million across thousands of managed systems. TIM provides a wide range of identity management features, including:

• Web-based self-service interfaces with customizable look and feel for end users (for example, password reset and synchronization), which have been extended to include request and approval for users’ membership of roles.

• A role-based administration model for the delegation of administrative privileges, with preventive checks for separation of duty violations and exceptions.

• A workflow engine for automated submission and approval of user requests.

• A provisioning engine to automate the implementation of administrative requests.

• Policy simulation allowing the modeling of security policy changes, including what-if scenarios, and the reporting of issues such as conflicting roles so that these can be resolved.

• Business-friendly revalidation (sometimes called access certification or attestation) of granular user access rights.

• Administration management features such as streamlined notification, bulk “to-do” items management, and task ownership and delegation.

• Broad out-of-the-box integration support for disparate applications and systems, and universal connectors for extending the management model to new and custom environments.

• Predefined reports on security policy, access rights, and audit events.


TIM is a J2EE application that provides an extensive range of APIs to provide extensibility, and uses IBM standard middleware as a basis for scalability, performance, and reliability. TDI is used as the basis for adapters and connectors that manage user accounts on the systems managed by TIM. Most adapters either operate without remote management or are locally controlled, and all communication across platforms is secured using SSL protocols. Policies can be configured in TIM using a script based on JavaScript, and can be made subject to a preview of their impact. Drag-and-drop workflow definitions in TIM allow integration with other applications and workflow technology.

IBM’s acquisition of Encentuate provided desktop SSO for enterprise applications, enabling the end-user experience to be simpler by eliminating the need to recall multiple usernames and passwords. It can also improve security by reducing poor end-user password behavior, and by providing easier adoption of strong authentication form factors such as smart cards or biometrics, for which it provides out-of-the-box integration.

TAMeb manages web application security and enforces access control audit policy through enforcement points that can be placed as a reverse proxy in front of web applications, or through authorization and authentication plug-ins directly into a web server or application server environment. It can support over 100 million users and secure thousands of applications. It can also be used to control wired and wireless access to applications and data based on identity. It integrates with web applications and servers to provide seamless access to applications and data across the extended enterprise, and to transactions with citizens, partners, customers, suppliers and employees.

The user’s browser-based request for a resource is dealt with by a resource manager component of TAMeb called WebSEAL, a reverse proxy that is resident on the web server and responsible for applying security policy to resources. This policy enforcer component directs the request to the authorization service for evaluation and, based on the result, allows or denies access to the protected resources. Access Manager authorization decisions are transferred using the TAM credential, which contains a user ID, its group memberships, and selected user attributes. The resource manager also integrates with security token services to implement standards-based identity integration into back-end applications.
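The enforcement-point/decision-point split described above (WebSEAL enforces, the authorization service decides, and the decision is made against a credential carrying user ID, groups and attributes) is the part of the design worth understanding, because it is where a misplaced or missing ACL turns into an exposed resource. The following added example models that flow: it is not TAMeb's ACL syntax, object-space format or API, and the credential shape, object paths, entry names and permission letters are constructed for illustration. The one property it does carry over faithfully is that an object with no ACL of its own is governed by the nearest ancestor that has one, and an object with no governing ACL at all is denied.

```python
"""Authorization decision over a protected object space, in the style of a
reverse-proxy enforcement point asking a policy decision service.
Constructed example; credential, paths, ACL entries and permission letters
are invented and do not reproduce TAMeb's real formats.
"""
from dataclasses import dataclass, field


@dataclass
class Credential:
    """The decision input: user ID, group memberships and selected attributes."""
    user_id: str
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)


# ACLs attached to nodes of the object space. A request is governed by the
# closest ancestor node that carries an ACL. Entry keys used here:
# user:<id>, group:<name>, any-authenticated, unauthenticated.
OBJECT_SPACE_ACLS = {
    "/WebSEAL/app": {
        "group:employees": {"r", "x"},
        "any-authenticated": set(),
        "unauthenticated": set(),
    },
    "/WebSEAL/app/public": {
        "any-authenticated": {"r", "x"},
        "unauthenticated": {"r", "x"},
    },
    "/WebSEAL/app/admin": {
        "group:admins": {"r", "x"},
        "any-authenticated": set(),
        "unauthenticated": set(),
    },
}


def nearest_acl(path):
    """Walk up the object space to the closest node that has an ACL attached."""
    node = path.rstrip("/")
    while node:
        if node in OBJECT_SPACE_ACLS:
            return node, OBJECT_SPACE_ACLS[node]
        node = node.rsplit("/", 1)[0]
    return None, {}


def authorize(cred, path, needed):
    """Policy decision: (allowed, governing ACL node) for the requested permissions."""
    node, acl = nearest_acl(path)
    if node is None:
        return False, None                          # nothing governs it: default deny
    if cred is None:
        granted = acl.get("unauthenticated", set())
    elif f"user:{cred.user_id}" in acl:
        granted = acl[f"user:{cred.user_id}"]       # an explicit user entry overrides groups
    else:
        matched = [acl[f"group:{g}"] for g in cred.groups if f"group:{g}" in acl]
        granted = set().union(*matched) if matched else acl.get("any-authenticated", set())
    return set(needed) <= granted, node


def handle_request(cred, path):
    """Enforcement point: ask for a decision, then forward (200) or refuse (401/403)."""
    allowed, _ = authorize(cred, path, "rx")
    if allowed:
        return 200
    return 401 if cred is None else 403


if __name__ == "__main__":
    alice = Credential("alice", {"employees"})
    print(handle_request(None, "/WebSEAL/app/public/index.html"))   # anonymous, public page
    print(handle_request(alice, "/WebSEAL/app/admin/users"))         # employee, admin area
```

The inheritance walk is the behaviour to review when auditing such a policy: a new sub-tree created under `/WebSEAL/app` silently inherits the employee-wide ACL until someone attaches a narrower one, so checking which node actually governed a decision (the second element `authorize` returns) is more informative than checking the decision alone.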

TFIM manages a large number of external users’ access to an organization’s portal and application assets using existing identities (such as username) and federated identity formats (such as OpenID and information card selectors, like Microsoft Windows CardSpace), without having to manage these identities within the organization. There is extended integration with Microsoft .NET environments through a Kerberos token module, and with mainframe environments through RACF PassTicket token-based access. It also provides implementations of the SAML, Liberty Identity Federation Framework (ID-FF), WS-Federation, WS-Provisioning, and WS-Trust specifications for federated SSO and web services identity mediation. A single TFIM deployment can act in different roles concurrently; for example, identity provider and service provider. In the web services security space, TFIM provides a secure token service (STS), as defined by the WS-Trust specification, as well as several modules for invoking the STS from IBM’s WebSphere Application Server, third-party ESBs and WebSphere DataPower SOA appliances. WS-Trust provides security token validation and mediation, user identity mapping, and partner key management services to web service endpoints that implement the WS-Security standard. The federated provisioning components of TFIM provide an implementation of the WS-Provisioning specification. TFIM is a J2EE application architected using a services model that runs on IBM’s WebSphere Application Server and also leverages TDS and Tivoli Access Manager for user authentication, session management and access enforcement.

IBM’s Identity Management products use TSIEM as a common integration point for auditing and logging. TSIEM is also used in a similar way by other products to provide a broader audit and compliance perspective.

Tivoli zSecure Suite is the centerpiece of a number of identity- and security-related capabilities that serve mainframe users. These include IBM Tivoli zSecure Admin and IBM Tivoli zSecure Visual, both of which enable complex mainframe security mechanisms to be administered more easily than by using native management systems. IBM provides editions of many of its identity management products that connect to the mainframe (TFIM, TDS and TDI can run on z/OS or zLinux, while TIM and TAMeb can run on zLinux), allowing central administrators to connect to the mainframe for routine enterprise-wide administration.


Customer implementations typically rely on a mix of home-grown expertise and services resources from either systems integrators or IBM. General knowledge of installing middleware, and expertise around security or audit and compliance, is helpful in tailoring implementations to specific needs. Implementation times vary widely because of the different types of environment and complexity levels, but solution deployments typically take a number of months. As policy definition takes up a significant portion of the time spent on deployment, customers with an already-defined security policy will usually benefit from reduced timescales for their implementation program.

IBM offers training in various delivery formats on all of the products, as well as an extensive range of online resources such as datasheets, product documentation and Redbooks.

DEPLOYMENT EXAMPLES

Public sector broadcaster

A large public service broadcaster wanted to centralize its security management and services to replace a legacy identity management system and enable SOA. It adopted TSPM, TIM, TFIM (including TAMeb) and Tivoli Compliance Insight Manager. The out-of-the-box provisioning and access management integration support of the IBM products, along with standards-based support for SOA environments, were important factors in the customer’s decision.

Global electrical equipment company

A worldwide electrical equipment company with 5,000 employees wanted to improve its user access and authorization management to satisfy compliance requirements. It particularly wanted to deactivate access for former employees and for business partners that no longer worked for it. It deployed IBM IAM (managed identity service), Tivoli Unified Single Sign-on (comprising enterprise, web and federated SSO) and TIM. This provided a bundled solution for SSO, federation and access provisioning. IBM’s services support was crucial to its winning the deal, because it was able to offer a fully managed environment including design, implementation and ongoing management support. IBM charged a fixed monthly amount for managing changing identity needs.

Fortune 100 company

A Fortune 100 company operating in 30 countries with more than 7,000 systems and one million user accounts was experiencing difficulty in maintaining its user access rights, particularly deactivating the accounts of users whose employment had been terminated. It had thousands of “orphaned” service accounts with no documented authorization, and had no centralized view of user entitlements. Its costs were high because it required 40 full-time equivalent staff to perform provisioning manually. It deployed IBM IAM (managed identity service) and TIM. This provided a centralized view and ongoing certification of entitlement data, eliminated orphaned accounts, and significantly decreased operational support costs for user provisioning and helpdesk calls relating to password resets.

IBM North America
590 Madison Avenue
New York, NY 10022
USA
Tel: +1 (800) 426 4968
Email: [email protected]

IBM (United Kingdom) Ltd.
P.O. Box 41
North Harbour
Portsmouth, PO6 3AU
UK
Tel: +44 (0)1475 898073
Email: [email protected]

www.ibm.com/tivoli


MICROSOFT:

Microsoft Forefront Identity Manager 2010 and Associated Products

CATALYST

Microsoft is a mainstream competitor in the identity and access management (IAM) space. Microsoft has a distinctive profile, and has significantly enhanced its offerings under the Forefront brand with Forefront Identity Manager (FIM) 2010 and its associated products, which build upon the foundation provided by AD and Microsoft’s thought leadership in the conceptual area of online identity. The offering is tightly integrated with key elements of the Microsoft infrastructure such as Outlook and SharePoint, allowing administrative work in areas such as user-group definition to be leveraged. With its portfolio of IAM products, Microsoft has strong capabilities in areas such as integrating internal and external identities, and extending corporate identity infrastructure into cloud services and partner networks.

KEY FINDINGS

• Microsoft promotes identity management as an extension of the Windows and Office environment.

• The architecture of the suite is unique. While most of the expected identity management functionality exists within the Microsoft portfolio, it is not where users who are familiar with competing products would expect to find it.

OVUM VIEW

While no identity management system deployment can be categorized as cheap or easy, organizations that are Windows-centric will find FIM 2010 and its associated products to be an attractive option. Microsoft’s approach builds on tools that the organization already uses and configuration data that exists in the corporate AD. The recent advances in FIM show Microsoft’s commitment to identity management, while its moves to embrace industry standards and its visionary work on the Identity Ecosystem show that it has awareness of wider business needs beyond the Microsoft ecosystem.

CHAPTER 7: MICROSOFT – MICROSOFT FOREFRONT IDENTITY MANAGER 2010 AND ASSOCIATED PRODUCTS 118877

TECHNOLOGY AUDIT

Strengths:

• Microsoft’s view of identity management embraces services on the Internet.

• Many components of the portfolio are available through ubiquitous Microsoft products such as Windows, Office, .NET or AD.

• Microsoft supports application developers in delivering access management.

Weaknesses:

• This offering requires an environment that is predominantly built on Microsoft products.

Key Facts:

• Microsoft now embraces all major standards in IAM.

Recommendations

• Organizations with a commitment to Microsoft in the data center will find the company’s offerings a natural progression into IAM.

• Organizations that have concerns about maintaining strong access controls as they move into the cloud will be reassured by the level of investment that Microsoft has made in meeting this requirement.

• Organizations that need to enroll large numbers of external (non-employee) users into their IAM system will find that Microsoft’s perspective resonates with their requirements.

SOLUTION OVERVIEW

Microsoft offers integrated identity management across heterogeneous systems and groups, including IT professionals, end users and developers. Its offering is characterized by its deep integration with familiar Microsoft products; for example, it uses AD as its foundation, and provides user self-service capabilities through the Office and SharePoint interfaces. It also uses workflow that is embedded in existing products such as the Outlook client.

Microsoft’s complete IAM offering is delivered through the following products and services:

• Forefront Identity Manager (FIM) 2010.

• Windows Server AD Federation Services (AD FS) 2.0.

• Windows Identity Foundation (on .NET 3.5).

• Windows Azure AppFabric Access Control 1.0.

• Forefront Unified Access Gateway (UAG) 2010.

• Windows Server AD Domain Services (AD DS) and AD Lightweight Directory Services (AD LDS) 2008 R2.

• Windows Server AD Certificate Services.

• CardSpace 1.0.

Microsoft’s approach to identity management is built on the concepts of its Identity Metasystem, which is formulated to provide an “identity layer” that is missing from the Internet. “Claims” are transmitted as digitally signed tokens, conveying one or more of the subject’s identifiable attributes, asserted by the person or organization that has signed the token. When logging in to a business system, the required claims would typically be the name and affiliation of the user. The tokens could use the Kerberos or SAML formats, which are transmitted using the WS-* protocols.
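What makes a claim trustworthy in the model above is not the attribute itself but the signature binding it to an issuer the relying party already trusts, together with the checks the relying party must make before acting on it (issuer, intended audience, validity window). The following added example shows a minimal signed claims token issued and then verified; it is not Microsoft's token format, CardSpace or AD FS code. The JSON-plus-HMAC layout, the issuer and audience strings and the demo key are constructed for illustration, and a real deployment would use the SAML or Kerberos formats the text names, with asymmetric signatures so that relying parties hold only a public key.

```python
"""Issue and verify a minimal signed claims token. Constructed example: the
token layout (JSON payload + HMAC-SHA256), the issuer, audience and key are
invented for illustration and are not a real federation token format.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-demo-key-not-for-real-use"   # shared for the demo only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, issuer, audience, ttl, key=ISSUER_KEY, now=None):
    """Sign the claims plus issuer, audience and validity window."""
    now = int(time.time()) if now is None else now
    body = dict(claims, iss=issuer, aud=audience, iat=now, exp=now + ttl)
    payload = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token, expected_issuer, expected_audience, key=ISSUER_KEY, now=None):
    """Return the asserted claims only if every check passes, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                      # forged or tampered: reject before parsing
        body = json.loads(_unb64(payload))
    except ValueError:                       # malformed base64/JSON or wrong field count
        return None
    if body.get("iss") != expected_issuer or body.get("aud") != expected_audience:
        return None                          # wrong issuer, or a token meant for another app
    if not (body["iat"] <= now < body["exp"]):
        return None                          # expired or not yet valid
    return {k: v for k, v in body.items() if k not in ("iss", "aud", "iat", "exp")}


if __name__ == "__main__":
    token = issue_token({"name": "alice", "affiliation": "contoso"},
                        "https://sts.example", "payroll-app", ttl=300)
    print(token)
    print(verify_token(token, "https://sts.example", "payroll-app"))
```

The order of checks matters: the signature is verified over the raw payload before it is parsed, so untrusted input never reaches the JSON parser, and the audience check is what stops a token issued for one application from being replayed against another that trusts the same issuer.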

The relationship between the components is shown in the architecture diagram in Figure 1.

Windows Server AD provides the Identity Management Platform, which enables the integration of the various aspects of IAM.

FIM provides a web service API and facilities for delegation, workflow and connectors. It lets users create workflows that model business processes, and then attach them to requests. A compliance auditor can use this workflow as documentation of the approval process. Workflows that are built on Windows Workflow Foundation can be used in FIM. New activities, including approval and notification, can be defined on Windows Workflow Foundation within Microsoft Visual Studio. The FIM API also provides extensible activities, workflow and schema. FIM can be accessed through several clients, including an Internet portal and Outlook.

Microsoft’s customers benefit from having an identity management infrastructure that reuses the familiar products and interfaces in their existing Windows and Office products. Kerberos can be used to synchronize identity information across environments, and also across partner organizations. The AD account is used directly for log-in to Windows computers, to authenticate sign-in to Microsoft applications, and to provide SSO to other platforms and applications that support Kerberos, certificates or LDAP bind for user authentication. FIM allows users to reset their passwords from a locked workstation through a self-service dialogue.


Microsoft has started to build a range of cloud identity infrastructure services and components. Azure AppFabric Access Control helps organizations to build federated authorization into their applications and services, without the complicated programming usually required to implement application control beyond corporate boundaries. The service provides applications with a front-end that performs the authentication and claims transformation, and interacts with the application using the WS-Trust and Open Authentication (OATH) protocols. The application then has only to process the claims in these messages.

Figure 1: Microsoft Identity and the Cloud. Source: Microsoft.

SOLUTION ANALYSIS

Authentication technology

Microsoft’s FIM manages the lifecycle of passwords and certificate-based credentials such as smart cards. It also distributes soft OTPs for credential enrollment.

The company has also developed CardSpace, which, as well as being a secure technology for authenticating personal identity on the Internet, can also be used in the corporate identity management field. It is useful for providing access to the systems of partner organizations, and could be used for employee access, particularly from remote locations. It allows users to assert claims relating to their identity that are backed up by an identity provider with a recognized level of assurance. CardSpace provides the identity selector interface. In the corporate context, an employer could provide its employees with such an identity, which would by definition provide the same level of assurance as an internal identity in the corporate directory. In the same way that it could be used within the organization that issued it, the identity could be used to authenticate the user to a business partner. It is implemented as a .NET component of the Windows client or Server operating systems, and is hardened against spoofing or tampering. The client’s user interface can also be secured with two-factor authentication if required.

Enterprise and web SSO

Active Directory Federation Services (AD FS) 2.0 provides easy access to applications both on-premise and in the cloud using a claims-based infrastructure. It provides an SSO experience for end users looking to access applications in the enterprise, in the cloud, and in partner organizations. It is based on industry-standard protocols including WS-* and SAML, and enables heterogeneous applications to interoperate. AD FS federates with AD FS in other organizations, as well as with platforms from other vendors.

User provisioning

User provisioning is based on FIM Set management, which controls provisioning to connected Microsoft systems, as well as to third-party systems. Groups are managed in AD (the authoritative corporate source of identity information) and visualized through Outlook and SharePoint.

While FIM does not extend AD’s core functionality, it provides services to synchronize identities between AD and other identity sources, databases and systems, including those on non-Microsoft platforms.

FIM can provision PKI certificates and OTP systems. It works with Microsoft’s Certificate Authority and third-party CAs to deliver certificates for users. It can also issue soft OTPs for credential issuance.

Password management

FIM adheres to the password policy that is enforced by AD. It provides a self-service password reset facility based on personal information that the user chooses to provide for this purpose when they initially register with it (users select a range of personal questions that they want to use from a menu, and register the answers to these). Before resetting their password, the user has to supply correct answers to a subset of these questions that FIM selects at random.
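The self-service reset flow above is a recovery path that bypasses the password, so the defensive details are where its security lives: the registered answers should be stored as salted slow hashes rather than plaintext, the server (not the user) must choose which subset is asked, a challenge should be single-use, and repeated failures need a lockout. The following is an added example of that flow, not FIM's code or storage format; the question bank, hashing parameters, subset size and lockout threshold are constructed for illustration.

```python
"""Self-service password reset from registered secret answers: register
answers as salted hashes, challenge a random subset, lock out on repeated
failure. Constructed example; parameters and questions are invented.
"""
import hashlib
import hmac
import random
import secrets
import unicodedata

PBKDF2_ROUNDS = 100_000            # slow hash so a stolen record resists guessing
QUESTIONS_PER_CHALLENGE = 3
MAX_FAILED_ATTEMPTS = 5


def _normalize(answer):
    """Case-fold and collapse whitespace so 'Main  Street' and 'main street' match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)


class ResetRegistration:
    """Per-user record: only salted hashes of the answers are retained."""

    def __init__(self, answers):
        if len(answers) < QUESTIONS_PER_CHALLENGE:
            raise ValueError("register at least as many questions as one challenge asks")
        self.records = {}
        for qid, answer in answers.items():
            salt = secrets.token_bytes(16)
            self.records[qid] = (salt, _hash_answer(answer, salt))
        self.failed = 0
        self.pending = None

    def challenge(self, rng=None):
        """Select the subset server-side at random; the user cannot pick the questions."""
        rng = rng or random.SystemRandom()
        self.pending = rng.sample(sorted(self.records), QUESTIONS_PER_CHALLENGE)
        return list(self.pending)

    def verify(self, supplied):
        """supplied: {question_id: answer}. Every question in the live challenge must match."""
        if self.failed >= MAX_FAILED_ATTEMPTS or self.pending is None:
            return False                             # locked out, or no live challenge
        asked, self.pending = self.pending, None      # a challenge is single-use
        ok = set(supplied) == set(asked)
        for qid in asked:                            # check every answer: no early exit
            salt, digest = self.records[qid]
            ok &= hmac.compare_digest(digest, _hash_answer(supplied.get(qid, ""), salt))
        if ok:
            self.failed = 0
            return True
        self.failed += 1
        return False


if __name__ == "__main__":
    reg = ResetRegistration({"pet": "Fluffy", "street": "Main Street", "city": "Lisbon", "car": "Ford"})
    asked = reg.challenge()
    print("asked:", asked)
    print("reset allowed:", reg.verify({q: "wrong" for q in asked}))
```

Two choices worth noting: the challenge is stored in `pending` and consumed on the first `verify`, so an attacker cannot keep re-answering the same three questions; and all answers are hashed and compared even after one has failed, so response timing does not reveal which question was answered correctly.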

Access control

UAG provides comprehensive and secure access to corporate resources for employees, partners and vendors, using both managed and unmanaged PCs and mobile devices. It connects devices to the corporate infrastructure using a range of protocols, from SSL VPN to DirectAccess. UAG provides centralized management of the enterprise’s anywhere-access offering, using built-in configurations and policies. It monitors the “state of health” of the end-user devices and, using the identity of the end user and information about the application that they are trying to access, it is able to enforce granular access controls.

Windows Identity Foundation is a component of .NET that provides the infrastructure for the identity and access control products. It is a developer framework for building claims-aware applications.

Windows Server AD underpins the operation of the products by maintaining policy and identity information.

FIM

AD FS 2.0 helps collaboration across organizations. It is fully integrated with AD authentication services and can use any information held in AD for the purposes of issuing tokens. Azure’s AppFabric Access Control service enables more flexible and extensible identity federation between services to be established. AD FS federates both to other AD FS instances and to all the major third-party environments.

Administration and policy management

FIM manages identity-based policies across Windows and heterogeneous environments. It provides self-service capabilities for Office end users, administrative tools and enhanced automation for IT professionals, and .NET- and WS-*-based extensibility for developers. Administrators can enforce adherence to centralized access management policies for applications.

PRODUCT STRATEGY

Microsoft is alert to the needs of organizations, and so is providing a unified approach across resources located in the enterprise and in the cloud. It is working to make it easier for organizations to move into the cloud and to use hybrid configurations. This strategy is based on its FIM technology. FIM can already provision and synchronize on-premise directories and cloud services, and Microsoft will expand this range of capabilities and add new cloud services following the model of Azure AppFabric Access Control.

IDENTITY AND ACCESS MANAGEMENT 2011/12 190

Microsoft’s general long-term objectives are to empower business owners and information workers to be the decision makers in the identity and access field, to advance capabilities for managing identity and access for hosted IT services and hybrid scenarios, and to support compliance and the need for end-to-end identity management. Microsoft is investing heavily in standards and interoperability.

The products described in this report have replaced Microsoft’s Internet Access Gateway, Identity Lifecycle Manager, and earlier versions of products with the same names.

MARKET OPPORTUNITY

Microsoft’s integration of enterprise and web access controls is consistent with its long-established culture of embracing the Internet, and places it in a good position for developing its identity management market. It will also benefit as identity management adoption moves down into more medium-sized businesses, where Microsoft is in a strong position.

GO TO MARKET STRATEGY

Microsoft sells to all market sectors, to all types and sizes of organization, and in all geographic regions. It also uses all types of partner channel to reach its customers, and has educated, certified and trained thousands of partners in using its Identity and Access (IDA) solutions. Microsoft works mainly through value-added resellers to reach the smallest companies (those with fewer than 50 employees), while its own direct sales organization focuses on the mid-market and enterprise sectors.

FIM is most likely to be adopted by organizations with a strong process-oriented culture, with most FIM deployments in organizations of at least 500 employees.

Its primary global system integrator partners are Avanade, Accenture, HP (EDS), Wipro, Unisys, Oxford Computing, Quest, Globeteam, Securitay, and Microsoft Services.

FIM deployments require a significant services input. This is in line with other IAM projects, as integration between the business and the technology is the crucial requirement for success.

The diversity of the Microsoft Identity Management portfolio’s component parts is reflected in their different sales models:

• FIM and Forefront UAG are sold with perpetual licenses on a “per user” and “per server” basis.

• AD FS and AD Domain Services and AD CS are part of Windows Server 2008.

• CardSpace is part of Windows Client.

• AppFabric Access Control, a software-as-a-service offering that is part of Azure, is sold by transaction.

• Windows Identity Foundation is part of .NET and is available as a free download.

IMPLEMENTATION

FIM requires Windows Server 2008 on a 64-bit platform, SQL Server and .NET.

Management agents and connectors link to remote systems on Linux, Unix and mainframe platforms, and APIs are provided for communication with application databases on these platforms. Microsoft provides 19 of these agents out-of-the-box for Microsoft (such as Exchange or SQL Server) and non-Microsoft (such as Lotus, Oracle or SAP) environments, while its partners provide other connectors. These use various protocols, including LDAP. Where no other form of interconnection is possible, the connectors simply export a text file. Partners such as Identity Forge provide connectors for RACF, ACF2 and Top Secret mainframe services, which synchronize identities across platforms but do not share authentication or provide SSO.

Microsoft is adopting a services-based approach to access control for external services. FIM currently works with hosted SharePoint and hosted Exchange services, while ADFS and Live can federate to Azure. In future, private clouds with Azure, clients and Microsoft applications will be covered, as it will be able to communicate with other applications that support OATH and SAML protocols.

CHAPTER 7: MICROSOFT – MICROSOFT FOREFRONT IDENTITY MANAGER 2010 AND ASSOCIATED PRODUCTS 191

The Azure AppFabric Access Control services can link to cloud services using non-Microsoft technology such as Amazon or the Gmail identity service. ADFS can also authenticate directly to Salesforce.com and other services, but has to be configured for each service individually. Organizations wanting more general integration with external services are better advised to use AppFabric Access Control Service, as this provides many-to-many integration.

DEPLOYMENT EXAMPLES

Microsoft IT

Microsoft IT provides application development resources and technical support to Microsoft’s 90,000 employees worldwide. It promotes employee productivity and collaboration, while maintaining the highest level of information security. Microsoft IT has deployed FIM 2010 to streamline identity management, save costs, and improve user productivity.

Microsoft IT is a large organization, with 208,000 user accounts, 472,000 security and distribution groups and 2,300 distinct corporate applications. It faces increasing requirements for system interoperability and compliance complexity, as well as pressure to be more efficient. Before moving to FIM 2010, it adopted a bespoke group management application to support centralized group policy authoring and provide limited self-service for group management. However, this was costly to maintain, and did not meet the needs of users. Microsoft wanted a better solution, as well as to remove the heavy workload of handling password reset requests manually.

Microsoft IT had also deployed the company’s Identity Lifecycle Manager 2007 product from its inception, but decided to upgrade to FIM and extend its coverage to include the additional requirements it faced. It worked with the product development team for FIM 2010, specifying development priorities and enabling rigorous field testing of the product in a production environment. The joint target was to migrate 50,000 users and 75,000 groups to FIM 2010 by January 2010. During the transition process, while the old and new infrastructures were running in parallel, Microsoft IT used AD Domain Services to create separate organizational units for the two applications and to define a discrete set of permissions for each. This allowed employees to view groups in both applications, while applying changes to only one location. Employees are now able to reset their own passwords and provision their own smart cards, although Microsoft IT recognizes that it will not be able to handle all such requests automatically; for example, when an employee forgets their registered answers to the challenge-response questions.

Microsoft IT is using the extensibility of FIM 2010 to customize it to Microsoft’s unique business rules. It has suggested the following guidelines to enterprises deploying the software:

• Define business rules and requirements before beginning the upgrade.

• Determine the best approach to migrating groups: phased or simultaneous.

• Start with a pilot deployment.

• Minimize re-synchronization of the rule base between new and old systems (if applicable) by configuring rule changes ahead of the deployment.

Microsoft IT has experienced substantial savings and efficiency improvements due to the automated password reset capability, and simplified compliance reporting through the centralized policy-based management. It can now audit all identities, credentials and resources, along with business rules and events, from a centralized repository.

Scott Wilson

Scott Wilson is a global construction company that provides strategic consultancy and professional services. It is headquartered in the UK, but has 80 locations around the world and 6,000 employees. It wanted to unify its IT systems and make all of its key IT services available to employees through its intranet portal. While previously it had separate AD services for its UK and international operations, the company wanted to improve its user provisioning process.


Scott Wilson engaged the Oxford Computer Group, a Microsoft-Gold-certified partner, to handle the implementation of Microsoft FIM 2010. It started by integrating the UK human resources and finance systems, the corporate portal and the two AD systems. This allowed users to be enrolled just once, instead of three times, and provided a single and accurate view of employee identities and access rights across the business. The next phase of the project is to introduce workflows to automate routine provisioning and resource management tasks globally. Users will be able to set up accounts and reset passwords themselves, saving money and giving faster access to services. The system will be integrated with Microsoft Outlook 2010 to send an automated email message to a line manager so that they can authorize or reject provisioning requests with a single click. Scott Wilson is already benefiting from reduced help desk costs, and from reduced waiting times for employees needing access to resources.

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Tel: +1 (800) 642 7676. Email: via Microsoft Support website. www.microsoft.com

Microsoft Limited, Thames Valley Park, Reading, RG6 1WG, UK. Tel: +44 (0)844 8002400. Email: via Microsoft Support website. www.microsoft.com/uk


NOVELL:

Novell Identity Manager 4 Advanced Edition


CATALYST

Good people, effective processes and efficient performance are the core components required to achieve strong operational results. However, in isolation, they are not enough, and organizations increasingly require intelligent management systems to maintain control over who can access their systems and information resources across enterprise, virtual, and cloud-based environments. Effective identity management is the key to organizing access, and solutions such as Novell Identity Manager 4 Advanced Edition are needed to control enterprise access, reduce the risk of exposing sensitive data, and help to maintain compliance.

KEY FINDINGS

• This is an enterprise-class identity and access management (IAM) product that has the scalability and high availability required to deal with large, complex and diverse operating environments.

• Novell’s approach of bringing together IAM and compliance to provide a foundation for enterprise IT governance, risk, and compliance (GRC) is a strategy that will find favor across most industry verticals.

• The requirement for organizations to manage identity and user access across physical, virtual, and cloud environments is fully addressed by Identity Manager 4.

OVUM VIEW

The latest release of Novell Identity Manager (r4) uses identity to deliver intelligent user authentication and access control, user protection, and compliance across physical, virtual, and cloud environments. “Intelligent, cloud-ready and secure” is the message that Novell is promoting. In Ovum’s opinion the focus on delivering identity-management services that are able to operate across mixed environments is well timed, and bringing together IAM and enterprise compliance is a good strategy.

The simplification of identity management is another key message that Novell is keen to promote. It makes the valid point that some of the company’s major competitors still struggle to deliver integrated SSO, provisioning and role management because of the disconnected nature of the IAM tools that they have acquired and have to work with. By contrast, Novell Identity Manager has been built as a homegrown configuration-centric product that eliminates most external coding requirements.


CHAPTER 7: NOVELL – NOVELL IDENTITY MANAGER 4 ADVANCED EDITION 197

TECHNOLOGY AUDIT

Strengths:

• Allows organizations to be open and agile without compromising security or control.

• Integrates and automates secure access for customers, partners and employees.

• Maintains past and present visibility of people, their actions and company compliance.

Weaknesses:

• The Advanced Edition separates sophisticated operational usage from the more basic Standard Edition demands, but does allow customers the right to be selective.

Key Facts:

• An enterprise solution that supports policy-driven access control to applications from data center operations to the cloud.

Included with the product set are tools such as Novell Designer, which allows customers to connect enterprise systems and configure workflows into the live environment using a business-focused drag-and-drop interface. The drag-and-drop approach also extends to provisioning and role-mapping for third-party roles and permissions to create a consolidated roles database.

In the immediate future, the IAM sector is unlikely to get away from its perceived position of being over-complex and providing technology that organizations only deploy across areas of the business where cost and complexity overheads can be fully justified. Novell is working hard to reduce total cost, complexity, and management effort, and is succeeding on a number of levels. That notwithstanding, each new technology wave adds extra user protection requirements, and Novell’s enterprise-level product-development efforts will need to be sustained if it is to maintain its position.

Recommendations

• Organizations that are looking to protect enterprise, virtual, and cloud operations would benefit from considering Novell’s cloud and enterprise-ready IAM offering.

• Novell IAM caters for all market sectors. Its products have particular relevance to highly regulated industries such as financial services and healthcare. These are also areas where the IAM need is likely to strengthen as stronger GRC requirements are introduced.

• For company size, Novell’s market is medium-to-large enterprise (5,000 or more employees). Smaller organizations in specific highly regulated industries can also benefit, but generally the SME sector is not a target.

SOLUTION OVERVIEW

Novell Identity Manager is an established and mature IAM product set. All major product components were built in-house by Novell developers and are fully integrated to the extent that the complete solution works seamlessly alongside enterprise business systems to protect user and operational access.


[Figure 1: Novell Identity Manager – A logical view of Novell’s event-based approach to IAM. Source: Novell. The figure shows the user groups served (business managers, CISO, compliance/auditor, employees, customers/partners/contractors, developers and consultants) via a mobile webtop, portal, web services or custom front end; the key functional capabilities (credentialing, white pages/self-service/password management, business resource request, approval workflow, role-based user management/delegated administration, advanced reporting and metrics, role and policy mapping, compliance content, real-time data integrity); the major components (RBAC model, identity vault, workflow system, historical reporting warehouse, open APIs, deployment and management tools, connectors); and the connected systems (applications, directories, OS and file systems, help desk, telephone and building access, databases, cloud and SaaS).]

Identity Manager 4 Advanced Edition supports all the core elements of identity management including directory management, provisioning, role management, SSO, password management and authentication. It also provides the opportunity to integrate with complementary Novell products such as Novell Access Manager for web and enterprise access management and Novell Sentinel for SIEM, regulatory compliance, and analytical and audit-level reporting.

What differentiates Novell from most of its competitors is its event-based architecture. This differentiation carries over into the latest Identity Manager 4 release, which is based on an event-driven automated data-integration engine. This means that even in large enterprise organizations with thousands of users and distributed applications, and with constant changes that can be triggered by a single event, real-time provisioning ensures the immediate propagation of role changes throughout the organization, thereby maintaining accuracy and supporting compliance.

Many of the company’s 5,000 or so IAM customers run integrated and sophisticated business operations. They rely on Novell to tightly control who has access to their data systems, when that access is allowed, and what data usage rights that access gives. In line with the issues that Novell customers have highlighted as being important to them, the company has maintained, and in some cases added, new facilities to the Advanced Edition of its latest release. These include:

• Real-time identity synchronization and password management (also in the Standard Edition).

• Rules, roles, and workflow-based optimal provisioning.

• Integrated policy management for business rules and workflow.

• Provisioning to SaaS applications such as Google Apps and Salesforce.com (also in the Standard Edition).

• Reporting on user access at the present time (also in the Standard Edition).

• Extended reporting on historic user access using activity reports.

• A tool for integrating permissions (for various siloed applications) to enterprise roles without the need for coding.

The new Advanced Edition facilities are mainly targeted at enterprise operations where business and IT have developed identity management requirements that are sophisticated in their event-based process demands and extensive in their reporting requirements.

An example of this would be an enterprise model where access controls are linked to compliance requirements, and provisioning services are controlled by business roles and their permissions, and a constantly up-to-date directory infrastructure.

Within the Novell IAM model, administrators take responsibility for role management and mapping so that provisioning and de-provisioning services have a direct connection to business roles. This approach also helps to ensure that new starters’ access rights are added based on their role in the organization, and leavers can be accurately and completely removed based on their known access rights. Novell’s role-mapping administrator facility uses a drag-and-drop interface to map third-party roles and permissions to Novell Identity Manager. It uses this approach to create a consolidated governing roles database where policy management is made simpler through the use of pre-built hot-pluggable policy packages that are set up to meet customer and industry requirements.
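The event-driven, role-based provisioning model described in the passages above (the immediate propagation of role changes, and the complete removal of leavers based on their known access rights), as an added Python example that is not Novell's code: a role-to-entitlement map standing in for the output of the role-mapping step, and an identity vault that turns joiner, mover, leaver and drift events into the grant/revoke actions a connected system would receive. The role model, the event format and the `drift` event (a connected system reporting access granted outside the vault) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]   # (connected system, permission or group name)

# Constructed role model (assumption, not Novell data): the result of role mapping,
# i.e. business roles mapped to the third-party permissions they justify.
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "employee":        {("ad", "Domain Users"), ("mail", "mailbox")},
    "finance-analyst": {("erp", "GL_READ"), ("ad", "Finance-Share-RO")},
    "finance-manager": {("erp", "GL_POST"), ("ad", "Finance-Share-RW")},
}


@dataclass(frozen=True)
class Action:
    op: str            # "grant" or "revoke", pushed to the connected system
    system: str
    entitlement: str


@dataclass
class Identity:
    user_id: str
    roles: Set[str] = field(default_factory=set)
    entitlements: Set[Entitlement] = field(default_factory=set)   # known current access


def desired_entitlements(roles: Set[str]) -> Set[Entitlement]:
    """Access implied by a role set; a role with no mapping is a configuration error."""
    unmapped = set(roles) - ROLE_ENTITLEMENTS.keys()
    if unmapped:
        raise ValueError(f"roles without a permission mapping: {sorted(unmapped)}")
    wanted: Set[Entitlement] = set()
    for role in roles:
        wanted |= ROLE_ENTITLEMENTS[role]
    return wanted


def plan_actions(current: Set[Entitlement], wanted: Set[Entitlement]) -> List[Action]:
    """Diff known access against role-justified access. Revokes come first so a
    mover never holds old and new rights at the same time."""
    revokes = [Action("revoke", s, e) for s, e in sorted(current - wanted)]
    grants = [Action("grant", s, e) for s, e in sorted(wanted - current)]
    return revokes + grants


class IdentityVault:
    """Stand-in for the identity vault plus data-integration engine: every publisher
    change event is processed immediately and the resulting subscriber actions are
    returned and recorded as the new known state."""

    def __init__(self) -> None:
        self._identities: Dict[str, Identity] = {}

    def get(self, user_id: str) -> Identity:
        return self._identities.setdefault(user_id, Identity(user_id))

    def handle_event(self, event: dict) -> List[Action]:
        ident = self.get(event["user_id"])
        kind = event["type"]
        if kind in ("joiner", "mover"):
            ident.roles = set(event["roles"])
        elif kind == "leaver":
            ident.roles = set()              # nothing is justified any more; record is kept for history
        elif kind == "drift":
            # A connected system reported access granted outside the vault: record it as
            # known, so the replan below revokes it unless some role justifies it.
            ident.entitlements.add(tuple(event["entitlement"]))
        else:
            raise ValueError(f"unknown event type: {kind}")
        actions = plan_actions(ident.entitlements, desired_entitlements(ident.roles))
        for a in actions:                    # apply to the known state as the subscriber would
            if a.op == "grant":
                ident.entitlements.add((a.system, a.entitlement))
            else:
                ident.entitlements.discard((a.system, a.entitlement))
        return actions
```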

Reporting facilities within Identity Manager 4 have also been extended to include facilities that store a complete range of history records that can be used to provide audit-level information on current and previous usage patterns when building user-activity reports.

The overall product set provides a scalable, bi-directional, open platform, and data and event-driven solution. It enables Novell to significantly reduce the complexity of provisioning workflow and role-based access control to satisfy the complex and in-depth identity management requirements of its customers. To support cloud-level deployments, Novell Identity Manager 4 provides enterprise-class administration and scalability, as well as greater connectivity to SaaS-based applications. By ensuring that there is no single point of failure, Novell delivers a highly scalable high-availability IAM product set.


SOLUTION ANALYSIS

Authentication

Novell SecureLogin provides client-based authentication and SSO services. The technology originates from ActivIdentity, with Novell acquiring the rights to the code in 2009, which is unusual because it is the only component of the Novell Identity Manager product set that was not developed in-house. Novell does provide a number of integrated value-added facilities, including its scalable and fault-tolerant identity-vault application for storing user-authentication credentials, a strong authentication framework for certificate, smartcard, token and biometric management, and a common auditing and administration framework.

This component of the Novell Identity Management product set consists of multiple integrated security systems that provide authentication and SSO to networks and applications. It delivers a single point of entry to corporate resources, and is delivered using the organization’s chosen authentication security controls, all of which can be aligned with corporate regulatory compliance and security policy requirements. A key advantage of combining core-user authentication and SSO services comes from the ability to eliminate the need for multiple passwords.

Enterprise and web SSO

The delivery of enterprise SSO forms a core component of the Novell SecureLogin solution. Web SSO is delivered using a proxy-based approach as a component of Novell Access Manager, and provides web SSO, web access management, and identity federation facilities. It includes standard and strong authentication, authorization and personalization facilities, and can also utilize data-encryption facilities to ensure that data are properly protected. Novell Web Access Management features strong federation capabilities, which help when organizations are looking to move to cloud-based services, and also addresses a number of challenges for SharePoint users.

The product provides simplified yet secure access to resources for customers, citizens, business partners, and employees. Importantly, it also delivers native support for Microsoft AD and Oracle/Sun directory servers, which enables the product to be deployed in any standard identity management environment.


[Figure 2: Novell Identity Manager – A logical view of Novell’s event-based approach to IAM. Source: Novell. The figure shows the Identity Manager approval workflow engine and Access Manager exchanging events that trigger workflow and workflow that triggers events, backed by an active workflow repository, with remediation triggers and event collection feeding Sentinel; the Identity Manager data integration engines connect a replicated identity vault to directory, email, database, application and other systems through publisher and subscriber change events.]

Provisioning and role management

Novell prides itself on being one of the few IAM vendors to have developed its own integrated identity management solution in-house rather than via acquisition. This includes all directory services, user-provisioning, role-management, and access management components.

Novell also provides configuration-centric provisioning and role-management technology that virtually eliminates the need for additional coding. Novell Designer, an Eclipse-based product, allows business analysts to connect enterprise systems and configure workflows using a non-technical drag-and-drop interface. Completed configurations can be deployed directly into production environments. Its role-mapping administrator tool operates using the same business-focused approach for mapping third-party roles and permissions to Novell Identity Manager roles, to create a consolidated infrastructure.

Provisioning and role management is delivered using browser-based web application facilities. They provide a business-focused approach to the provisioning environment while exposing workflow-based provisioning services, delegated administration facilities and end-user self-service tasks. The facilities allow users to reset passwords, request access to systems or applications, claim and approve or deny pending actions, and navigate the company’s organizational chart. In Ovum’s opinion, the overall approach provides a simplified event-based method of provisioning and role management that reduces the complexity of provisioning workflow and role-based access control.

Password management

In the Novell IAM product set, password-management facilities are used to support the enforcement of centralized password policies, to generate and distribute new passwords, and to automate the detection of and response to password change events. Novell password management supports various types of password approaches, including traditional password and prompt facilities, challenge and response approaches, self-service password-recovery and reset services, and integration with Novell SSO facilities.

User dashboards are available to provide a web environment for user self-service. They support a workflow-based approach to requests for access to password provisioning resources and role management. Dashboards are also used to maintain user profiles and to access white pages, organizational chart information and associated password management functions.

Access control

Access controls within Novell Identity Manager reduce the risk of exposing sensitive data to unauthorized personnel by using control facilities that are intended to ensure that only authorized users are allowed access. In addition, through the provisioning of appropriate role-based entitlements to connected systems, Novell Identity Manager facilitates the consistent enforcement of these access controls throughout the environment. The product’s advanced reporting and monitoring facilities provide information about the actions of users, how their access rights are being used, and the activities they perform. Novell offers monitoring and reporting services that work with and maintain both current and historical information resources. This approach introduces the ability to take into account current and past information and provide intelligence-led reporting.

The primary roles of access control are to manage and restrict access to information systems and networks to the right people at the right time, to streamline the delivery of security and regulatory compliance efforts, and, through its automated services, to cut back on compliance-related costs. It achieves this by using operational intelligence to understand when the state of identities, and the roles and entitlements associated with them, changes in the enterprise. From this position of strength, accurate decisions can be made about who is given access to which systems, and the information provided can be extended to cover issues such as why and how critical information resources are used.

PRODUCT STRATEGY

Novell is a leading provider of security management solutions. Its IAM products are used across all market sectors, particularly in areas such as financial services, healthcare and the government sector, all of which have to maintain strong compliance commitments.


The drivers for IAM continue to be regulatory compliance and the fear of unauthorized users gaining access to an organization’s intellectual property. New and updated regulations continue to emerge and because of this, the need remains for more inclusive governing mechanisms based on identity management.

To address these ongoing needs, organizations require agile IAM systems that can quickly and efficiently respond to policy and operational changes to ensure that day-to-day operations remain properly protected under all circumstances. Novell believes that these requirements play well with its current approach to identity management, which includes its simplified policy management services and its increased focus on delivering and proving compliance.

Another important issue that Novell is proactively addressing with its latest IAM strategy is the ability to support mixed operating environments, including enterprise cloud adoption, which is beginning to move rapidly from board-level discussions to operational reality. Cloud usage constraints rightly include concerns about data controls and security. Because of this and because mixed operational strategies that include traditional servers, virtual machines and the cloud have to maintain consistent levels of security and control, Novell has taken a strong IAM position on cloud services. It has extended its enterprise policies to SaaS applications and is focusing on the delivery of highly secure cloud services. Its approach also includes increased support for hosted and MSP identity services that have the potential to deliver Novell IAM services to the SME market.

Key trading and implementation partners include:

• Global system integrators – ACS, Atos Origin, CSC, Deloitte, Harris IT, Infosys, KPMG, TATA Consulting Services, Unisys, Verizon Business and Wipro.

• Solution providers/consultants (American markets) – Beacon, Brighton Consulting, Centrinet, CGA, Compugen, Concensus Consulting, Crescent Enterprise Solutions, Eclipsecurity, EST Group, Great Northern Consulting, Hub City Media, Identity Automation, Identropy, IDMworks, Ilantus, KIS, Mycroft, Novacoast, Pivot Point Security, Simeio Solutions, Stage 7 Software Systems, Tenet, TriVir, Victrix and Vigilant.

• Solution providers/consultants (Asia Pacific markets) – Directory Concepts, Microware Limited, NCS, SecureWorx, Senetas, Tecala and Xynapse.

• Solution providers/consultants (EMEA markets) – ADVNET, Atheos, Business Connexion, B2Lateral, Cambridge Technology Partners S.A., Deron, Didas, Engineering Group, G+H Netzwerk-Design, IDFocus, IT Quality, Maintainet, NetFlex, Network Solutions, Prolink, Pulsen, Ubusha Technologies and Value Team.

Novell supports three product-licensing options: perpetual licensing, a subscription approach, and a hosted software agreement model. All include a common approach to discounting, which is tiered by volume.

Novell has a clear development roadmap in place for IAM. Four broad themes are addressed:

• Simplification, which will involve making Novell products easier to consume. The approach is supported by Novell’s intention to make its IAM products multi-tenant-friendly and therefore more attractive to managed service providers.

• Content, which will focus on providing greater out-of-the-box business relevance, particularly in the area of compliance.

• Packaging, which will include adapting Novell IAM capabilities to forms that are more suited to current and future enterprise usage.

• Supporting services, for the company’s Intelligent Workload Management strategy, which will deliver new administration and management capabilities.


IMPLEMENTATION

Organizations primarily deploy Novell Identity Manager to automate manual processes or to replace homegrown and/or failing first-generation provisioning and compliance-management solutions. The implementation resources required vary by project, but are defined by project size and core identity management and business logic issues. Under normal circumstances, the number of users does not make a significant difference other than during the migration phase, where there might be data population requirements. Overall project timescales can also vary and be reduced if undertaken using professional services from Novell Consulting or a certified partner.

Novell provides three support options:

• Standard Maintenance delivers 12-hour, five-day access to support services during the heaviest business hours. US support services are 6am to 6pm Mountain Time, EMEA support is 8am to 8pm Central European Time, and Asia Pacific support is 7am to 7pm local time.

• Priority Maintenance delivers 24/7 support with a four-hour response time, and a one-hour response time for severity one issues.

• Premium Service provides a single engineer-led point of contact for all support queries. Nominated engineers understand the customer’s technical environment and are required to respond to problems within one hour.

Novell offers a wide range of product-training services, and technical-enablement training and certification courses. For Novell Identity Manager 4 Advanced Edition, it recommends as a minimum the free technical overview and introduction course. There are also Identity Manager upgrade courses, two administration training courses and self-study kits with exam-based certification, and advanced courses aimed at systems integrators, consultants and IT engineers.

DEPLOYMENT EXAMPLES

Vodacom SA

Vodacom SA is South Africa's leading cellular telecommunications provider. It supports the communications requirements of more than 30 million customers across 40 African countries. The company's range of services covers wireless broadband, Internet services, enterprise solutions, VPN and supporting infrastructure services. Vodacom selected Novell's user-provisioning technology to provide user-lifecycle and risk-management facilities for its 30 million external users and to deliver traditional role-based provisioning and SSO start-up services for its 5,000 call-center agents. After integrating Novell's user-provisioning services with its own IT stack to provide workflow, portals, service catalogue and configuration management, the company now uses Novell to manage customer and account access to its range of business services.

GaVI

GaVI is a European provider of health management services. It employs about 500 staff and has been a Novell customer since 2006, using its identity management solutions to manage the IT infrastructure for more than 34 insurance companies. With between five and 10 million user seats in permanent use, GaVI has deployed Novell's identity management technology for company-wide use to control access to all legacy applications and to support its role management processes. Federated usage of the Novell product set also provides access to SAP, PeopleSoft, and Oracle applications, and it uses Novell Sentinel for compliance management and central reporting, and for reviewing its corporate security status.


Western & Southern

Western & Southern is a Fortune 500 company that provides life insurance, annuities, mutual funds and investment management through its member companies. The company is one of the 10 highest-rated life insurance groups in the world according to Standard & Poor's, and has assets in excess of $42 billion. As the foundation of its identity management platform, Western & Southern uses Novell Identity Manager to automatically synchronize user identity information across multiple systems including Novell eDirectory, Microsoft AD and Microsoft Exchange. Novell Access Governance Suite includes two components that help Western & Southern to meet new compliance requirements: Novell Roles Lifecycle Manager simplifies access control based on user roles; and Novell Compliance Certification Manager automates the monitoring, reporting, and remediation of access privileges.

Uvex

Uvex is a global leader in the manufacture of personal safety and protection equipment, and one of the fastest growing companies in Germany. Its subgroup, Uvex Sports, also manufactures protective equipment for skiing, cycling and motocross. Uvex uses Novell Identity Manager to synchronize identity data for approximately 1,600 user accounts across key business systems such as SAP ERP, Lotus Notes and Cisco Call Manager, along with other self-service applications. With Novell Identity Manager automatically reflecting changes across all connected systems, Uvex no longer needs to edit multiple user directories to maintain users. While simplifying and accelerating the creation and management of user accounts, Novell Identity Manager also reduces human error by eliminating the need to re-key information into multiple systems. It also increases security by immediately removing access rights to all systems for employees who leave the organization.

Interroll

Interroll is a manufacturer of motorized rollers, belt drives and conveyor modules for handling, storage and automation. The company has grown internationally, and now employs more than 1,300 people in over 30 countries. Interroll evaluated several possible solutions before choosing Novell Identity Manager. The initial implementation of Novell Identity Manager involved its integration with Novell Open Enterprise Server, Novell ZENworks and the cloud-based Microsoft BPOS and Citrix solutions. The requirement was to achieve automatic synchronization of all user directories. Using Novell, when a user account is created, edited or deactivated, the new information flows through all these systems, eliminating the need for administrators to make the same changes to each system.

Novell corporate headquarters: 404 Wyman, Suite 500, Waltham, MA 02451, USA. Tel: +1 (781) 464 8000. Fax: +1 (781) 464 8100. Email: [email protected]

Novell UK office: Novell House, 1 Arlington Square, Downshire Way, Bracknell, Berkshire, RG12 1WA, UK. Tel: +44 (0)1344 724000. Fax: +44 (0)1344 724001. Email: [email protected]

www.novell.com


ORACLE:

Oracle Identity and Access Management Suite – Release 11g


CATALYST

Oracle Identity and Access Management Suite is a comprehensive suite of products that covers all the main areas of identity management functionality, and is now one of the leading products in the sector. It comprises an integrated suite of products that can be deployed either standalone or collectively. Its position in the market builds on Oracle's strong business applications. Identity and access management (IAM) is a fundamental component for the delivery of both security and compliance, and is also important in raising the productivity of workers in large and medium-sized organizations.

• Oracle's suite of products has benefited from a series of acquisitions, including Oracle's recent acquisition of Sun Microsystems' products.

• The trend for enterprises to rationalize their IT suppliers has boosted Oracle's products in the IAM area.

KEY FINDINGS

OVUM VIEW

Oracle has a comprehensive and well-integrated suite of IAM products that offers good value for money when compared with other competitive offerings on the market. It has been enhanced by Oracle's recent acquisitions of Bharosa, Bridgestream, BEA Systems and Sun Microsystems. These have built out the core capabilities of the suite to the point where it now compares favorably with its major competitors in terms of breadth of coverage.

IAM is one of the most fundamental components of enterprise IT infrastructure. The effort required to deploy it matches the role it plays. It has to be deeply integrated with business applications and processes and with employee roles and organizational structures, and it is becoming increasingly important to closely integrate with partner systems, cloud services and customer-facing applications. Choosing an IAM suite is a decision that it is important to get right. Organizations should therefore work with one of their strategic vendors with the resources and stability to ensure continuing support. These considerations should take priority over the specific feature sets of the product. Nevertheless, Oracle provides good functionality and open interfaces for identity federation across collaborating organizations and for integrating third-party applications into its sphere of influence.


CHAPTER 7: ORACLE – ORACLE IDENTITY AND ACCESS MANAGEMENT SUITE – RELEASE 11G

TECHNOLOGY AUDIT

Strengths:

• The Oracle suite is built on industry-standard protocols and interfaces.

• Oracle has a comprehensive suite of closely integrated products.

• Oracle is advanced in both providing identities to cloud SaaS services and using identities from identity service providers.

Weaknesses:

• Oracle relies on ecosystem partners for privileged user account control (apart from its Authentication Services for Linux/Unix operating systems).

Key Facts:

• Oracle provides or supports agents to bring the most common business applications into its SSO domain.

The positioning of the identity management suite in the Oracle Fusion security middleware and its integration with Oracle's GRC strategy places it at the center of the most relevant business concerns.

Recommendations

• Enterprises that want to rationalize their IT suppliers and achieve a well-integrated core infrastructure set, and have made Oracle a strategic supplier, will find that the Oracle IAM suite provides a comprehensive and well-integrated solution for their identity and access management needs.

• Organizations that use the Sun/Waveset identity management products should migrate to the Oracle suite to preserve their existing investments and processes.

• Although usually most applicable to medium-size and large organizations, Oracle provides a useful and viable suite for organizations in the 500 to 1,000 employee range.

SOLUTION OVERVIEW

Oracle Identity Management is an integrated and open set of 14 components that can be licensed as standalone products or as part of several suites. They cover areas such as identity administration; access management for web, web services and other applications and systems, including SSO and federation with collaborating organizations; directory services; web services; entitlements management; real-time fraud prevention; multi-factor authentication; information rights management; and identity and access governance (functional areas are outlined in the Figure 1 product architecture diagram).


[Figure 1: Oracle Identity Management component functions. Source: Oracle. Layers shown in the diagram: Enterprise Apps (Oracle LOB/Fusion, ISV); Identity & Access Management Product Portfolio, with column headings Access, Identity, Audit and Risk (OAM, OAAM, OIF, OES, OIM, OIA, ODSEE, OVD, OID, OAS4OS, OWSM); Shared Services (Authentication, Authorization, Federation, Trust, Platform Security for Java, Orchestration (BPEL PM), Identity Admin, Provisioning, User Administration, Role Mgmt., Policy Mgmt., Common Audit Framework, User Interface, Deploy & Install); Core Infrastructure / Identity Services (Standards Based): Virtualization (OVD), LDAP (OID/ODSEE), XML; Persistence (Standards Based): DB, File; Technology (FMW & IdM).]

The components are built around an SOA using shared services, both within the suite and across the wider Oracle environment. For example, functions such as identity administration and password management, workflow, authentication and authorization, cryptographic services and auditing are provided as services in the suite, which is positioned as a pillar of Oracle's Fusion middleware platform and is a core component of its GRC strategy.

The foundation of an IAM system is the information repository, which is usually implemented in an enterprise directory or meta-directory system. On top of this are a range of technologies that deliver common services and functions to the suite. The core IAM products deliver enterprise-level services such as access control, user identification, audit reports of user actions relating to user provisioning and user access actions, and risk management relating to the inappropriate use of system and information resources.

The identity services can be placed in tiers relating to their position in the construction of the identity infrastructure:

• Strategy formulation – policy management and trust.

• Management of permissions – identity administration, role management and provisioning.

• Operational control – authentication, authorization and federation.

SOLUTION ANALYSIS

Authentication technology

Oracle Access Manager (OAM) provides several out-of-the-box authentication protocols, including form-based authentication, Kerberos, Windows log-in, and support for second-factor authentication such as RSA SecurID tokens, other forms of OTPs, digital certificates, and knowledge-based paradigms. It also integrates with 12 third-party stronger authentication products from vendors in Oracle's extended independent software vendor (ISV) ecosystem, such as BioKey and Daon.

A useful feature of OAM is its ability to automatically step up to two-factor authentication in situations where an internal risk assessment indicates that additional assurance is required, as defined in the organization's policy. This helps to reduce the risk of fraud through impersonation.
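The step-up behaviour described above, as an added illustration rather than Oracle code: a policy maps risk signals from the request context to a required assurance level, and a session that has only proven a password is sent for a second factor when the required level exceeds what it holds. The signals, weights, thresholds and assurance scale are constructed for the example.

```python
"""Risk-based step-up authentication: required assurance is derived from policy and context.

Added example, not Oracle code. The risk signals, weights, thresholds and
assurance levels are constructed for illustration; a real deployment takes
them from the organization's authentication policy.
"""
from dataclasses import dataclass, field

# Assurance levels a session can hold (constructed scale).
PASSWORD_ONLY = 1   # single credential, e.g. user name and password
TWO_FACTOR = 2      # password plus a second factor such as an OTP token


@dataclass
class Session:
    user: str
    assurance: int              # level already proven in this session
    known_device: bool          # device previously registered to this user
    country: str                # geolocation of the current request
    failed_logins_last_hour: int = 0


@dataclass
class Resource:
    name: str
    base_assurance: int = PASSWORD_ONLY   # floor demanded by policy for this app
    sensitive: bool = False               # e.g. payroll, admin console


@dataclass
class RiskPolicy:
    """Organization-defined mapping from request context to required assurance."""
    home_countries: set = field(default_factory=lambda: {"US", "GB"})
    max_failed_logins: int = 3
    step_up_threshold: int = 2   # total score at which a second factor is required

    def risk_signals(self, session: Session, resource: Resource) -> list:
        """Return (signal, weight) pairs that fired for this request."""
        signals = []
        if not session.known_device:
            signals.append(("unrecognized device", 1))
        if session.country not in self.home_countries:
            signals.append(("request from outside home countries", 1))
        if session.failed_logins_last_hour >= self.max_failed_logins:
            signals.append(("repeated failed logins", 2))
        if resource.sensitive:
            signals.append(("sensitive resource", 1))
        return signals

    def required_assurance(self, session: Session, resource: Resource) -> int:
        score = sum(weight for _, weight in self.risk_signals(session, resource))
        if score >= self.step_up_threshold:
            return max(resource.base_assurance, TWO_FACTOR)
        return resource.base_assurance


def access_decision(policy: RiskPolicy, session: Session, resource: Resource):
    """Decide whether the session may proceed or must first complete a second factor.

    Returns ("allow", reasons) or ("step_up", reasons); reasons lists the risk
    signals that fired, which is what an audit record of the decision should carry.
    """
    required = policy.required_assurance(session, resource)
    reasons = [name for name, _ in policy.risk_signals(session, resource)]
    if session.assurance >= required:
        return "allow", reasons
    return "step_up", reasons


if __name__ == "__main__":
    policy = RiskPolicy()
    payroll = Resource("payroll", sensitive=True)
    trusted = Session("alice", PASSWORD_ONLY, known_device=True, country="US")
    roaming = Session("alice", PASSWORD_ONLY, known_device=False, country="BR")
    for s in (trusted, roaming):
        outcome, why = access_decision(policy, s, payroll)
        print(f"{s.user} from {s.country}: {outcome} {why}")
```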

A key capability of OAM is full-featured session management, providing administrative control over user sessions.

Oracle provides pluggable authentication modules for privileged users.

Enterprise and web SSO

Oracle's Enterprise Single Sign-On Suite (ESSO) allows users to access platforms and applications across the enterprise using a single credential.

Oracle Web Services Manager (OWSM) defines and implements web services security in heterogeneous environments. It provides tools to manage web services based on service-level agreements, and supports runtime monitoring in live environments.

In common with all IAM suites, SSO is only achieved when the target systems and applications have been integrated with the IAM infrastructure. Oracle supports third-party web agents that give access to a wide range of common business web servers and applications such as Oracle WebLogic and Apache. Oracle publishes its Access SDK to cater for bespoke and more specialist applications so that application developers can create agents to link their applications to OAM.

Oracle's Enterprise SSO product includes a kiosk manager, a password-reset function, an authentication manager and a provisioning gateway.

User provisioning

Oracle Identity Manager (OIM) is the key user-provisioning and identity administration component that provides a central platform for managing identities over their lifecycle. Access permissions based on roles are assigned to identities. User and role administration is performed in a single administrative console, and these functions share Oracle's Business Process Execution Language workflow engine. This provides simplified self-service request management. The workflow can be shared across teams and supports delegated administration.


Oracle offers role mining as part of a comprehensive identity and access governance product called Oracle Identity Analytics (OIA). OIA recommends role definitions, and user admin and role admin have been combined in the same console, with a single integrated workflow to check access permission allocations. OIA audits and certifies accounts, roles and entitlements. Discrepancies can be flagged to the resource administrator or to the individual's manager. Options for handling exceptions include temporary acceptance of the status quo. A feature called Cert 360 gives a complete view of the state of compliance around a user, a resource or an entitlement, so that permissions can be reviewed at appropriate times.

OIM can provision users into SaaS cloud services using bi-directional Service Provisioning Markup Language (SPML) calls. Popular SaaS applications, including Oracle CRM on Demand, Salesforce.com and Microsoft Windows Live, are among the types of cloud applications into which OIM can integrate. Additionally, these cloud services can be incorporated into the scope of the SSO function.

Access control

Oracle applies access controls to applications and data. Oracle Access Management Suite is the key product here.

Oracle Entitlements Server (OES) allows fine-grained access control to be grafted onto an existing application. Traditionally in the IT world, application access control has been hard-coded into an application and has been very basic in its scope, often to the point of being non-existent. OES allows detailed permissions to be defined and implemented both centrally and outside the application. It is therefore possible to achieve fine-grained controls without modifying applications.
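The contrast the paragraph draws, as an added example that is not Oracle Entitlements Server code: a coarse role check compiled into the application sits beside a policy decision point that evaluates centrally administered, attribute-based rules, leaving only a thin enforcement call in the application. The rule format, attributes and invoice records are constructed for illustration.

```python
"""Hard-coded application access control beside an externalized policy decision point.

Added example, not Oracle Entitlements Server code. The rule format, the
attributes and the sample invoice records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Subject:
    user: str
    roles: set
    department: str


@dataclass
class Invoice:
    invoice_id: str
    owner_department: str
    amount: float


# 1. Traditional approach: a coarse check compiled into the application.
#    Tightening it (say, to the caller's own department) means changing and
#    redeploying the application itself.
def view_invoice_hardcoded(subject: Subject, invoice: Invoice) -> Invoice:
    if "finance" in subject.roles:
        return invoice
    raise PermissionError("finance role required")


# 2. Externalized approach: rules are defined and administered centrally and
#    evaluated by a policy decision point (PDP) outside the application code.
@dataclass
class Rule:
    action: str
    effect: str                                   # "permit" or "deny"
    condition: Callable[[Subject, Invoice], bool]
    description: str


class PolicyDecisionPoint:
    """Deny by default; any matching deny rule overrides every permit."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, subject: Subject, action: str, invoice: Invoice) -> Tuple[str, str]:
        permits = []
        for rule in self.rules:
            if rule.action != action or not rule.condition(subject, invoice):
                continue
            if rule.effect == "deny":
                return "deny", rule.description
            permits.append(rule.description)
        if permits:
            return "permit", permits[0]
        return "deny", "no applicable permit rule"


# Constructed policy: fine-grained conditions on subject and resource attributes.
INVOICE_POLICY = [
    Rule("view", "permit",
         lambda s, r: "finance" in s.roles and s.department == r.owner_department,
         "finance staff may view their own department's invoices"),
    Rule("view", "permit",
         lambda s, r: "auditor" in s.roles,
         "auditors may view any invoice"),
    Rule("approve", "permit",
         lambda s, r: "finance_manager" in s.roles and s.department == r.owner_department,
         "finance managers may approve their own department's invoices"),
    Rule("approve", "deny",
         lambda s, r: r.amount > 50_000 and "cfo" not in s.roles,
         "invoices above 50,000 need CFO approval"),
]

PDP = PolicyDecisionPoint(INVOICE_POLICY)


# Policy enforcement points: the only authorization code left in the application.
def view_invoice(subject: Subject, invoice: Invoice, pdp: PolicyDecisionPoint = PDP) -> Invoice:
    decision, why = pdp.decide(subject, "view", invoice)
    if decision != "permit":
        raise PermissionError(why)
    return invoice


def approve_invoice(subject: Subject, invoice: Invoice, pdp: PolicyDecisionPoint = PDP) -> str:
    decision, why = pdp.decide(subject, "approve", invoice)
    if decision != "permit":
        raise PermissionError(why)
    return f"{invoice.invoice_id} approved by {subject.user}"
```

Changing who may approve large invoices is a policy edit in INVOICE_POLICY, not a change to view_invoice or approve_invoice.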

FIM

Oracle Identity Federation (OIF) is a standalone product that supports identity federation. It is integrated with OAM and similar products from other vendors. It communicates with these tools using standard protocols such as SAML or Kerberos.

Oracle has two approaches for providing identity federation. The first is to deploy a lightweight component called Fedlet in the domains that wish to federate to the enterprise identity management system. The other method is to propagate identity across domains using capabilities defined in the WS-Trust standard and a variety of identity token types such as SAML assertions.

Oracle's Identity and Access Management Suite also integrates with identity provider services from third parties including salesforce.com, Google Apps and Oracle on Demand, from which it can accept identity assertions.

LDAP administration

Directory services are delivered using Oracle Internet Directory (OID), Oracle Directory Server Enterprise Edition (ODSEE), and Oracle Virtual Directory (OVD) services. OID is an LDAP directory that has the scalability, availability, and security features of an Oracle database. ODSEE is an LDAP server that integrates into heterogeneous applications and provides the LDAP directory components that underpin the IAM system. It synchronizes and manages the information stored in multiple directories across the enterprise. OVD provides a secure facility to connect applications to existing user identity stores, whether directories or databases, without modifying the infrastructure or applications.

To satisfy the audit requirements of several compliance standards, Oracle Database Vault can monitor and manage user access to databases, including the activities of privileged users. Third-party ISVs such as Cyber-Ark can integrate products into the Oracle stack and can be certified with Oracle.

Oracle provides a reporting engine as a service in the Identity and Access Management Suite. This incorporates several standard reports as well as providing an interface by which users or service providers can add customized report formats. The standard reports include identity/access reports, role-based analysis and compliance exceptions. Reports can be delivered to a separate database. The suite's user interface is available in 28 languages.


Standards and authorities

Oracle supports the following industry standards relating to identity management: SAML; SPML; WS-Federation; ID-FF; LDAP; Directory Service Markup Language (DSML); Transport Layer Security/Secure Sockets Layer (TLS/SSL); Public-Key Cryptography Standards (PKCS) #11; PKCS#12; WS-Security and associated profiles; Request for Comments (RFC) 3961 Kerberos Encryption; RFC 1510 Kerberos; RFC 1964 Kerberos Generic Security Service (GSS); XML Signature; XML Encryption; XML Canonicalization; XML Key Management Specification; RFC 2630 – CMS; RFC 2515 – PKCS#7; RFC 2634 – Secure/Multipurpose Internet Mail Extensions (S/MIME); Extended Log File Management; Java Authorization Contract for Containers (JACC); RBAC; Java Authentication and Authorization Service (JAAS)/Java Platform Security; SOAP; SOAP with attachments; Message Transmission Optimization Mechanism (MTOM); WS-Policy; WS-SecurityPolicy; WS-ReliableMessaging; WS-Addressing; WS-MetadataExchange; Advanced Encryption Standard (AES) 256 encryption; Secure Hash Algorithm (SHA) 1 signature; Java Key Store; and XACML.

PRODUCT STRATEGY

Oracle released its first product in this area, OID, in 1999. It has steadily expanded its portfolio since then through organic development and through the acquisition of specialist vendors. Its recent acquisition of Sun Microsystems brought it one of the major competing identity management suites, significantly strengthening its position in the sector. Before this, two important acquisitions were Bridgestream in 2007, which provided role-management capabilities, and Bharosa, which delivered adaptive access facilities. In 2005, Oracle acquired the following companies: Thor Technologies, for its enterprise-wide user-provisioning capabilities; Oblix, with its range of functions, including SSO for third-party applications; and OctetString, with its virtual directory technology that enabled Oracle to work with third-party directories. While these acquisitions were specialist vendors, the Sun Microsystems acquisition resulted in substantial duplication of similar products.

One of Oracle's tasks moving forward is to rationalize and merge the two product lines. Sun Identity Manager is now called Oracle Waveset. The convergence process will result in some strategic components from Sun's products being added to Oracle's suite as Sun's users are gradually eased over to the Oracle products. OIM will be enhanced to provide usability, and operational and other developer-friendly features that will make it more familiar to Oracle Waveset users. The integration will also drive innovation in areas such as risk-based provisioning. Oracle plans to offer migration tools for all Sun Identity Manager products later in 2010. Sun users are now offered equivalent Oracle products free of charge. They will be allowed to run both products in parallel, so that they can migrate at their own pace.

Oracle regards the Open SSO Fedlet (now known as Oracle Open SSO Fedlet) and the Secure Token Service (Oracle Open STS) as strategic components that it has added to the Oracle Identity and Access Management Suite. It also plans to continue to invest in the Open SSO product.

Oracle has also used the Sun Role Manager (formerly from Vaau) as the foundation for OIA, while the Sun Directory Server Enterprise Edition has been combined with OID and OVD to deliver a new product called Oracle Directory Services Plus.

With the recent 11gR1 release, Oracle has delivered on:

• Service-oriented security, developing standards-based security services for applications to use.

• Suite-wide integration and standardization.

• Continued alignment of products with evolving standards from industry bodies such as Kantara, OASIS and the Cloud Security Alliance.

• A unified security administration console.

• Suite integration from installation, configuration and policy models, with shared functional components and platform certifications.

• Integrated end-to-end functionality to allow customers to manage user sessions, authentication, federation, authorization, security token services, web services and risk analysis/fraud prevention.


Two types of migration tools from Sun Open SSO will be added to OAM. The first is a set of policy-migration utilities, and the second is an agent-compatibility framework that allows Open SSO agents to communicate and interoperate with the OAM policy server.

Oracle also plans to offer migration tools for Sun Identity Manager to OIM. The first part of this tooling is to adopt the Identity Connector Framework (part of SIM) as a strategic framework within OIM, thereby enabling enterprises to leverage a common framework for integration with target applications across both provisioning engines. Secondary tooling for migrating data objects, core schema, audit data and workflow will also be made available.

Oracle goes to market with a direct sales force, and through resellers and other channel and alliance partners. It has its own sales team in most geographic regions. These include vertical market specialists and security specialists with a horizontal focus across all industry sectors. It also has dedicated security experts in its teams dealing with public sector, healthcare, and higher education. Oracle's major delivery partners are PricewaterhouseCoopers, Deloitte, Accenture and Wipro, and it has regional partnerships with SENA Systems, TrewPort, Beacon, Integral and others. Oracle Consulting Services can provide professional support to customers, and Oracle offers training programs through self-study, online study, and instructor-led classes.

Oracle's identity management products are used by organizations of all sizes. However, most of the deployments are at medium or large organizations. Oracle uses channel partners to deliver the products to smaller customers.

Oracle offers both perpetual and term licenses for its products. Charges are calculated on a per-employee user, per-non-employee user or per-processor basis. Oracle publishes a price list on its website.

IMPLEMENTATION

A deployment project for a major IAM suite requires significant resources over a period of months or even years, and projects are usually rolled out incrementally. A project is intimately related to business process changes, and can deliver substantial business benefits. It is therefore essential to receive buy-in from business managers and to include a business analyst in the deployment team. Experienced consultants are also a valuable resource. Oracle Consulting and several of its system-integrator partners such as PricewaterhouseCoopers, Deloitte, HP-EDS, Accenture, Wipro and SENA Systems can provide professional support.

An incremental approach can be segmented according to business groups, applications and platforms, and facilities, or to the products in the IAM suite. Oracle has traditionally mainly sold individual IAM products, but market demand is now shifting toward complete suites. This is partly due to organizations rationalizing their IT suppliers and favoring comprehensive suites of products over best-of-breed point solutions, and partly due to a growing realization that the business benefits of a comprehensive approach are greater than the sum of the benefits of the parts, particularly with respect to delivering regulatory compliance.

The majority of Oracle's identity management customers deploy the products on-premise, but Oracle is providing technology for managed identity services offered by HP-EDS, Wipro, Oracle on Demand and BT. Users can deploy Oracle IAM products on-premise or use one of these service providers for a managed on-premise, dedicated hosted, or SaaS solution.

The suite runs on Microsoft Windows, Linux, Solaris, AIX, HP/UX, z/OS and Mac OS platforms. It also requires a database on which it can be deployed, and this is not included in the license. However, most customers have an existing database license that they can use for this purpose.


DEPLOYMENT EXAMPLES

Pharmaceutical company

The pharmaceutical industry operates in a challenging environment where it has to balance the needs of information security and information sharing. It is subject to many regulations, including the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and Code of Federal Regulations (CFR) Part 11. At the same time, effective and speedy collaboration, both across the company and with external partners, is essential for commercial success. This company's strategy is to treat authentication as an infrastructure service that each application can use, using OAM and OVD to build a unified and centralized portal for both internal and external access. This portal offers users a choice of credential for authentication and ensures that the level of authentication is appropriate to the level of risk associated with the application. Some of its applications are web-based. It was also able to offer its employees web-based access to corporate applications through its portal. The SSO capability has significantly enhanced user productivity and security, by eliminating a plethora of user IDs and passwords. Oracle's Virtual Directory provides LDAP and XML views of enterprise information without moving it from its native locations. It also acts as an intermediary between clients and services that enhances the security of application connections. It now has 300 applications using its common authentication services.

Government ministry of defense

This organization oversees all of the country's military and civilian defense personnel. It needed to consolidate all of its classified data in a secure and scalable electronic platform. It uses Oracle Identity Management to provide 100 senior users with secure and seamless access to the information that they are entitled to access. Their access rights depend on their job function and their security clearance level. It is important that the identity management product is interoperable with third-party products and open standards. OVD is used to integrate user identity information from the ministry and armed forces' ADs. OAM controls and tracks access to confidential documents based on user roles.

Government agricultural authority

This organization administers the distribution of state funds within the agricultural sector, and monitors the use of these funds. Its services are used by 50,000 users from diverse groups such as farmers, agricultural businesses, other industrial players and local officials. It has to ensure stable access to services by all of these groups, provide a seamless integration between its own electronic services and the government portal that gives access to services such as business and population registers, and develop services for data capture, processing and monitoring. It deployed OIF and OAM to provide convenient and efficient access to the required services. It has outsourced the maintenance and operation of the systems.

Oracle Corp: 500 Oracle Parkway, Redwood Shores, CA 94065, USA. Tel: +1 (650) 506 7000. Fax: +1 (408) 720 3725. Email: [email protected]

Oracle UK: Oracle Parkway, Thames Valley Park, Reading, RG6 1RA, UK. Tel: +44 (0)118 9240000. Fax: +44 (0)118 9243000. Email: [email protected]

www.oracle.com


RSA (THE SECURITY DIVISION OF EMC):

RSA Identity & Access Management


CATALYST

Across all sectors of business there is a need to accurately control who has access to operational systems. It is a vital element of any security management strategy. Good quality identity and access management (IAM) is necessary to reduce business risk, minimize exposure to fraud, identify inappropriate systems use and support the unimpaired use of business systems. The effective use of IAM breeds trust and confidence in an organization's business processes. It allows trusted users to interact with systems and access information securely and selectively. It can also help to control operational costs through increases in operational efficiency. These are all issues that RSA addresses with its extensive range of IAM-based identity assurance products.

• RSA provides enterprise-class identity assurance products that address the risk and compliance issues arising in highly regulated sectors such as finance, healthcare, telecoms and government.

• The company's broad range of authentication services addresses all levels of secure access, based on risk. Its range of authentication methods covers appliance, hosted (SaaS), and on-premise operations.

• RSA delivers an enterprise suite of identity assurance products that can also address the IAM requirements of SME clients.

KEY FINDINGS

OVUM VIEW

RSA provides an extensive range of IAM-based identity assurance products and services, which collectively, as well as individually, can be deployed to protect the operational systems and intellectual property of public and private sector organizations and their users. The company's identity assurance products have been designed to minimize the risks associated with inappropriate and unauthorized systems and account usage, and its services have been extended to address fraudulent activity, accidental data leakage, and information and event monitoring.

The main components of the RSA IAM solution have the capability to deal with business-specific identity assurance issues. This is achieved by combining the essential elements of credential management, authentication and contextual authorization with an integrated intelligence layer that actively addresses access control, activity monitoring, information sharing and a growing range of management alerting and reporting requirements.


CHAPTER 7: RSA (THE SECURITY DIVISION OF EMC) – RSA IDENTITY & ACCESS MANAGEMENT

TECHNOLOGY AUDIT

Strengths:

• Provides best-of-breed identity assurance and access control products.

• Strong multi-factor authentication includes the use of hardware and software tokens.

• Federation facilities allow organizations to securely share and exchange user identities.

Weaknesses:

• Does not provide homegrown user provisioning facilities.

Key Facts:

• Integrates with the main directories from Microsoft, Oracle and Novell.

• Partners with Courion to provide best-of-breed user provisioning facilities.

RSA recognizes that the user and information protection needs of many organizations may start with the basic requirement to identify and control the access rights of systems users. However, it is also acutely aware that IAM is just part of a security management strategy that organizations will need to have in place to fulfill their compliance and intellectual property protection requirements.

Building out from the core components of identity management, content-aware IAM needs to have the ability to work alongside and integrate its services with other core protection and security management technology, including DLP, encryption and key management, and SIEM products.

Its competitors would probably argue that RSA already owns these additional security management products, which overinflates its judgment of their worth. However, the counterargument is easier to make. Most enterprise organizations need to control access to their core information systems, protect the data that those systems hold and, at the same time, prove to auditors and compliance assessors that these objectives have been achieved. RSA has consistently held a market-leading position in the core identity management areas of strong authentication, user authorization and access control. Ovum recognizes that its content-aware approach now extends its relevance into information protection and security management.

Recommendations

• RSA technology is suitable for any organization that needs to authenticate users, and verify and monitor intellectual property use across its operations and, where appropriate, across the extended enterprise.

• Vertical markets including financial services, government, healthcare and telecoms represent just some of RSA’s areas of success.

• The technology supports the security management initiatives of organizations, from very large international groups through to smaller enterprise operations. Its adaptive authentication and transaction monitoring services are used by large enterprises operating in markets such as financial services to secure online transactions. At the same time, its range of SecurID products is also of value to businesses of all sizes.

• Organizations select RSA identity assurance products to support their regulatory compliance initiatives, to help prevent fraudulent activity, and to increase customer confidence when using online services.

SOLUTION OVERVIEW

RSA provides an integrated set of products that simplify and improve the administration and management of user identities and access control. Its IAM product suite encompasses the key components of identity management, including multi-factor and contextual authentication. It supports the delivery of enterprise-strength access control and extends its services to the provision of federated identity services, DLP, fraud detection and SIEM.

Its product set comprises integrated technology that extends user authentication from its foundation as a source of basic identity management to one where continuous control and monitoring of identity, authentication, access and usage is a fundamental business service.

Within the RSA approach to operational security management, identity assurance is the key to its service delivery methodology. It brings together an integrated platform of facilities and services that can be used to help organizations minimize the business risks associated with identity impersonation and inappropriate account usage. The approach allows trusted identities to freely and securely interact with and across systems and networks, and provides controlled access to protected information. The key business and technology deliverables are:

• Credential management – this provides a full lifecycle management and policy administration environment for credentials that are used in the identity verification and assurance processes.

• Authentication – this assures identities to a system, resource or transaction, and is based on the risk involved. Delivery can involve a choice of appliance, hosted (SaaS) or on-premise software. The methods offered include form factors ranging from hardware tokens to software tokens.

• Contextual authorization – this enforces access based on a specific risk and business context according to the policy requirements of each organization.

IDENTITY AND ACCESS MANAGEMENT 2011/12 218

Collectively, this intelligence-based technology approach is used to protect the integrity of identity-based controls through the monitoring of credentials and activities that allow authorized parties to access information systems for specific designated purposes.

The key IAM products that RSA uses to deliver these services are:

• RSA Access Manager.

• RSA Identity Protection and Verification.

• RSA Federated Identity Manager.

• RSA SecurID.

• RSA Adaptive Authentication.

Provisioning and role management services are provided through the company’s close partner relationship with Courion. RSA has chosen to maintain this partnership approach to the delivery of core IAM services, as it believes that provisioning is a component of IAM that is best dealt with by a specialist.


Figure 1: The business and technology deliverables of the RSA approach to IAM (Source: RSA). The figure shows four layers and the facilities grouped under each: Credential Management (ID policy and credentials lifecycle: define ID policy, verify identity, lifecycle management); Authentication (user authentication and choice of credentials: KBA and shared secrets, device identification, one-time passwords); Contextual Authorization (access control and set-up authentication: access management, and federation between "My Company" and several partner companies); and Intelligence (ID and activity monitoring, information sharing and alerting).

SOLUTION ANALYSIS

Authentication

RSA provides a wide range of business and user authentication services. Its SecurID product set delivers strong two-factor authentication facilities that are provided using both hardware and software tokens. Its digital certificate services can be used to maintain a secure environment for authenticated, private and legally binding electronic communications. The company’s e-commerce products provide a secure framework for building cardholder protection and fraud management using a wide range of authentication and card security services. Its Identity Protection and Verification product set adds knowledge-based authentication to provide real-time confirmation of customer identities.

The universal requirement is to verify all authentication requests and, through RSA Authentication Manager, maintain, control and deliver a centrally administered set of policy- and rule-based network authentication services. RSA provides high performance and scalability across the product set, and interoperates with a wide-ranging set of network, remote access, VPN, Internet, wireless and application solutions.

Adaptive authentication

RSA Adaptive Authentication extends the role of the company’s business and user authentication portfolio to the web environment. Its Adaptive Authentication products are based on a risk-based authentication platform that has been developed to provide strong protection for web and voice communication channels.

Alongside the growing need to provide employees, customers, business partners, suppliers, contractors and a whole host of other regular and ad hoc users with online access, organizations need to ensure that this is done in a secure and cost-effective manner. Therefore, the product’s functional role is to deliver an effective balance between secure authentication, a good quality user experience and cost-efficient controls.

Adaptive Authentication monitors user activity and its controls are driven by each organization’s specified acceptable risk levels, policy and user segmentation requirements. It supports a wide range of authentication approaches including invisible authentication (device identification and profiling); site-to-user authentication (website assurance using pre-selected personal security images); out-of-band authentication (phone, SMS or email with security challenges); and OTPs (supported by hardware and software tokens).
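The mechanics behind that description are easier to see in code. The following is an added example written for this edit, not RSA's own code: RSA's actual scoring model and thresholds are proprietary and not described here. It shows how a risk engine can turn the signals the paragraph lists (device recognition, location change, denylisted source, recent failures, transaction value) into a score, apply per-segment policy thresholds, and choose between invisible authentication, a step-up challenge (out-of-band, OTP token or knowledge-based questions, in that order of preference) and refusal. The names `LoginContext`, `risk_score`, `POLICY`, `decide` and `site_to_user_image_allowed`, the weights and the thresholds are all assumptions chosen for illustration. It also encodes one caveat that matters for site-to-user authentication: the personal security image should only be displayed to a device already associated with the user, otherwise a phishing site can harvest images by replaying usernames.

```python
"""Risk-based (adaptive) authentication decision. Illustrative example; weights,
thresholds and names are assumptions, not RSA's model."""
from dataclasses import dataclass


@dataclass
class LoginContext:
    user_id: str
    segment: str            # policy group, e.g. "retail" or "corporate" (assumed names)
    device_known: bool      # device fingerprint previously seen for this user
    country: str
    usual_country: str
    ip_on_denylist: bool
    failed_logins_24h: int
    phone_enrolled: bool    # an out-of-band channel (phone/SMS) is registered
    token_enrolled: bool    # an OTP token (hardware or software) is registered
    transaction_amount: float = 0.0


def risk_score(ctx: LoginContext) -> int:
    """Combine signals into a 0..100 score. Weights are illustrative assumptions."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.country != ctx.usual_country:
        score += 25
    if ctx.ip_on_denylist:
        score += 50
    score += min(ctx.failed_logins_24h, 3) * 10
    if ctx.transaction_amount >= 1000:
        score += 20
    return min(score, 100)


# Per-segment thresholds (assumption): below "step_up" allow silently,
# below "deny" require a challenge, otherwise refuse the request.
POLICY = {
    "retail":    {"step_up": 30, "deny": 80},
    "corporate": {"step_up": 20, "deny": 70},
}


def site_to_user_image_allowed(ctx: LoginContext) -> bool:
    """Reveal the user's personal security image only on a recognised device.
    An unknown device must answer a challenge first; otherwise a phishing site
    could replay a username and collect the image it is meant to imitate."""
    return ctx.device_known


def decide(ctx: LoginContext) -> dict:
    """Return the action for this login and, for a challenge, the method to use."""
    score = risk_score(ctx)
    policy = POLICY[ctx.segment]
    if score >= policy["deny"]:
        return {"action": "deny", "score": score, "method": None}
    if score < policy["step_up"]:
        # Invisible authentication: the device fingerprint alone is enough.
        return {"action": "allow", "score": score, "method": "invisible"}
    # Step-up: prefer an out-of-band challenge, then an OTP token, and fall back
    # to knowledge-based questions only when nothing stronger is enrolled.
    if ctx.phone_enrolled:
        method = "out_of_band"
    elif ctx.token_enrolled:
        method = "otp"
    else:
        method = "kba"
    return {"action": "challenge", "score": score, "method": method}


if __name__ == "__main__":
    # Constructed sample: a known user paying a large amount from a new device abroad.
    ctx = LoginContext("u42", "retail", False, "US", "GB", False, 0, True, True, 2500.0)
    print(decide(ctx))
```

The fall-through order in `decide` is the design point: knowledge-based answers are the weakest of the three step-up methods listed on this page, so they are used only when neither an out-of-band channel nor a token has been enrolled for the user.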

Access control

There are four key areas of operational responsibility that fall within RSA Access Manager’s remit:

• Managing risk – by ensuring secure access to web applications within intranets, extranets, portals and all user- and customer-facing applications. Access Manager provides a core security-management infrastructure that protects the assets of a business by making it difficult for unauthorized users to access corporate systems. It also provides audit-level reporting facilities that can be used to identify and control unacceptable insider usage and systems abuses.

• Ensuring compliance – user-access controls, policy-management facilities and enforcement services are used to support each organization’s specific compliance requirements. The product’s enforcement and reporting services help IT and C-level business managers to measure the organization’s compliance levels with current internal and external security policies. The product also provides automated reporting that identifies all end-user system and application activity.

• Cost reduction – is achieved by making efficient use of the product’s centralized facilities for the management of user identities and privileges. These services are supported across multiple applications, domains and geographies. The central management approach reduces the overheads of managing fragmented identity systems. It also makes use of SSO facilities, which, through single-source user efficiencies and well-documented self-service help-desk savings, bring further potential cost reductions.

• Improved end-user experience – is provided through the product’s SSO capabilities. SSO allows multiple applications to be protected by a single access instance. This equates to one secure password having the ability to safeguard access to multiple applications, which, in the right environment, removes the need for users to maintain multiple credentials. The same consolidation makes that one credential a high-value target, which is why SSO is normally paired with the strong authentication described above.

Federated Identity Manager (FIM)

RSA Federated Identity Manager provides facilities that allow organizations to securely share and exchange user identities with internal business units, customers and, on a business-to-business (B2B) level, with third-party business partners. The product is standards-based and has been developed to work with mainstream industry and web services standards, including XML, SOAP and SAML 2.0.


In today’s interactive business environments, closer partner interaction involving shared information assets is necessary to maintain a competitive edge. To do this safely, there is a need to maintain and manage trusted user identities for a company’s own employees and authorized third parties. RSA Federated Identity Manager maintains strong levels of control by ensuring the security of authorized users and their transactions. Within the RSA solution, a federated identity is a single controlled entity that each user is able to use across internal and external areas of the business and partner websites, with all of these elements being bound by the ties of federation.

Extended security management facilities

RSA has considered the wider business requirements for security management and the range of protection services that have direct associations with controlling user access and the information resources that become available once authorized access has been granted. The company’s identity assurance approach includes the availability of information monitoring and data protection services, and includes its SIEM, DLP and data encryption products.

RSA DLP provides a best-practice approach to data protection. It includes facilities that enable IT and business managers to understand which data are most sensitive to their operational activities, where they reside, who should be allowed access, and the controls, policies and data encryption rules that are necessary to provide the required levels of protection and fulfill audit and compliance demands.

RSA SIEM provides activity logs that address the need-to-know elements of identity management, access control, and data protection. Organizations need to be able to prove how effective their user controls and information access strategies are. Regulatory compliance often requires this information, and auditors may well demand it. Through its enVision platform, RSA provides a scalable and relevant collection of data analysis, alerting, reporting and data storage services.

PRODUCT STRATEGY

RSA has an open-market approach to the marketing of its identity assurance products. Its identity-driven solutions are relevant to any organization that needs to verify and securely authenticate users while protecting and controlling access to its intellectual property.

Over 30,000 customers use the company’s range of security products, around 25,000 of which are users of some or all of the components of its IAM suite. RSA IAM customers include Accor, Alliance & Leicester, AMD, Credit Suisse, Flybe, Hershey Foods, Kronos and Staffordshire Police.

MARKET OPPORTUNITY

RSA IAM systems are implemented across a wide range of industry sectors including financial, legal, automotive, consumer and retail, e-commerce, education, energy, government, healthcare, manufacturing, real estate, technology and transportation. In addition to its vertical coverage, the company addresses horizontal markets with cross-industry solutions such as regulatory compliance, consumer identity protection, portal and partner integration, mobile workforce security and digital rights management. The company’s customers come from every part of the business landscape, and at the upper end of the scale, the vast majority of the Fortune 100 uses its services.

RSA’s identity assurance products deliver a prompt ROI, providing a quick-win approach to most IAM projects. Its most significant market opportunities are provided by the following business and market drivers:

• Supporting compliance initiatives through the use of its systems and technologies, so that businesses are able to fulfill their various regulatory compliance commitments.

• Securely enabling workforce mobility and enhancing productivity by supporting the needs of mobile and remote workers (employees, contractors and virtual teams) and their flexible working requirements.

• Preventing fraud and accidental data loss by controlling channel access to information systems and managing the information available to authorized users. This includes securing access to sensitive information across enterprise systems and networks. Its web portal approach has been designed to improve operational efficiency and enable controlled information sharing and self-service capabilities.


GO TO MARKET STRATEGY

RSA operates using a wide range of sales channels, which it targets to support specific customer needs. These include direct sales, the use of distribution partners, systems integrators, managed service providers and value-added resellers. Key business partners include EDS, Deloitte, CSC, AT&T, Wipro and Tata (TCS). Its listed technology partners include BEA Systems, Cisco, Citrix Systems, Juniper Networks, Microsoft and McAfee. In total, RSA has more than 1,000 certified technology partnerships.

While RSA believes that it has no single competitor because of the range and breadth of its own solutions, it mainly competes on end-to-end IAM projects with the large multi-platform vendors such as IBM, Oracle, Novell and CA, and its information protection products compete directly with Symantec, McAfee, Websense and CA.

The majority of RSA products are priced on a per-user or per-transaction basis. RSA offers perpetual and subscription licensing models, and, in addition, annual maintenance contracts are available.

IMPLEMENTATION

Each product within the RSA identity assurance portfolio can be deployed in its own right, or as a fully integrated component of the overall RSA IAM offering, and each product integrates with the main directories from Microsoft, Oracle and Novell.

The company’s time-to-implementation averages are typically set at between two and eight weeks. However, RSA project timescales can range from minutes for a simple deployment of the RSA SecurID Appliance, through to much longer timescales for the use of multiple product combinations across complex deployment environments, where projects of over six months are not uncommon.

While RSA can provide the skills required to implement its technology solutions, it also works with a number of global and regional systems integrators. The technical skills needed to undertake a full deployment of RSA IAM technology include core domain expertise in the areas of networking, operating systems administration, directory infrastructures, web architecture, and key development languages and protocols such as .NET, C, C++, C#, Java, hypertext markup language (HTML), HTTP, SAML, XACML, XML and web services.

RSA uses a standard plan, design and implementation approach to its deployment methodology, and each of the respective stages can be broken down into discrete, modular components. Quite reasonably (given the potential for complexity in IAM projects), RSA recommends that its solutions are deployed in definable phases; for example, by technology, or within integrated business units.

Ongoing administration for on-premise solutions is seen as an end-user responsibility; for customers that prefer not to carry that responsibility, RSA is able to provide several supporting facilities and components using a SaaS approach. RSA educational services provide user training facilities in the form of a broad set of courses, which range from instructor-led engagements to online self-service options. The company has training centers at its regional headquarters in the US, Europe and Singapore, and also has a network of authorized training partners, each with RSA-security-certified instructors.

Ongoing technical support is provided by RSA, using a three-tier customer support approach:

• Basic support – a value-based option that is intended to meet the needs of non-mission-critical environments on a business hours basis.

• Enhanced support – a comprehensive 24/7 support option that provides round-the-clock remote support and access to RSA’s global network of support centers.

• Personalized support – a personalized support approach that can be tailored to complement RSA service contracts with open access to technical experts on a 24/7 basis.


DEPLOYMENT EXAMPLES

Advanced Micro Devices

Advanced Micro Devices (AMD) is a California-based company that designs and produces microprocessors, graphics and media solutions. AMD needed to securely authenticate its network of external users at a higher level than username and password would allow, while retaining user convenience. It wanted to deploy strong authentication that would eliminate the logistical overheads of hardware tokens, but still offer high security standards. AMD selected RSA and has rolled out its integrated Access Manager and Adaptive Authentication solution for SSO to web applications, with authentication requirements being based on risk analysis. RSA site-to-user authentication provides a personal security image and caption that gives users the confidence that they are entering a legitimate AMD website. Benefits that have been achieved include a 33% reduction in the time taken to arrange secure web access for new clients, improved convenience and productivity, and reduced compliance-audit overheads.

UK local authority

Secure communication with central government was vital to this local authority’s operations. For example, it needed to regularly send information on benefit claimants to the Department for Work and Pensions and ensure that the correct levels of funding were received back. To have access to Government Connect, all local authorities are required to achieve Code of Connection (CoCo) compliance. This requires two-factor authentication as a basic standard for remote access. The authority deployed RSA SecurID to deliver two-factor authentication based on something each user knows (a password or PIN) and something the user has (a hardware token). The benefits achieved included CoCo authentication compliance, quick adoption and take-up by end users of RSA SecurID, and associated long-term cost savings.

RSA, the security division of EMC
EMC corporate office
176 South St.
Hopkinton, MA 01748
USA

RSA UK Ltd.
RSA House, Western Road
Bracknell, Berkshire
RG12 1RT
UK
Tel: +44 (0)1344 781000
Fax: +44 (0)1344 781001
Email: [email protected]

RSA Corporate Headquarters
174 Middlesex Turnpike
Bedford, MA 01730
USA
Tel: +1 (781) 515 5000
Fax: +1 (781) 515 5010

www.rsa.com


Technology Evaluation and Comparison Report (Butler Group, incorporating Ovum; WWW.OVUM.COM)

CHAPTER 8: Vendor profiles

ActivIdentity

Company profile

ActivIdentity Corporation (ActivIdentity) is a provider of identity assurance and credential management solutions for the enterprise, government, healthcare, and financial services markets. ActivIdentity was formed in 2005, when ActivCard took a new name following its acquisition of Protocom earlier that year. Both organizations were established vendors in the IAM market, with highly complementary portfolios: ActivCard’s main focus within the market was authentication, secure remote access, and smartcard management systems; Protocom’s was Enterprise Single Sign-On (ESSO).

ActivIdentity is headquartered in Fremont, California, and has development centers in the United States, Australia, and France, with sales and service centers in more than ten countries. Overall, ActivIdentity has over 4,000 customers, with more than 15 million users of its solutions. Over 60 large financial institutions are direct users of solutions based on 4TRESS Authentication Server (4TRESS AS). ActivIdentity recently acquired CoreStreet Ltd., and this acquisition brings CoreStreet’s Public Key Infrastructure (PKI) technology, distributed identity credential validation system, and physical access control products into ActivIdentity’s already strong authentication and credential management portfolio.

Product description

ActivIdentity’s offering consists of four product lines that form the foundation of a multi-layered security approach:

Strong Authentication: This suite of products ensures that all end-user access routes, including remote access, browser-based and network-based access, are controlled securely. The product suite includes two authentication platforms:

• 4TRESS Authentication Server (4TRESS AS) is an enterprise-strength, standards-based server that allows organizations to manage authentication, transaction authorization, credential management, and associated audit logging. 4TRESS AS enables authentication services to be shared between applications, so that organizations can use second-factor authentication as flexibly and efficiently as SSO has enabled password-based access: users are not asked repeatedly for different credentials, beyond having their access rights checked against the credentials they have already presented. Additionally, it provides administration and management facilities to aid organizations in supporting users’ needs for multi-factor credentials, as well as managing authorization policies and providing tamper-evident audit log services for all functions undertaken within the solution. 4TRESS AS is configurable to support multiple concurrent authentication policies, for passwords, One Time Password (OTP) devices such as tokens, memorable data, and other schemes. It allows organizations to consolidate access mechanisms to a single mechanism for strong user authentication (e.g. OTP tokens), and for this credential to be recognized regardless of which product line, or service channel, the user wishes to access. 4TRESS AS also supports segregated administration. Transaction authorization is another major feature set within 4TRESS AS, as is the built-in Remote Authentication Dial-In User Service (RADIUS) authentication support.

• 4TRESS AAA Server for Remote Access – supports the remote access needs of organizations by ensuring that all user access is secured using text-based One-Time Passwords (OTPs).

Credential Management: Through its ActivID product suite, ActivIdentity enables organizations to replace traditional user names and passwords with digital certificates by deploying and managing smart cards and USB tokens containing a variety of credentials. The product suite consists of the ActivIdentity ActivID Card Management System, which issues and manages digital credentials on devices, as well as two add-on modules, ActivIdentity ActivID Batch Management System and ActivIdentity ActivID Identity Registration System, which extend the basic ActivIdentity ActivID Card Management System capabilities to personalize and encode smart cards and to comply with the more advanced PIV standards.

CHAPTER 8: VENDOR PROFILES 227

Security Clients: This product line enhances the aforementioned ActivIdentity product lines by enabling smart card and USB token usage across a variety of desktops, networks and applications, along with providing users with SSO capabilities. The products in this line include ActivIdentity ActivClient, which secures workstations with smart cards and smart USB tokens; ActivIdentity ActivClient for Common Access Card, specifically for the U.S. Department of Defense; ActivIdentity SecureLogin, for SSO capabilities; and ActivIdentity Authentication Client, to handle additional authentication needs.

Authentication Devices: This product line allows organizations to deploy a variety of additional authentication mechanisms in order to satisfy their individual access management needs. The range of options includes smart cards, smart card readers, smart USB tokens, OTP tokens, DisplayCard tokens, soft tokens and Hardware Security Modules.

ActivIdentity, Inc.
6623 Dumbarton Circle
Fremont, CA 94555
USA
Tel: +1 (800) 529 9499 (Toll-Free)
Tel: +1 (510) 574 0100 (Main)
Fax: +1 (510) 574 0101

ActivIdentity (UK) Ltd.
Waterloo Business Centre
117 Waterloo Road
London, SE1 8UL
UK
Tel: +44 (0)20 7960 0220
Fax: +44 (0)20 7902 1985

www.actividentity.com

Aladdin (SafeNet)

Company profile

Aladdin moved into the IT security business after starting out in the DRM space manufacturing HASP copy-protection dongles. In 1998 it acquired eSafe and its content-security product, in addition to developing its first USB smartcard authentication eToken offering. The company’s most recent product addition is the 2008 acquisition of the SafeWord product set from Secure Computing, before the latter was taken over by McAfee. Aladdin operates in the Americas, Europe, Middle East, Africa and Asia Pacific. It is headquartered in Belcamp, Maryland and employs around 1,600 people.

In March 2009 Aladdin was acquired by SafeNet’s private equity owner Vector Capital. SafeNet and Aladdin have operated under common management since that time. On March 31, 2010, SafeNet acquired the Vector Capital interest in Aladdin, thereby completing the legal combination of the two security companies. Hence the contact details provided for Aladdin are those of SafeNet. SafeNet is a security company that provides information security solutions such as data protection, software licensing and management and industry solutions, professional services around rights management, SafeNet HSM implementation and web threat analyzer (WTA) audit services.

Product description

SafeWord is focused on providing strong authentication, primarily OTP tokens, that integrates with directories and VPN access platforms. Its ID&AM platform also includes SSO functionality. The solution deals with the three core elements of authentication, management, and user access.

The SafeWord product set can provide a variety of authentication options that can be linked to the specific nature and needs of an organization’s user base. It offers strong two-factor authentication capabilities that provide users with controlled access to corporate information. Authentication is provided through One Time Passwords (OTPs) that are generated either using tokens with a hardware form factor, or through the use of software and mobile authenticators. In addition, ESP Web Access Gateway can be used to provide protection for Web applications, portals, and Outlook Web Access, by incorporating two-factor authentication and SSO.

Access management facilities are provided for internal and external users using secure access channels and SSO. VPN support is available for products from vendors such as Cisco, Check Point, Nortel, Citrix, and Juniper. Management facilities are also available for the enforcement of corporate access policies either through the management console or through its integration capabilities with LDAP, AD, and RADIUS sources.


Organizations that want to provide controlled access to many applications, or use alternative two-factor authentication mechanisms such as mobile devices, or make the deployment exercise simpler by providing a platform for user self-service and token enrolment, can use SafeWord’s Enterprise Solution Pack (ESP). ESP comes with its own Management Console for the enterprise-wide management of users, tokens and access rights, as well as event logging and reporting.

Another key piece of functionality within the ESP product set is MobilePass, a software-based two-factor authentication solution that generates OTPs on mobile devices, laptops or desktops. MobilePass can be deployed on a number of platforms including BlackBerry, Palm, Windows Mobile, Java ME-enabled devices, SMS text messaging, and Windows desktop. These OTPs are generated by a MobilePass application installed on the aforementioned devices to provide secure access to VPNs, Citrix applications, and Outlook Web Access.

Headquarters (Aladdin and SafeNet)
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Tel: +1 (410) 931 7500
Fax: +1 (410) 931 7524

SafeNet UK
Rivercourt, 3 Meadows Business Park
Station Approach, Blackwater
Camberley, Surrey, GU17 9AB
UK
Tel: +44 (0)1276 608000
Fax: +44 (0)1276 608080

www.safenet-inc.com

Avatier

Company profile

Avatier Corporation is a privately owned organization set up in 1995 and based in San Ramon, CA, withoffices in Dallas, Boston, Chicago, and Denver in the US, and smaller offices in India, the UK, andJapan. The company has 74 employees in total and has a customer base of over 500. Clients includethe NASA Shuttle operations/United Space Alliance, Harris Corporation, Astra Zeneca, RockwellCollins, NTL Group, and MidFirst Bank.

Product description

The Avatier Identity Management Suite consists of the following modules plus SSO functionality,addressing various aspects of identity management:

� Password Station: This module provides self-service password reset, password management, andsynchronization (GINA interface and Phone interface) capabilities. Employees are allowed to resettheir own passwords and synchronize one password across multiple platforms. This can be donethrough the Web browser or through the Password Station Phone Reset Suite module.

� Identity Analyzer: This module provides a holistic view of all user accounts as well as the currentstatus of these accounts across the entire enterprise systems. It separates accounts that arecurrently active from those that have been disabled or deleted.

• Password Bouncer: Password Bouncer can be used for granular enforcement of password policy and for password synchronization; employees are not allowed to select passwords that can be easily guessed or cracked.

• Account Creator: Account Creator is the company's user-provisioning and role-definition tool. Using it, administrators can create accounts for new employees, enforce naming conventions, and automate home directory management, e-mail set-up, and similar tasks.

• Account Terminator: This is the module for user de-provisioning. It is focused on compliance, especially SOX, the Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley (although these are US laws, the functionality is equally useful for non-US organizations). Administrators can search for orphan accounts, and disable, enable, and delete an employee's user accounts across multiple platforms.

CHAPTER 8: VENDOR PROFILES 229

• Avatier Identity Enforcer: Avatier Identity Enforcer provides self-service role-matrix and rights-management capabilities with SOX support. It includes multi-lingual workflow and a custom forms capability.

• Compliance Auditor: This module helps identify and address compliance gaps. It enables role, entitlement, and asset owners to regularly review and approve the access and assets assigned to users, and issues alerts through e-mail and other reporting methods.

Avatier Corporation
2603 Camino Ramon
Suite 110
San Ramon
CA 94583
USA
Tel: +1 (925) 217 5170
Fax: +1 (925) 275 0853

Avatier Corporation
The Pavilions, Kiln Lane
Epsom
Surrey
KT17 1JF
UK

E-mail: [email protected]

www.avatier.com

Aveksa

Company profile

Aveksa specializes in the supply of access governance and management solutions. The company was founded in 2004 by a group of industry experts with previous experience in organizations such as Netegrity, Banyan Systems, and PowerSoft. Aveksa focuses on specific areas of the Identity and Access Management (IAM) landscape, such as provisioning and role management, areas in which organizations have traditionally struggled to align technology-driven services with business requirements. The company has its corporate headquarters in Waltham, Massachusetts, and regional offices throughout North America. It also has operational headquarters in London, covering the Europe, Middle East and Africa (EMEA) region, and its engineering division operates out of Bangalore, India and Waltham, Massachusetts. The company is privately owned, and backed by leading venture capital firms, including Charles River Ventures, FirstMark Capital, and FTV Capital.

Product description

The Aveksa Access Governance Platform, comprising the Aveksa Compliance Manager, Aveksa Role Manager, and Aveksa Access Request and Change Manager, is an access control automation and management solution that takes a business- and process-centric approach to controlling and managing access to corporate information resources. The three modules together constitute an integrated product; each module, however, can deliver its services independently or as part of the integrated platform:

• Aveksa Access Request and Change Manager: provides a business interface to a streamlined set of request and fulfillment processes that incorporate embedded policy controls. It ensures that when user access requests are made, the access granted is appropriate to the user's functional role in the business and in alignment with internal policies and rules, and with industry regulatory requirements.

• Aveksa Compliance Manager: automates the monitoring, certification, reporting, and remediation of user entitlements, and keeps an auditable record of each of these activities.

• Aveksa Role Manager: provides role discovery, role modeling, and role maintenance facilities. The product enables organizations to build and deploy automated processes for governing and managing user access requests. It is responsible for role management, which includes the maintenance of service delivery controls and review processes to ensure that the role management configuration remains fit for its purpose; this includes role maintenance updates, the revocation of redundant roles, and validation management to reduce complexity and increase operational efficiency.

IDENTITY AND ACCESS MANAGEMENT 2011/12 230

The Aveksa product set is supported by secure, non-invasive, automated collection technology that enables it to acquire user access data (identities, roles, entitlements, groups, and access control lists) from all available information resources, including data, systems, hosts, applications, files, file shares, and directories. Aveksa aggregates and correlates user access data from multiple resources to provide a unified view that can be analyzed down to individual usage levels and accumulated to provide a picture of the entire enterprise.
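The reconciliation step behind both Avatier's Identity Analyzer and Account Terminator (separating live accounts from orphans) and the unified view Aveksa builds from collected access data is the same correlation problem: match every account exported from every target system to an authoritative identity, and report what does not match. The following added Python example (not Avatier or Aveksa code; the HR feed, the account exports, and the matching rules are constructed for illustration) shows one way to do it, matching by explicit employee-id attribute first, then by e-mail attribute, then by naming convention, and producing the findings a de-provisioning queue needs.

```python
"""Correlate account exports from several systems with the authoritative HR
record, and flag orphaned and terminated-but-present accounts.

Added example, not Avatier or Aveksa code. All feeds below are constructed
sample data; the matching rules are assumptions about a typical estate.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    employee_id: str
    email: str
    status: str  # "active" or "terminated" in the HR feed


@dataclass
class Account:
    system: str
    username: str
    owner_hint: Optional[str] = None  # employeeID attribute, GECOS/email, or None
    enabled: bool = True


# Constructed HR feed: the authoritative source of who should exist.
HR_FEED = [
    Identity("E100", "alice@example.com", "active"),
    Identity("E101", "bob@example.com", "terminated"),
    Identity("E102", "carol@example.com", "active"),
]

# Constructed account exports from three target systems.
ACCOUNT_EXPORTS = [
    Account("ad", "alice", owner_hint="E100"),
    Account("unix", "alice"),                        # no attribute; naming rule only
    Account("oracle", "BOB_S", owner_hint="bob@example.com"),
    Account("ad", "bob", owner_hint="E101", enabled=False),
    Account("unix", "svc_backup"),                   # nobody claims this one
    Account("ad", "carol", owner_hint="E102"),
    Account("oracle", "CAROL", owner_hint="E102"),
]


def correlate(identities: List[Identity], accounts: List[Account]
              ) -> Tuple[Dict[str, List[Account]], List[Account]]:
    """Map each account to an identity using, in order of confidence: an
    explicit employee-id attribute, an e-mail attribute, then the naming
    convention <e-mail local part> == <username>. Returns (unified view keyed
    by employee_id, orphans that matched nothing)."""
    by_id = {i.employee_id: i for i in identities}
    by_email = {i.email.lower(): i for i in identities}
    by_local = {i.email.split("@")[0].lower(): i for i in identities}
    view: Dict[str, List[Account]] = {}
    orphans: List[Account] = []
    for acct in accounts:
        hint = acct.owner_hint or ""
        ident = (by_id.get(hint) or by_email.get(hint.lower())
                 or by_local.get(acct.username.lower()))
        if ident is None:
            orphans.append(acct)
        else:
            view.setdefault(ident.employee_id, []).append(acct)
    return view, orphans


def findings(identities: List[Identity], accounts: List[Account]
             ) -> List[Tuple[str, str, str]]:
    """Produce (finding, system, username) rows for the de-provisioning queue."""
    view, orphans = correlate(identities, accounts)
    status = {i.employee_id: i.status for i in identities}
    rows = [("orphan", a.system, a.username) for a in orphans]
    for emp_id, accts in view.items():
        if status[emp_id] != "terminated":
            continue
        for a in accts:
            # An enabled account for a leaver is the urgent case; a disabled one
            # still needs deleting so it cannot be quietly re-enabled later.
            kind = "terminated-enabled" if a.enabled else "terminated-disabled"
            rows.append((kind, a.system, a.username))
    return sorted(rows)


if __name__ == "__main__":
    for row in findings(HR_FEED, ACCOUNT_EXPORTS):
        print(*row)
```

Service accounts such as `svc_backup` show up as orphans unless they are registered with an owner in a separate inventory; that is the behaviour you want, since an unowned account on a host is exactly what an orphan search exists to surface.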

Aveksa Corporate Headquarters
265 Winter Street
Waltham, MA 02451
USA
Tel: +1 (877) 487 7797 (US calls)
Tel: +1 (781) 487 7700 (calls outside the US)
Fax: +1 (781) 487 7707

Aveksa EMEA Headquarters
211 Piccadilly
London, W1J 9HF
UK
Tel: +44 (0)20 79179466

www.aveksa.com

Beta Systems

Company profile

Headquartered in Berlin, Germany, with offices in 18 countries, Beta Systems is an integrated, end-to-end solutions provider for Document Processing, Compliance, Data Processing, and Security. With a customer base of 1,300 customers and 3,000 running installations, the company has built a reputation as one of Europe's leading mid-sized, independent software providers. Beta Systems was founded in 1983 and has been a listed company since 1997. The company has 600 employees, including its centers of excellence in Augsburg and Cologne in Germany, and Calgary in Canada.

Product description

Beta Systems provides products covering a wide range of Identity and Access Management areas. These include:

• SAM Jupiter: SAM Jupiter is the company's user provisioning tool. It offers policy-based user provisioning and de-provisioning and automates these tasks, thereby reducing operational risk and increasing the level of IT security. The company claims that the SAM Jupiter Provisioning Server is capable of automating up to 80% of the routine administration tasks that go into user provisioning. It also offers policy enforcement capabilities along with reporting, auditing, and delegated administration. The SAM Jupiter agent/agentless connectors enable integration with applications like MS Exchange, Lotus Domino, and Novell GroupWise, as well as operating systems from Microsoft, IBM, HP, Sun, Linux, and Novell. Connectors are also available for LDAP, Oracle and DB2 databases, and Tivoli Access Manager.

• SAM Password Synchronization (SAM PS): Authentication is provided through the company's SAM Password Synchronization (SAM PS) tool. It provides single-password access to heterogeneous platforms and applications. Supported platforms include Windows NT/2000, IBM z/OS, Novell NetWare (Bindery, NDS), UNIX (Sun Solaris, HP-UX, IBM AIX), LDAP, and SQL Server. A Web-based self-service tool, SAM Password Reset (SAM PR), can be used to reset users' passwords.

• SAM eSSO: SAM eSSO provides enterprise SSO capabilities. It can be integrated with a number of Windows, Web, and legacy applications through agents/XML parameter files to add SSO capabilities to them. It is built on a High Availability (HA) architecture and provides failover capabilities while supporting hundreds of thousands of users.

• SAM Rolemine: The integrated SAM Rolemine (created after acquiring ownership of the Rolemine product from Swiss partner IPG AG) simplifies the process of role identification and definition by applying pattern-based analytics to existing organization data and security information from the SAM Jupiter Repository, and optionally from other repositories. It validates the existing role model and ensures compliance with organizational policies during an ongoing model review process. It can adapt to business changes by redefining roles and privileges, and works in conjunction with SAM Jupiter's role-based administration features to support more comprehensive role-lifecycle management.


• Beta Agilizer 4Security: Beta Agilizer 4Security is an administration tool that integrates the management aspects of all the tools mentioned above, as well as the other security aspects of an organization's IT systems. It enables the administration and provisioning of services in existing portals, workflows, and Service Oriented Architecture (SOA) platforms, and provides a customizable self-service function that can be rolled out to end users.

Beta Systems Software AG
Alt-Moabit 90d
D-10559 Berlin
Germany
Tel: +49 (0)30 726 118 0
Fax: +49 (0)30 726 118 800
Email: [email protected]

Beta Systems Software Ltd.
Unit 8, Diddenham Court
Lambwood Hill, Grazeley, Reading
Berkshire, RG7 1JS, UK
Tel: +44 (0)1189 885175
Fax: +44 (0)1189 884899
Email: [email protected]

www.betasystems.com

BMC

Company profile

BMC Software, founded in September 1980, has grown both organically and by acquisition. Its notable acquisitions include PATROL in 1994, BGS Systems in 1998, both Boole and Babbage and New Dimension Software in 1999, Perform SA in 2001, Remedy in 2002, Marimba in 2004, Identify Software Ltd in 2006, ProactiveNet in 2007, and Tideway Systems in 2009. Its headquarters is in Houston, Texas, and its international division is based in the Netherlands. It has an extensive network of offices throughout the world. BMC research and development offices are located in the US, France, Singapore, Israel, and India. The company is publicly traded on the New York Stock Exchange.

Product description

BMC's Identity Management Suite consists of an extensive range of identity- and access-based solutions for organizational users. However, the company has lost its way as a mainstream IAM provider and now prefers to market its identity management products as components of the BMC Business Service Management (BSM) offering.

BMC retains the following IAM products:

• BMC User Administration and Provisioning provides a Web-based User Administration Management application and processes, and provisioning of user accounts on target systems (with 24 different target systems supported). The automated identity management allows users to undertake tasks independently (e.g. self-registration for access to a particular application, or requesting access to applications via workflow-based processes that can incorporate approval steps). It adopts a self-service approach that allows costs and delays to be minimized within business processes. It also supports auditing of every action within the identity management suite, including password resets, login attempts, and requests for access to applications.

• BMC Password Management enables passwords and related processes (including resets) to be managed. Integration with the 'Remedy Help Desk' solution allows tickets to be raised, and is often used to automatically log all password reset requests and to enable users to track the progress of their reset request.

• BMC Audit and Compliance Management is typically used by compliance officers who need visibility into the organizational identity and access management functions, to see which resources and applications every user has access to, and also to view what applications users should not access (often with reference to users' roles). It provides the ability to link the audit of access events with the tracking and trending of access policies, to create a cycle of continual governance and improvement in controls. Organizations can develop their own policies to manage access to applications and resources, and any attempted unauthorized actions can be flagged and prevented. A dashboard gives a view of who has access to what and what each user is doing from an application perspective.


• BMC Access Management provides role-based access control to Web-based applications and resources. It uses a single interface to enable administrators to manage access rights for identities.

• BMC Federated Identity Manager can relate, and determine the value of, identity information from different stores, which typically are used by different organizations. It enables users to navigate seamlessly through different domains of resources. The product supports a broad range of prevalent standards (SAML, Liberty ID-FF, WS-Federation, and Shibboleth), and may be implemented either closely integrated with BMC Access Management, or completely independently.

Workflow is available throughout the Identity Management Suite, and tasks can involve functions from more than one of the modules. Workflow tasks are sent to users by automated processes via e-mail, so users do not need a client implementation on their desktop to manage workflow tasks.

BMC's Identity Management Suite is strongly integrated with some of the products from BMC's BSM portfolio, such as its CMDB; service desk; incident, problem, and change management; and compliance assurance offerings.

BMC Software, Inc.
2101 City West Boulevard
Houston
Texas 77042-2827
USA
Tel: +1 (713) 918 8800
Fax: +1 (713) 918 8000

BMC Software
Assurance House
Vicarage Road, Egham
Surrey, TW20 9JY
UK
Tel: +44 (0)1784 478000
Fax: +44 (0)1784 430581

www.bmc.com

Courion

Company profile

Courion Corporation was founded in 1996, and was among the first companies to bring the self-service concept to identity management. The company is privately held, and is backed by several premier venture capital organizations that are part owners. The company has around 100 employees and its customer base ranges from large enterprises to medium-sized companies, with implementations ranging from 500 users to 350,000 users (averaging 20,000 users). Customer organizations include globally recognized names such as Boeing, Office Depot, and GE. Of the Fortune 500 member companies, over 60 are Courion customers (as are over 20 of the Fortune 100 list). Among its key customers in the European market are O2, the Belgian bank KBC, GlaxoSmithKline (which has a global deal with Courion), Switzerland's Federal Dept. of Home Affairs, Egg Financial, Capgemini, and PricewaterhouseCoopers. The company has recently moved its headquarters to Westborough, Mass., and has sales offices in four other US locations, in addition to a UK-based international headquarters in Manchester.

Product description

Courion's Access Assurance Suite version 8.0 (formerly known as the Enterprise Provisioning Suite) is aimed at simplifying user provisioning, role management, access compliance, and password management. It consists of the following products, which are usually used together but can be deployed separately:

• PasswordCourier: an automated self-service password management product that enforces password policies, and enables users to reset and synchronize their own passwords on enterprise and Web applications.

• AccountCourier: a user provisioning and account management product that allows the definition and automation of business processes for the complete provisioning lifecycle.

• ProfileCourier: a self-service, profile-management utility that enables users to register and maintain personal data within existing corporate directories and security databases.


• CertificateCourier: an automated provisioning solution for digital certificates, providing self-service certificate registration and recovery for an existing PKI.

• ComplianceCourier: automates the review process for user access rights (verification, management, and reconciliation), pushing accountability out to the most appropriate parties; it also provides employee policy-awareness testing that integrates with automated provisioning management. The existing ComplianceCourier capability deals with the 'Segregation of Duties' concerns that arise out of the US SOX legislation.

• RoleCourier: automates the process of creating and managing roles, and enforces a policy-based role management approach that maps the access rights of user groups to their corresponding business function.

• Sensitive Data Manager: integrates ComplianceCourier with Symantec DLP to enable organizations to discover sensitive data and capture details of user access to it, in order to verify whether that access is appropriate.

• User Activity Manager: a solution that integrates identity data with reports and alerts generated by various security information and event management (SIEM) solutions and log file monitoring. Monitoring user activity makes it possible to filter out and identify the users performing inappropriate activities with the data they access. Courion's SIEM integration architecture is vendor-neutral, i.e. it is flexible enough to combine data from any SIEM vendor or log file.

• Compliance Manager for file shares and SharePoint: ensures that all user file access is aligned with the organization's security policies and industry regulations. It ranks files according to their risk level, on the basis of which organizations can profile the user access settings. Administrators can identify user violations of corporate security policy in SharePoint environments. The solution comes with out-of-the-box policy definitions, which can also be customized to meet specific requirements.
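The Segregation of Duties concern that ComplianceCourier addresses (and that Aveksa's Compliance Manager and Access Request and Change Manager also cover, above) comes down to two checks: a detective sweep over the entitlements people already hold, and a preventive check on each new access request before it is provisioned. Conflicts usually hide across role combinations, so both checks have to flatten roles into effective entitlements first. The following added Python example is not Courion or Aveksa code; the role catalogue, SoD rules, and user store are constructed for illustration.

```python
"""Segregation-of-duties (SoD) checking over role-derived entitlements.

Added example, not Courion or Aveksa code. Roles, rules and users are
constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed role catalogue: role -> entitlements it grants.
ROLES: Dict[str, Set[str]] = {
    "ap_clerk": {"ap.invoice.create", "ap.invoice.edit"},
    "ap_approver": {"ap.invoice.approve"},
    "treasury": {"ap.payment.release"},
    "auditor": {"gl.report.read"},
}

# Constructed SoD rules: two entitlements one person must not hold together.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("ap.invoice.create", "ap.invoice.approve", "create-and-approve-invoice"),
    ("ap.invoice.approve", "ap.payment.release", "approve-and-release-payment"),
]

# Constructed user store: roles plus directly assigned entitlements.
USERS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"roles": {"ap_clerk"}, "direct": set()},
    "bob":   {"roles": {"ap_clerk", "ap_approver"}, "direct": set()},
    "carol": {"roles": {"auditor"}, "direct": {"ap.payment.release"}},
}


def effective_entitlements(user: str, users=USERS, roles=ROLES) -> Set[str]:
    """Flatten roles and direct grants; conflicts usually hide across roles."""
    ents = set(users[user]["direct"])
    for role in users[user]["roles"]:
        ents |= roles[role]
    return ents


def conflicts(ents: Set[str], rules=SOD_RULES) -> List[str]:
    """Names of every rule whose two entitlements are both present."""
    return [name for a, b, name in rules if a in ents and b in ents]


def sod_violations(users=USERS) -> List[Tuple[str, str]]:
    """Detective control: (user, rule) pairs for the certification campaign."""
    out = []
    for user in sorted(users):
        for rule in conflicts(effective_entitlements(user, users)):
            out.append((user, rule))
    return out


def request_allowed(user: str, requested: str, users=USERS) -> Tuple[bool, str]:
    """Preventive control: evaluate the request against what the user already
    holds, so a conflict is refused before it is provisioned. Only conflicts
    the request would introduce are reported; pre-existing ones belong to the
    detective sweep above."""
    before = conflicts(effective_entitlements(user, users))
    after = conflicts(effective_entitlements(user, users) | {requested})
    new = [r for r in after if r not in before]
    if new:
        return False, "would violate SoD rule(s): " + ", ".join(new)
    return True, "no SoD conflict"


if __name__ == "__main__":
    print("violations:", sod_violations())
    print("carol -> ap.invoice.approve:", request_allowed("carol", "ap.invoice.approve"))
```

Note that `carol` holds `ap.payment.release` as a direct grant outside any role; a check that only looked at role membership would miss the conflict her request would create.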

The company complements its product set with professional services. These include the Access Assurance Workshop, Capacity Planning, Identity Mapping, and Self-Service Attainment programs. Part of the Self-Service Attainment program is a personalized Knowledge Base that facilitates end-user adoption of self-service applications.

Worldwide Headquarters
Courion Corporation
1900 West Park Drive, 1st Floor
Westborough, MA 01581-3942
USA
Tel: 866 COURION / 508 879 8400
Fax: 508 366 2844

EMEA Headquarters
3000 Aviator Way
Manchester Business Park
Manchester, M22 5TG
UK
Tel: +44 (0)161 2661094
Fax: +44 (0)161 2661393

www.courion.com

Cyber-Ark

Company profile

Founded in 1999, Cyber-Ark is an information security company that specializes in protecting and managing privileged users, applications, and highly sensitive information. Cyber-Ark has a customer base of around 700 global customers, including more than 35% of the Fortune 50 and seven of the ten largest banks worldwide. Cyber-Ark is headquartered in Newton, Massachusetts, and also has offices and authorized partners in North America, Europe, and Asia Pacific. Cyber-Ark Software is privately held and backed by venture capitalists, including Jerusalem Venture Partners, Seed Capital Partners (a SOFTBANK affiliate), JP Morgan/Chase Partners, and Vertex Management.


Product description

Cyber-Ark's Privileged Identity Management (PIM) Suite provides a unified, policy-based solution for the security monitoring and management of privileged user accounts and their related activities. The suite controls user access to privileged accounts based on user credentials, monitors and records privileged user sessions, streamlines policy management, integrates with enterprise systems, and helps organizations adhere to identity management related audit and regulatory requirements. Cyber-Ark provides multiple security layers, including VPN, file access control, encryption, authentication, and firewall protection.

The PIM Suite consists of the following modules:

• Enterprise Password Vault (EPV): This module uses Cyber-Ark's patented Digital Vault Technology to securely manage, automatically change, and log all privileged account activities. The module supports a wide range of platforms, including over 50 operating systems, databases, firewalls, network devices, business suites, and key systems. EPV integrates with an organization's existing help desk and ticketing systems, and includes a dashboard that allows users to create personalized views of all managed devices and privileged accounts. EPV can automatically reconcile passwords without any human intervention. For automatic user provisioning, EPV uses the enterprise directory to provision and manage all privileged account changes automatically.

• Application Identity Manager (AIM): This module centrally stores and manages all highly sensitive user and application passwords within the Digital Vault, thereby eliminating the need to store hard-coded, embedded credentials in applications, scripts, or configuration files. AIM ensures that all credentials are secured and automatically managed, including those held in Application Server data sources, and also supports changing passwords on demand.

• Privileged Session Manager (PSM): This module captures all user actions in detail, including keystrokes and mouse movement. Every action the user undertakes after gaining access to a target system is monitored and recorded, and user sessions can be viewed later. All recorded sessions are archived and can be searched and retrieved based on user, system, and date parameters. The module enables organizations to enforce secure access control and session control for third-party access. It allows users to log on to the PIM portal using two-factor authentication.

• On-Demand Privileges Manager (OPM): A unified solution that enables organizations to monitor as well as manage super-users and privileged accounts, OPM also provides a centralized reporting engine capable of providing unified and correlated audit logs. All account usage, including that of the 'root' user on UNIX, can be set up and controlled based on pre-defined, granular access control mechanisms. The module can integrate seamlessly with SIEM products and with an organization's existing enterprise infrastructure.

The Cyber-Ark PIM Suite uses a Central Policy Manager engine that allows automatic management and enforcement of all privileged account management policies on local or remote networks across the enterprise, without the need for human intervention.
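The problem AIM is described as removing, hard-coded credentials in scripts and configuration files, is worth seeing side by side with the vault-backed alternative. The following added Python example is not Cyber-Ark code: `CredentialVault` is a deliberately minimal in-memory stand-in (the real product's API, and how it authenticates the calling application, are not described on this page and are not reproduced here), and the legacy configuration file is constructed. It shows a scanner for the literal-credential pattern, and a consumer that fetches the secret at run time under a per-application policy so that rotating the password in the vault does not break it.

```python
"""Hard-coded credential vs. credential fetched from a vault at run time.

Added example, not Cyber-Ark code. CredentialVault is a hypothetical
in-memory stand-in for the vault AIM fronts; LEGACY_CONFIG is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# --- BEFORE: the pattern AIM is meant to remove. Constructed sample config. ---
LEGACY_CONFIG = """\
db.host = db01.example.com
db.user = app_prod
db.password = Summer2011!
# ssh to the batch host
batch.pass: hunter2
log.level = INFO
"""

# key containing pass/password/pwd/secret, then '=' or ':', then a literal value
_SECRET_LINE = re.compile(
    r"^\s*([\w.\-]*(?:pass(?:word)?|pwd|secret)[\w.\-]*)\s*[=:]\s*(\S+)", re.I)


def find_embedded_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for lines that look like a literal credential.
    Values such as ${VAULT:...} placeholders are not reported."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _SECRET_LINE.match(line)
        if m and not m.group(2).startswith("${"):
            hits.append((n, m.group(1)))
    return hits


# --- AFTER: retrieve at run time, authorised per application identity. ---
class CredentialVault:
    """Hypothetical stand-in: stores secrets and which app may read which."""

    def __init__(self):
        self._secrets: Dict[str, str] = {}
        self._policy: Dict[str, Set[str]] = {}

    def store(self, account: str, password: str, allowed_apps: Set[str]):
        self._secrets[account] = password
        self._policy[account] = set(allowed_apps)

    def rotate(self, account: str, new_password: str):
        """Change the password in one place; consumers pick it up on next use."""
        self._secrets[account] = new_password

    def get_credential(self, app_id: str, account: str) -> str:
        if app_id not in self._policy.get(account, set()):
            raise PermissionError(f"{app_id} may not read {account}")
        return self._secrets[account]


def connect_with_vault(vault: CredentialVault, app_id: str) -> Dict[str, str]:
    """Hardened consumer: no literal anywhere, fetched fresh on each connect.
    Returns the parameters that would be handed to a database driver."""
    password = vault.get_credential(app_id, "db01/app_prod")
    return {"host": "db01.example.com", "user": "app_prod", "password": password}


if __name__ == "__main__":
    print("embedded credentials:", find_embedded_credentials(LEGACY_CONFIG))
    vault = CredentialVault()
    vault.store("db01/app_prod", "first-secret", {"billing-batch"})
    print(connect_with_vault(vault, "billing-batch")["password"])
    vault.rotate("db01/app_prod", "second-secret")
    print(connect_with_vault(vault, "billing-batch")["password"])
```

The scanner is a first-pass control, not proof of absence: it finds the obvious key names, and anything it flags still has to be moved into the vault and the file's history scrubbed, since the old literal survives in backups and version control.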

Corporate Headquarters
Cyber-Ark Software, Inc.
57 Wells Avenue
Suite 20A
Newton, MA 02459
USA
Tel: +1 (888) 808 9005 or (617) 965 1544
Fax: +1 (617) 965 1644

UK Sales Office
Cyber-Ark Software (UK) Ltd.
Abbey House
1650 Arlington Business Park
Theale, Reading, RG7 4SA
UK
Tel: +44 (0)118 9298430

www.cyber-ark.com


Fox Technologies

Company profile

Founded in 2005, FoxT provides Identity and Access Management solutions. The company is privately held and headquartered in Mountain View, California, with development centers in Sweden and Mountain View, and sales offices in several countries. FoxT serves Global 1000 customers in 32 countries.

Product description

FoxT ServerControl is a role- and agent-based solution, supported by central policy-management facilities, that improves the security of operating systems in enterprise server environments by strengthening the controls over privileged-user access. The FoxT security database is the core component of the solution; it acts as the central repository that holds the entire database of user accounts, credentials, access rights, encryption keys, host identities, and related data in the managed network. Administrators manage the repository via either a graphical user interface (GUI) or a command-line interface (CLI).

The solution also supports encrypted remote administration through a browser, and administrator access is restricted to specific named users and to specific hosts from within or outside the controlled domain. The BoKS Manager provides the security server platform for FoxT ServerControl. FoxT Server Agent is the server software installed on each UNIX, Linux, or Windows Server host to provide the solution's privileged-user protection and security services, ensuring that every user-access request follows the settings that have been pre-set in the security database.

The FoxT ServerControl functions as follows:

i) When a user attempts to log in to an operating system protected by the server agent, the login request is sent to an available authentication server, either the master or a replica server.

ii) Once the server receives the login request, it compares it against the security database settings to identify the authorized access route. This specifies how, from where, and when a particular user or user group is allowed to access a resource. The client then sends a further request for a user name to the authentication server. The server agent communicates with the master (or, more typically, a replica) server to obtain any additional authentication details that might be required and are held in third-party systems.
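The access-route lookup in step ii) is the heart of this design: a request is allowed only if a route exists for that subject, that login method, that source network, that target, and that time of day, and anything not listed is refused. The following added Python example is not FoxT code and does not reproduce BoKS's rule syntax; the rule shape follows the description above (how, from where, when, and for `su` the account to become), while the field names, the group table, and the sample policy are assumptions constructed for illustration. Evaluation is default-deny.

```python
"""Access-route evaluation: who may log in how, from where, to what, and when.

Added example, not FoxT code. Field names, the group table and the sample
policy are constructed assumptions; evaluation is default-deny.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed group membership, as the security database would hold it.
GROUPS = {"ops": {"alice", "bob"}, "dba": {"alice"}}


@dataclass(frozen=True)
class Route:
    subject: str                               # "user:<name>" or "group:<name>"
    method: str                                # "ssh", "su", "console"
    source: str                                # CIDR the request may come from
    target: str                                # host name, or "*" for any host
    days: Tuple[int, ...] = (0, 1, 2, 3, 4)    # Monday=0 .. Friday=4
    hours: Tuple[int, int] = (0, 24)           # [start, end) local hour
    run_as: Optional[str] = None               # for su: the account to become


def _subject_matches(route: Route, user: str) -> bool:
    kind, name = route.subject.split(":", 1)
    return name == user if kind == "user" else user in GROUPS.get(name, set())


def evaluate(routes: List[Route], user: str, method: str, src_ip: str,
             target: str, when: datetime, run_as: Optional[str] = None
             ) -> Tuple[bool, str]:
    """Return (allowed, reason). The first matching route wins; no match means
    deny, which is what stops an unlisted host or an out-of-hours login."""
    src = ipaddress.ip_address(src_ip)
    for r in routes:
        if not _subject_matches(r, user) or r.method != method:
            continue
        if src not in ipaddress.ip_network(r.source):
            continue
        if r.target not in ("*", target):
            continue
        if when.weekday() not in r.days or not (r.hours[0] <= when.hour < r.hours[1]):
            continue
        if method == "su" and r.run_as != run_as:
            continue
        return True, f"matched route {r.subject} {r.method} {r.source}->{r.target}"
    return False, "no matching access route (default deny)"


# Constructed policy: ops may ssh in from the admin network on weekdays at any
# hour; only alice may su to root on db01, and only during office hours.
ROUTES = [
    Route("group:ops", "ssh", "10.0.1.0/24", "*"),
    Route("user:alice", "su", "10.0.1.0/24", "db01", hours=(8, 18), run_as="root"),
]


def decide(user: str, method: str, src_ip: str, target: str, iso_when: str,
           run_as: Optional[str] = None) -> Tuple[bool, str]:
    """Evaluate against the constructed ROUTES; iso_when is e.g. '2011-06-06T10:00'
    (a Monday)."""
    return evaluate(ROUTES, user, method, src_ip, target,
                    datetime.fromisoformat(iso_when), run_as)


if __name__ == "__main__":
    print(decide("alice", "su", "10.0.1.7", "db01", "2011-06-06T10:00", run_as="root"))
    print(decide("alice", "su", "10.0.1.7", "db01", "2011-06-06T22:00", run_as="root"))
```

Because the subject can be a group, adding a user to `ops` silently grants every route the group holds; the same review that certifies group membership therefore has to certify the routes attached to it.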

Apart from storing all event logs in the master server, ServerControl captures and records all user actions in detail, including keystrokes, mouse movement, and any other associated input, using its inbuilt keystroke-logging function. The system also controls the setup and use of configured warning messages, which are displayed whenever a user violation takes place. The solution supports a variety of strong third-party authentication solutions to provide additional authentication for data and systems. The authentication methods that can be configured include physical devices such as RSA SecurID tokens and SafeNet SafeWord tokens; public key technologies such as certificates, PKI smartcards, or USB tokens; and secure shell (SSH) public key, SSH host-based, and SSH certificate authentication. The solution also supports integrated SSH, a multi-service protocol that establishes a secure, encrypted communication channel between two computers.

FoxT ServerControl provides flexible provisioning facilities. It allows administrators to provision user accounts across multiple servers running diverse operating systems. The product integrates readily with existing corporate directories and identity management systems. FoxT ServerControl provides central management of access policies (definition and enforcement) across all heterogeneous environments via a single Web-based administration console. A key component of FoxT ServerControl is the FoxT Password Vault, an add-on module that can be installed on the BoKS Manager master server. It can be remotely managed and operated from any configured client through an Internet browser. Password Vault enables organizations to manage specific pre-defined privileged accounts, configure access controls, and manage logouts of multiple similar password sessions.

FoxT ServerControl provides extensive reporting and auditing capabilities, and maintains searchable logs with details of all user activities. FoxT Reporting Manager, an additional product, can group audit and compliance reports into a consolidated view of all access-control policies and data across security domains.


FoxT Headquarters
883 North Shoreline Blvd.
Building D, Suite 210
Mountain View CA 94043
USA
Tel: +1 (650) 687 6300
Fax: +1 (650) 618 0332

FoxT EMEA
200 Brook Drive
Green Park, Reading
Berkshire, RG2 6UB
UK
Tel: +44 (0)1189 497664
Fax: +44 (0)1189 497001

www.foxt.com

Imprivata

Company profile

Imprivata is a prominent vendor in the field of identity-based user authentication solutions. The company was founded by experts in the identity management and biometric fields of IT security, and has worked on and deployed a number of large-scale digital identity and authentication projects. Imprivata is a private company with funding provided by Polaris Venture Partners, Highland Capital Partners, and General Catalyst Partners. It has corporate headquarters in Lexington, Massachusetts in the USA, and also operates out of San Francisco. Internationally, the company has offices in Watford in the UK, Antwerp in Belgium, Milan in Italy, and Singapore. The company has over 800 customers.

Product description

The company's OneSign product is an appliance-based solution that provides authentication, SSO, and physical/logical access capabilities. These capabilities are packaged as individual modules and are delivered from within the same self-contained appliance, which has a hardened Linux kernel and an Oracle 10g database, and is purpose-built for user authentication.

The Imprivata OneSign appliance has been designed to provide an SSO environment with strong user authentication when users request access from mobile, remote, and LAN access channels. Users can switch between sessions on concurrent Windows machines. The product is capable of dealing with user login requests that are initiated using an extensive range of password, biometric, proximity card, smartcard, USB token, and ID token approaches.

Three main components form the Imprivata OneSign product set, and they collectively provide a single authentication management solution for securing electronic systems, networks, and applications, as well as for integrating with authentication events of physical access to buildings. These are:

• OneSign Authentication Management (AM): provides a range of network authentication services that have been designed to enable organizations to improve the security of their systems by moving on from less secure passwords. OneSign AM supports strong authentication options such as smartcards, tokens, proximity cards, and biometrics. The Imprivata OneSign appliance contains a built-in Remote Authentication Dial-In User Service (RADIUS) host for remote access authentication, and the solution is supported by a single administration point of control that provides easy deployment and management. Furthermore, the Imprivata OneSign solution supports emergency access authentication requirements that are aligned with the organization's access control policies: end users who forget their strong authentication devices can be granted a controlled number of 'emergency logins' per month.

• OneSign Single Sign-On: provides application management services that make each end-user system and application SSO-ready. The OneSign Single Sign-On product achieves this without requiring modifications to any application; instead it uses the Single Sign-On Application Profile Generator™ (APG), an internal component of the OneSign Single Sign-On product, to build a sustainable and unique profile for each application so that SSO access can be granted. This module can identify and learn application login behaviour and automatically capture this information. The solution integrates with leading provisioning systems through a standards-based Services Provisioning Markup Language (SPML) interface.


• OneSign Physical/Logical: this component provides converged access control facilities that let organizations use integrated network and building access systems for unified enterprise security management. Using OneSign Physical/Logical, organizations can create converged security policies that cover both physical and IT access requirements. This enables organizations to grant or refuse network access based on a user's physical location or employee status. It provides a smartcard- and token-agnostic approach that interoperates with an organization's existing physical access systems.

Working from a single common user interface, the Imprivata OneSign appliance delivers high levels of identity and authentication control. Its integrated appliance platform provides a number of advantages, such as the common user interface between product components, common workflow processes, and common reporting services.

Imprivata, Inc.
10 Maguire Road
Building 4, Lexington
MA 02421-3120
USA
Tel: +1 (781) 674 2700
Fax: +1 (781) 674 2760

EMEA Headquarters
Imprivata, Inc.
Forsyth House
77 Clarendon Road
Watford Herts., WD17 1LE
UK
Tel: +44 (0)1923 813511
Fax: +44 (0)870 4282554

www.imprivata.com

Passlogix

Company profile

Passlogix was founded in 1996, and was a privately held company until acquired by Oracle in October 2010. It is headquartered in New York City, and has development offices in Amityville, NY, and sales offices throughout the USA, and in the UK and Hong Kong. The company has customers from a number of verticals including Manufacturing, Financial Services, Healthcare, Telecom, Retail, Oil/Gas, National, State and Local Governments, and has sold more than 15 million licenses for its v-GO solution.

Product description

The Passlogix v-GO Access Accelerator Suite for Identity and Access Management includes the following components:

• v-GO Single Sign-On: v-GO Single Sign-On Platform is a family of products aimed at providing enterprise-strength SSO and complementary offerings that provide integration with facilities that cater to other IAM requirements, such as provisioning, and additional login-related facilities for the Windows environment. These complementary offerings include v-GO Self Serve Password Reset, v-GO Authentication Manager, v-GO Provisioning Manager, and v-GO Session Manager.

• v-GO On-Demand Edition: the v-GO On-Demand Edition is similar in terms of functionality to v-GO SSO, the only difference being that it is accessed from a host Web site. v-GO On-Demand Edition can be administered from outside the installation and enables the end user to access SSO functionality from anywhere across the enterprise.

• v-GO Shared Accounts Manager (v-GO SAM): provides secure access to systems and applications for administrators, temporary workers, and others who must share account IDs. It enables shared credentials to be securely stored and retrieved, with the required authorization and usage tracking to improve security, increase accountability, and reduce compliance exposure.

• v-GO Session Manager (v-GO SM): helps avoid security risks that arise from the use of kiosks. It is designed to cater for mobile users by providing automated termination of inactive sessions and application shutdown.

• v-GO Provisioning Manager (v-GO PM): handles application credential provisioning automatically; it provides APIs to integrate automatic provisioning with existing workflows and scripts, and connectors to integrate with leading provisioning platforms including those from IBM, Sun, BMC, and Oracle.

IDENTITY AND ACCESS MANAGEMENT 2011/12 238

• v-GO Universal Authentication Manager (v-GO AM): enables authentication requests to be supported by a broad variety of smart cards, biometrics, and tokens. Use of multiple authenticators is supported, including the definition of a fall-back state in the event that one fails. v-GO AM also defines authentication levels so that application-based rights can be adjusted depending on the nature of authentication used.

• v-GO Self Service Password Reset (v-GO SSPR): provides an additional layer to the normal Windows logon panel for end users – it extends the panel so that the user can reset his or her own Windows password. Integration with Windows authentication and administration ensures that this is controlled within the overall Windows framework.

Headquarters
Passlogix, Inc.
75 Broad Street, Suite 815
New York, NY 10004, USA
Tel: +1 (212) 825 9100
Fax: +1 (212) 825 0326

EMEA Office
The City Arc
89 Worship Street
London, EC2A 2BF, UK
Tel: +44 (0)20 79172754

Ping Identity

Company profile

Ping Identity provides organizations with commercial IAM solutions and is primarily focused on the area of Federated Identity. Founded in 2002, and headquartered in Denver, Colorado, Ping is a privately held company and has over 100 employees worldwide. The company also has offices in Boston, Massachusetts and Vancouver, Canada. Its current customer base is over 350, and includes enterprises, government agencies, software-as-a-service (SaaS) vendors and online service providers worldwide.

Product description

Ping Identity’s software comprises products that cater for the various Federated Identity Management standards (SAML, Liberty ID-FF, and WS-Federation), and the CardSpace authentication module. Ping Identity has two key solutions, namely PingFederate and PingConnect, and both help organizations overcome IAM-related issues for their SaaS implementations.

PingFederate provides organizations with a standards-based software solution that enables management of all external identity connections. Supported connections could range across customers, SaaS or BPO providers, partners, affiliates, etc. The solution helps organizations to implement web SSO and identity-enabled web services connections. It also provides multi-protocol support and automated user provisioning capabilities. The key capabilities of PingFederate include:

• Web SSO – PingFederate allows users to sign on only once at the primary network access point. Based on this, users can seamlessly achieve access across other authorized web-based business applications without necessarily requiring additional password authentication. PingFederate also automates internet user account setup, update, and removal services, with the intention of eliminating unauthorized access. Its Advanced Security Token Service capabilities are used to enhance identity sharing across security domains in a secured manner. PingFederate also supports identity mapping, account mapping and account linking. PingFederate also provides flexible, integrated support for all versions of the SAML protocol (1.0, 1.1 and 2.0), as well as WS-Federation.

• User Provisioning – PingFederate has the capability to directly integrate with all existing corporate directories to automate the lifecycle elements of account creation, updating, and deletion.

PingFederate allows administrators to control identity management through the GUI-based administration console. The console can be accessed by users based on their roles, thus limiting certain specific tasks to selected users. Authenticated access to the Administrator Console can be configured by directly linking with the LDAP data store and can optionally be secured using X.509 certificates.


PingConnect – The PingConnect solution manages the integration of an organization’s existing user identities, which are typically within Microsoft’s AD or another LDAP repository, with any of over 60 leading SaaS offerings (e.g. Salesforce CRM, Google Apps, ADP, Cisco WebEx, Rearden Commerce, and Concur). PingConnect is cloud-based and, very importantly, provides dynamic integration with the main identity source (whether this is on AD, another LDAP source, Google, or salesforce.com). This means that no replication of the customer organization’s user identities is required (avoiding privacy issues), new users can gain access instantaneously, and users leaving the organization are immediately prevented from continuing to use their access rights. A user’s log-on from salesforce.com or Google can also be the key used to access these services, a feature that is especially helpful for smaller organizations, many of whom have adopted SaaS-based offerings as their main IT platform for significant business processes such as sales and collaboration.

Denver (Headquarters)
1099 18th Street, Suite 2950
Denver, CO 80202, USA
Tel: +1 (303) 468 2900
Fax: +1 (303) 468 2909

Boston
230 3rd Ave, 6th Floor
Waltham, MA 02451, USA
Tel: +1 (781) 373 4850
Fax: +1 (781) 547 4017

www.pingidentity.com

Pirean

Company profile

Founded in 2002, and headquartered in the United Kingdom, Pirean delivers technology partnerships and consultancy services for Infrastructure, Service and Security Management platforms utilizing IBM technologies. The company is privately held and has 70 employees. Pirean is ITIL compliant, with all staff qualified to ITIL foundation level; the company also has accredited consultancy status with the British Standards Institute (BSI). Pirean’s accolades include the IBM ‘Business Partner Innovation Award’ (2008), ‘Beacon Award Finalist – Outstanding Service Management Tivoli Solution’ (2009) and the IBM Tivoli Business Partner Service Management Solution Award (2010).

Product description

Pirean’s Access: One provides identity, access and audit management for multiple systems, infrastructures and security services.

Access: One is a zero-touch user management system for seamless integration with existing user repositories and access controls. It removes the need for organizations to provision and synchronize with a separate access management module. Access: One also supports a range of authentication mechanisms and user repositories, including support for real-time user authentication irrespective of the number of authentication sources required (for example multiple AD occurrences and Windows Domains). It supports the management of all authentication and authorization definitions and policies through a centralized management console. The product also allows organizations to add SSO capabilities, which can be strengthened through a range of additional secure, multi-factor authentication mechanisms. The Access: One solution also supports extending Tivoli Access Manager (TAM) infrastructures across other IAM solutions such as ActivIdentity, Cryptomathic, Entrust, Gemalto, RSA, Vasco, and VeriSign, utilizing out-of-the-box accelerators.

Compliance: One is a continuous controls monitoring solution. It is largely seen as a solution that can be used to extend IBM TIM deployments for large-scale production environments, as it provides automation of all business controls. Pirean claims that the company is the most accredited IBM Tivoli business partner and that its Access: One product is available ready for all IBM Tivoli implementations. Compliance: One complements Access: One deployments, and consists of a risk-based framework and an attestation engine that allows organizations to flexibly and readily monitor and manage all user access rights across the enterprise.


Compliance: One allows application access roles to be defined, and provides an easy-to-use interface for handling access rights, certification tasks, and SME-based certification. The product also provides organizations with the ability to generate reports on user access data. It is also capable of identifying those accounts to which there is no associated owner and marks them as high risk, which can result in the initiation of a quarantine workflow and account de-provisioning. Using the product’s rules engine allows organizations to implement a risk scoring framework to support access and user provisioning decisions.

Hampshire (Head Office)
Pirean Limited
Faretec, Cams Hall Estate
Fareham, Hants, PO16 8UY, UK

London Office
Pirean Limited
One Canada Square
London, E14 5DY, UK

Tel: +44 (0)845 2260542
Fax: +44 (0)845 2262742

Red Hat

Company profile

Red Hat is a provider of open source software solutions for the enterprise. These include the core enterprise operating system platform – Red Hat Enterprise Linux; the enterprise middleware platform – JBoss Enterprise Middleware; virtualization solutions; and other Red Hat enterprise technologies. The company operates primarily in the US, is headquartered in Raleigh, North Carolina and employs 2,800 people.

Red Hat made a series of acquisitions before entering the IAM marketplace; these include Netscape’s Directory Server and Certificate System from AOL in 2004, based on which Red Hat open sourced the directory server in 2005 and the certificate server in 2008. These two projects form the foundation of the FreeIPA (identity, policy, audit) project, launched in June 2007, and are responsible for building the community edition of Red Hat Enterprise IPA (RHE-IPA), which was launched in June 2008, with the core objective of building a fully grown IAM solution.

RHE-IPA’s launch overlapped with another acquisition, this time of the identity integration provider Identyx, and the open sourcing of RHN Satellite. RHE-IPA is focused on providing a holistic IAM solution that covers both Web-based systems (such as a customer-facing portal) and operating systems. From an OS point of view, it aims to replace the standard Network Information Service (NIS) Unix tool (to manage user, group and machine authentication and authorization), hence the acquisition of Identyx, whose open source Penrose virtual directory helps users to migrate from NIS to the more robust, feature-rich (and revenue generating) RHE-IPA. Penrose helps to identify and resolve conflicts and enables a phased migration rather than a ‘big bang’ approach.

FreeIPA’s initial version was focused on pure identity management and authentication. It consisted of an MIT Kerberos 5 server combined with a Fedora directory server back-end to set up a centralized identity management solution, using the directory as the username and password store and Kerberos for authentication and SSO. RHE-IPA also included features such as multi-master replication and support for online backups, updates and configuration changes to ensure that RHE-IPA services are available on a 24×7 basis. FreeIPA reached version 1.2.1 in December 2008, and its next release (Version 2.0) is aimed at enabling administrators to centrally manage a broad set of functionalities (such as access control policy, SELinux policy, etc.) and apply different policies based on machine group, location, user and more. Version 2 will also focus on delivering support for delegated administrator controls and centrally managed system lockdown state. For auditing, this version is expected to provide organizations with the ability to centrally collect and analyze logs and events and extract management and compliance data.

Product description

Red Hat’s venture into the identity and access management arena is based on the FreeIPA (Identity, Policy, and Audit) offering, also known as Red Hat Enterprise-IPA. FreeIPA is basically a Red Hat-sponsored open source project that helps organizations manage identity, policy and audit (IPA) information through its integrated suite. It is primarily targeted towards networks of Linux and UNIX computers.


Red Hat Directory Server: is an LDAP-compliant server that helps centralize all user profiles, group data, policies, access control information, and related application settings under a single network-based registry. This single repository of all policies and access information ensures that administrators can rely on a single directory and single authentication source for all user access across enterprise or extranet applications. The Directory Server supports SSO access and also provides support for 64-bit Red Hat Enterprise Linux, HP-UX and Solaris platforms.

Red Hat Certificate System: provides a security framework for managing certificate creation, renewal, suspension, and revocation activities. It also manages single- and dual-key X.509v3 certificates that are required to handle strong authentication, SSO, and secure communications. The Red Hat Certificate System functions as an authentication system that helps organizations manage user access to resources and data. The Certificate System supports deploying and maintaining a PKI that helps manage user identities in an effective manner. The system can also integrate seamlessly with third-party security software and existing applications through published APIs.

FreeIPA/RHE-IPA are Linux- and Unix-centric, which somewhat limits their appeal among end-user customers. In terms of provisioning, while Version 1 of the product provides basic Microsoft AD synchronization (user identity information and, optionally, password), Version 2 will enable identity management and authentication from one environment. Merging the product with Penrose also makes it even more flexible for RHE-IPA to deliver a unified view of identity across multiple sources, including LDAP, NIS, AD and other databases. The offering also links with JBoss workflow technology, strengthening its overall ID provisioning capabilities.

Red Hat Corporate Headquarters
1801 Varsity Drive
Raleigh, North Carolina 27606, USA
Tel: +1 (919) 754 3700
Fax: +1 (919) 754 3701

Red Hat EMEA Headquarters
Technopark II, Haus C
Werner-von-Siemens-Ring 11-15
85630 Grasbrunn, Germany
Tel: +49 89 205 071 0
Fax: +49 89 205 071 111

www.redhat.com

SailPoint Technologies

Company profile

SailPoint provides identity governance solutions. Founded in December 2005, the company is privately held and is headquartered in Austin, Texas. Its investors include Austin Ventures, Lightspeed Venture Partners, Origin Partners, and Silverton Partners. Its customers include Global 1000 and Global 500 companies, including five of the world’s top 10 banks, three of the industry’s top insurance companies, two of the top three managed-healthcare providers in the US, and some of the largest consumer, manufacturing, and telecom companies in the world. Reference customers include ABN Amro, Allianz SE, Brightstar, Burlington Northern Santa Fe Railroad, Citizens Bank, Intuit, and Tokyo Electron.

Product description

SailPoint IdentityIQ v4.0 is a risk-based identity governance solution for managing user access to critical business systems and the data that they contain. It uses a single-repository approach to consolidate identity and access data into a single location, and provides extensive reporting services. Associated capabilities include the formalization and automation of key identity and access management processes such as access certification, role management, access request management, and compliance management. Also included are tools for modeling the organizational hierarchy and for defining roles that will be used to classify access rights.

SailPoint IdentityIQ comprises four key components:

• IdentityIQ Identity Intelligence: facilitates the transformation and consolidation of all technical and application-specific identity data items into a form that is suitable for business users. It allows organizations to link their application-specific identities and access privileges. The dashboards can be further customized to enable authorized users to access reports according to identity-related metrics. The Identity Intelligence module also provides risk analytics and monitoring capabilities.


• IdentityIQ Compliance Manager: delivers automated compliance processes and is an integrated part of the solution’s risk services. Two key sets of tasks can be executed through the Compliance Manager: the automation of processes, and the receipt of reports and alerts related to the compliance status of the organization and all related systems-usage activity. Importantly, Compliance Manager is used to define and enforce policies that are based on organizational needs as opposed to technology constraints; the Compliance Manager automatically scans and detects policy violations and supports defined separation-of-duty policies based on roles and access privileges.

• IdentityIQ Role Manager: provides automated role lifecycle management. It enables a defined, automated, and technology- and application-agnostic approach to the creation, modification, and deactivation of roles.

• IdentityIQ Access Request Manager: centralizes the management of all access requests by providing a workflow-based self-service interface that automates the approval process once a request has been submitted. IdentityIQ self-service interfaces provide business users with a filtered option that allows them to modify or request certain types of access according to roles and policy.

IdentityIQ uses its aggregation and correlation engine to associate and bring together all linked data using a rules system, which stores the data in ‘identity cubes’ – a multi-dimensional representation of each user offering insight into their attributes, business roles, and access rights. The aggregated data is used to build a complete organizational picture of who has access to which systems and applications, and the levels of access provided for each application.

The solution defines risk levels for every user based on their access rights and how they are being used. For example, a user with privileged access to applications that hold identifiable customer or account information could be flagged as a high-risk user. IdentityIQ also provides a graphical user interface for defining roles that is equipped with modeling tools to map complex organizational hierarchies and other business structures. The volume of business- and user-relevant information available through reports is extensive, and its Business Context Framework extends its reporting facilities to provide an entitlement glossary and usage tips.
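Two of the profiles above describe the same governance mechanism from different angles: Pirean’s Compliance: One flags accounts with no associated owner as high risk and can push them into a quarantine workflow, and SailPoint’s IdentityIQ assigns each user a risk level derived from the sensitivity of their access rights. The script below is an added illustration of that mechanism, not code from either vendor: it correlates a constructed application-account inventory against a constructed HR identity feed, treats accounts whose owner is missing, unknown to HR or terminated as orphans, scores every account by assumed entitlement weights, and rolls the scores up to a per-identity risk level. The identity ids, entitlement names, weights, threshold and penalty are all assumptions chosen for the example.

```python
"""Orphaned-account detection and access risk scoring (added example, not
vendor code). All identities, accounts, weights and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed HR identity feed (in practice sourced from HR or the corporate directory).
HR_IDENTITIES: Dict[str, dict] = {
    "u1001": {"name": "A. Example", "status": "active"},
    "u1002": {"name": "B. Example", "status": "active"},
    "u1003": {"name": "C. Example", "status": "terminated"},
}

# Constructed inventory of application accounts aggregated from target systems.
APP_ACCOUNTS: List[dict] = [
    {"app": "crm", "account": "aexample", "owner": "u1001", "entitlements": ["crm.read"]},
    {"app": "crm", "account": "cexample", "owner": "u1003", "entitlements": ["crm.admin"]},
    {"app": "billing", "account": "svc_batch", "owner": None, "entitlements": ["billing.admin"]},
    {"app": "billing", "account": "bexample", "owner": "u1002",
     "entitlements": ["billing.read", "billing.pii_export"]},
    {"app": "hr", "account": "ghost", "owner": "u9999", "entitlements": ["hr.read"]},
]

# Assumed sensitivity weight per entitlement; a rules engine would hold these as policy.
ENTITLEMENT_WEIGHT: Dict[str, int] = {
    "crm.read": 1, "crm.admin": 5,
    "billing.read": 2, "billing.admin": 6, "billing.pii_export": 8,
    "hr.read": 3,
}
HIGH_RISK_THRESHOLD = 8   # assumed: a score at or above this is "high risk"
ORPHAN_PENALTY = 10       # assumed: an account nobody answers for is always high risk


@dataclass
class Finding:
    app: str
    account: str
    owner: Optional[str]
    score: int
    reasons: List[str] = field(default_factory=list)
    action: str = "none"   # none | certify | quarantine


def orphan_reason(owner: Optional[str], hr: Dict[str, dict]) -> Optional[str]:
    """Return why an account is orphaned, or None when it has a live owner in HR."""
    if owner is None:
        return "no owner recorded"
    ident = hr.get(owner)
    if ident is None:
        return f"owner {owner} unknown to HR"
    if ident["status"] != "active":
        return f"owner {owner} is {ident['status']}"
    return None


def score_account(acct: dict, hr: Dict[str, dict] = HR_IDENTITIES,
                  weights: Dict[str, int] = ENTITLEMENT_WEIGHT) -> Finding:
    """Score one account by entitlement sensitivity, then apply the orphan rule:
    orphans get the penalty and a quarantine workflow (disable, then de-provision);
    owned but sensitive accounts are routed to an access certification instead."""
    score, reasons = 0, []
    for ent in acct["entitlements"]:
        w = weights.get(ent, 0)        # unknown entitlements carry no weight
        score += w
        reasons.append(f"{ent} (+{w})")
    f = Finding(acct["app"], acct["account"], acct["owner"], score, reasons)
    why = orphan_reason(acct["owner"], hr)
    if why is not None:
        f.score += ORPHAN_PENALTY
        f.reasons.append(f"orphan: {why} (+{ORPHAN_PENALTY})")
        f.action = "quarantine"
    elif f.score >= HIGH_RISK_THRESHOLD:
        f.action = "certify"
    return f


def review(accounts: List[dict] = APP_ACCOUNTS,
           hr: Dict[str, dict] = HR_IDENTITIES) -> List[Finding]:
    return [score_account(a, hr) for a in accounts]


def high_risk(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.score >= HIGH_RISK_THRESHOLD]


def identity_risk(findings: List[Finding]) -> Dict[str, str]:
    """Roll account scores up to a per-identity level (low/medium/high), counting
    only accounts with a live owner; orphans have no identity to attach to."""
    totals: Dict[str, int] = {}
    for f in findings:
        if f.action != "quarantine":
            totals[f.owner] = totals.get(f.owner, 0) + f.score

    def level(s: int) -> str:
        return "high" if s >= HIGH_RISK_THRESHOLD else "medium" if s >= 4 else "low"

    return {owner: level(s) for owner, s in totals.items()}


if __name__ == "__main__":
    findings = review()
    for f in findings:
        print(f"{f.app}/{f.account}: score={f.score} action={f.action} ({'; '.join(f.reasons)})")
    print("identity risk:", identity_risk(findings))
```

With the constructed data, the terminated owner, the service account with no owner and the account pointing at an id HR has never heard of all land in quarantine, while the owned account holding a PII export entitlement is sent for certification rather than disabled; that split between "nobody answers for this" and "someone does, so ask them" is what separates a quarantine workflow from an attestation campaign.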

US/Corporate Headquarters
SailPoint Technologies Inc.
6034 W Courtyard Drive, Suite 309
Austin, Texas 78730, USA
Tel: +1 (512) 346 2000
Fax: +1 (512) 346 2033

European Headquarters
SailPoint Technologies Inc.
145-157 St John Street, 2nd Floor
London, EC1V 4PY, UK
Tel: +44 (0)845 2733826

Email: [email protected]

www.sailpoint.com

SAP

Company profile

SAP is a recognized leader in the enterprise application market, having established its reputation on the back of its integrated R/3 Enterprise Resource Planning application suite. It is headquartered in Walldorf, Germany, and was founded in 1972. The company has sales and development locations in over 50 countries, and approximately 51,000 staff serving around 82,000 customers in 120 countries. Although SAP states that over 80% of Fortune Global 500 enterprises use its products, and large enterprises form a substantial part of its market, the company is increasingly targeting the mid-market. SAP is known for its process expertise, particularly in vertical industries, and has solutions for 25 different industries ranging from aerospace and defense to wholesale distribution. SAP is a publicly listed company trading on multiple exchanges including the Frankfurt Stock Exchange and the New York Stock Exchange under the “SAP” symbol.


Product description

The NetWeaver Identity Management suite (SAP NetWeaver IdM) is SAP’s solution for managing user access across applications and for monitoring adherence to audit and compliance requirements. SAP NetWeaver IdM uses a role-based mechanism for provisioning users, and also supports all related processes such as password management, self-service, and approvals workflow. All of SAP NetWeaver IdM’s capability is delivered as an integrated, open platform component that manages the access and identity information linked with systems, web services, and business processes. The product is also capable of working not just with SAP applications; it integrates with systems and applications across a heterogeneous landscape.

The major capabilities of SAP NetWeaver Identity Management include:

• Identity virtualization – provides an integrated, unified view of all users’ virtual identity, allowing organizations to leverage existing identity information and access rights across the entire network.

• Data synchronization – ensures that if the user makes any changes to key information in one application, this is transformed and propagated accordingly to all other related applications as well, thus ensuring data consistency.

• Provisioning, workflow, and approvals – driven by business rules and definitions of associated policies. It aligns with access controls and maintenance of user access rights across the systems. SAP NetWeaver Identity Management streamlines the user provisioning process across SAP as well as other third-party applications through a certifiable connector framework. This connector-based framework enables the product to support LDAP directories and JDBC databases, and it supports applications such as Microsoft AD, Microsoft Exchange, and IBM Lotus Notes. SAP NetWeaver IdM uses a workflow module that enables organizations to set up workflows for all account management activities, which includes account creation, modification, deactivation, and deletion.

• Password management – is a key feature of SAP NetWeaver IdM; it provides self-service software that allows users to manage their information through a centralized location for all connected target systems. It also supports self-service password reset and password synchronization capabilities.

• Roles and entitlements – SAP NetWeaver Identity Management offers role-based access control based on the NIST RBAC standards. Roles are assigned in alignment with business processes, and users can be assigned roles and privileges which enable secure access to various systems.

• Reporting and auditing – the product provides centralized reporting services. These enable users to produce reports based on current access and past events. The reports enable organizations to handle compliance, audit, and related initiatives.

All product activities are managed centrally through the identity console, and NetWeaver IdM also includes a Web-based workflow user interface that allows users to reset their password and perform other self-service activities. The solution also has a monitoring interface that allows administrators to monitor logs and queue processing. It provides the ability to integrate with SAP Business Suite applications as well as SAP BusinessObjects GRC solutions.

SAP provides advanced identity management functionality services that are completely based on web services standards. They provide a standards-based single access point for users to query and manage identity information.

SAP AG – Parent Company
Neurottstrasse 16
69190 Walldorf, Germany
Tel: +49 6227 7 47474
Fax: +49 6227 7 57575
Email: [email protected]

SAP (UK) Limited
Clockhouse Place, Bedfont Road
Feltham, Middlesex, TW14 8HD, UK
Tel: +44 (0)870 6084000
Fax: +44 (0)870 6084050
Email: [email protected]

www.sap.com


Sentillion

Company profile

Sentillion Inc. provides identity and access management solutions primarily for healthcare organizations. It has systems deployed in local, regional, and national healthcare organizations including clinics, community hospitals, federal healthcare facilities, and academic teaching institutions. In February 2010, Microsoft acquired Sentillion. All Sentillion’s products have since been added to Microsoft’s portfolio of health solutions and the team has been merged into the Microsoft Health Solutions Group. The Sentillion team will however continue to operate out of its offices in Andover, Mass., to sell and support its product line, while Microsoft will be developing long-term evolution plans combining the two product lines. Sentillion’s context management and SSO technologies will be combined with the Amalga Unified Intelligence System – a real-time data aggregation solution – to enable Microsoft to give clinicians real-time insight into patient information.

Product description

Sentillion solutions provide SSO, user provisioning, clinical workstations and virtualized remote access.

Sentillion’s expreSSO is an appliance-based SSO solution developed specifically for the healthcare sector. It offers out-of-the-box integration options with common applications within the healthcare sector, and offers wizard-driven application connectors to enable integration with other third-party applications. It automatically imports user identity data and provides ongoing synchronization with enterprise directories like LDAP and AD. A centralized administration console leverages agent-based technology to sense when applications are launched and generates events and audit trails that encapsulate user activity around these applications. expreSSO offers tight integration with Sentillion Tap & Go, a tool that leverages proximity cards to provide secure two-factor authentication. This means that users can swipe their company ID cards against a card reader, and combine with it a biometric or password-based authentication device that has a validity period, to gain access to areas of the clinic/hospital that they are authorized to enter. Once the validity period expires, it can be reset through expreSSO to continue to get access to protected areas.

Sentillion proVision is the company’s provisioning tool developed specifically for the healthcare sector. It offers capabilities to simplify the task of provisioning users with access to computer resources. It supports healthcare-specific applications such as Computerized Physician Order Entry, Picture Archiving and Communications System, and their portals; administrative applications such as billing and enterprise directories; and personal productivity applications such as e-mail.

The Sentillion IdMPOWER Community is a member community for users of the Sentillion range of products and provides access to an online knowledge base of best practice deployment options, troubleshooting guides, FAQs and articles. The IdMPOWER Community also contains an open source bridges library that provides a number of software adapters for healthcare applications that are not supported out-of-the-box by Sentillion.

Headquarters
Sentillion, Inc.
40 Shattuck Rd., Suite 200
Andover, MA 01810, USA
Tel: +1 (978) 689 9095
Fax: +1 (978) 688 2313

UK Office
Sentillion Limited
3000 Hillswood Drive, Hillswood Business Park
Chertsey, Surrey, KT16 0RS, UK
Tel: +44 (0)845 0570302
Fax: +44 (0)845 0570312

www.sentillion.com


Siemens

Company profile

Siemens IT Solutions and Services, a subsidiary of Siemens, provides a wide range of IT services from consulting to system integration, IT infrastructure management, and software engineering to industry-specific IT solutions. Siemens IT Solutions and Services acts as a shared-services center for the Siemens group, running projects with its parent’s core vertical units – manufacturing/industry, energy/utilities and healthcare – and also continues doing business with external clients outside these sectors.

Product description

Siemens IT Solutions and Services, through its DirX product suite, provides a set of IAM solutions. The DirX product suite consists of the following components:

• DirX Identity: aimed at automating user and rights management, DirX Identity integrates user and role management, real-time provisioning, Web-based user self-service, request and approval workflows, password management, metadirectory, as well as auditing and reporting functionality. User provisioning and access rights management activities are handled through policy engines backed by centralized role management support. The component also provides user organizations with a centralized Java-based graphical user interface (GUI) that allows administrators to configure and manage users and services including roles and policies, integration, synchronization, and workflow activities.

• DirX Audit: this product provides a centralized user interface that centrally and securely stores, analyzes, correlates, and reviews all identity-related audit logs, which can be used later by auditors or security compliance officers to generate reports or perform statistical analysis. DirX Audit is made up of the following components: DirX Audit collectors, which collect all generated audit logs from various sources; DirX Audit Server, a centralized server that transforms, augments, and stores all audit logs in the DirX audit store; DirX Audit database, which centrally stores all audit logs; and DirX Audit Manager, a Web-based user interface that provides access to the DirX Audit database for auditors, users, and security officers. The module provides pre-configured reports based on JasperReports technology, and also allows users to download the Jaspersoft iReport technology and customize it to generate reports that meet their specific needs.

• DirX Directory: acts as an identity store for the storage of all identity credentials and allows employees, customers, trading partners, subscribers, and other e-business entities to access them. The directory is also capable of centrally storing and managing other credentials such as public keys for a public key infrastructure (PKI), and is compliant with standards such as LDAP, X.500, and DSML. The module provides control over user authentication and access to identity data, which can be defined down to the level of individual attributes in entries. Users can access the directory through web browsers, using the DirXweb for JSP Technology applications; via SOAP/DSMLv2-compliant clients over the DirX DSML server; through any LDAP client and LDAP-enabled application; using a command-line administration interface; and from a Java-based management client called DirXManager.

• DirX Access: this module integrates access management, entitlement management, identity federation, web services security, and web SSO (WSSO) in order to protect web applications and web services from unwanted access. While all user access is controlled by enforcing centrally managed role-based business security policies, DirX Access also supports the SSO authentication model. The module is based on a service-oriented architecture (SOA) and provides support for all relevant standards for authorization, federation, provisioning and web security with XACML, SAML, and SPML. Through its reporting interface, the product allows administrators to obtain reports in .pdf format based on system, role hierarchy, role/policy association, user/role association, and organizational hierarchies – thereby supporting audit and reporting regulatory compliance initiatives.

Siemens IT Solutions and Services also provides professional services for assessing customer needs and offers tailor-made solutions for their IAM needs. These services include project consulting, analysis and planning, solution implementation, maintenance, and training.


Corporate Headquarters

Siemens Aktiengesellschaft
Wittelsbacherplatz 2
80333 Munich
Germany

Tel: +49 89 636 00
Fax: +49 89 636 34242

www.siemens.com

WSO2

Company profile

WSO2 is a provider of an open source Service Oriented Architecture (SOA) platform based on the Open Services Gateway initiative (OSGi) component model. The company's SOA offering provides tools for service creation, service connection, service composition, and SOA Governance, as well as an Enterprise Service Bus (ESB) for connecting services. Headquartered in Mountain View, California, USA, WSO2 also has offices in Emsworth, UK, and Colombo, Sri Lanka. WSO2 is a privately held company that was founded in August 2005 after having received Venture Capital (VC) funding from Intel Capital. The company now has 75 employees worldwide, the majority of whom are developers based out of the Research and Development centre in Colombo. WSO2 is a key contributor to international standards organizations such as the World Wide Web Consortium (W3C), Open Architecture for Accessible Services Integration and Standardization (OASIS), the OpenID Foundation, Microsoft's Interoperability Vendor Alliance, the Advanced Message Queuing Protocol (AMQP) Working Group, and oCERT.

Product description

The WSO2 Identity Server is an open source identity and entitlement management solution specifically focused on handling issues around identity and entitlements in an SOA environment. The solution offers the ability to issue managed information cards, which are backed by user name and password, and an XACML engine to handle fine-grained authorization. Registered users can download managed information cards against their accounts, and the information contained within these cards can be used to validate the service requester who makes a claim to access services. WSO2 Identity Server offers support for the CardSpace default claim set as well as OpenID for multi-factor authentication. An inbuilt audit trail and activity log shows user activities over published resources. The Identity Server's management console provides administrators with a dashboard for monitoring user accounts and issuing information cards and/or OpenID tokens.

WSO2 Identity Server supports XACML 2.0 services and provides policy-based fine-grained authorization by allowing XACML policies to be defined within the WSO2 Identity Server's Policy Administration Point. Using the ESB as a policy enforcement point, WSO2 enforces runtime governance on services by obtaining the access decision from the Identity Server's Policy Decision Point through an entitlement mediator. The key components and functionalities of WSO2 Identity Server are as follows:

• User manager component – decouples user attribute handling from the upper layers to facilitate claim-based access onto the underlying user store.

• Security Token Service – helps organizations issue claim-based Security Tokens, as well as map all associated user attributes, which enables identity federation.

• Identity Provider – allows flexible handling of all Information Card and OpenID based logins.

• XACML engine – drives all authorization decisions based on policies.

WSO2 Identity Server allows central management of all administrative configuration activities through its management console. It can be deployed over existing AD/LDAP/JDBC user stores and is also built with the aim of easily fitting into an existing SOA environment. WSO2 Identity Server is provided under the open source Apache license.
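As an added illustration of the XACML decision flow described above (example code written for this page, not WSO2's own), a constructed XACML 2.0 policy is evaluated by a minimal policy decision point under the deny-overrides rule-combining algorithm, and an enforcement point refuses anything other than an explicit Permit. The resource and action attribute identifiers are standard XACML ones; the role attribute id `urn:example:attributes:role`, the `payroll` resource and the `clerk` role are constructed sample values.

```python
# Minimal XACML 2.0 PDP/PEP for illustration: string-equal matches on
# Subject/Resource/Action targets, deny-overrides rule combining.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
# Standard XACML attribute ids for resource and action; the role id is constructed.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ID = "urn:example:attributes:role"

# Constructed sample policy: nobody may write to the payroll service,
# and only subjects holding the clerk role may read it.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="payroll-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="deny-write" Effect="Deny">
    <Target>
      <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XSD_STRING}">payroll</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XSD_STRING}"/></ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XSD_STRING}">write</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XSD_STRING}"/></ActionMatch></Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="permit-clerk-read" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XSD_STRING}">clerk</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE_ID}" DataType="{XSD_STRING}"/></SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XSD_STRING}">payroll</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XSD_STRING}"/></ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XSD_STRING}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XSD_STRING}"/></ActionMatch></Action></Actions>
    </Target>
  </Rule>
</Policy>"""


def _match(match_el, request):
    """One *Match element: the literal AttributeValue must string-equal the
    request attribute named by the designator; a missing attribute never matches."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId: " + str(match_el.get("MatchId")))
    wanted = match_el.find("x:AttributeValue", NS).text
    designator = next(c for c in match_el if c.tag.endswith("AttributeDesignator"))
    return request.get(designator.get("AttributeId")) == wanted


def _target_matches(target, request):
    """An absent or empty Target matches anything; otherwise every category
    present must match (AND), with alternatives inside a category OR-ed."""
    if target is None:
        return True
    for category in ("Subjects", "Resources", "Actions"):
        cat_el = target.find("x:" + category, NS)
        if cat_el is None:
            continue
        if not any(all(_match(m, request) for m in alt) for alt in cat_el):
            return False
    return True


def evaluate(policy_xml, request):
    """PDP: return Permit, Deny or NotApplicable for a request (a dict of
    attribute id -> value) under deny-overrides: any applicable Deny wins."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall("x:Rule", NS)
               if _target_matches(rule.find("x:Target", NS), request)]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def pep_allows(policy_xml, request):
    """PEP: only an explicit Permit grants access; Deny, NotApplicable and
    evaluation errors all refuse, so the enforcement point fails closed."""
    try:
        return evaluate(policy_xml, request) == "Permit"
    except (ValueError, ET.ParseError):
        return False
```

A request lacking the role attribute still hits the Deny rule for a write, which is the point of deny-overrides: a single applicable Deny cannot be outvoted by a Permit.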


WSO2, Inc.

800 West El Camino Real, Suite 180
Mountain View
CA 94040
USA

Tel: +1 (408) 754 7388
Fax: +1 (408) 689 4328

www.ws02.com


CHAPTER 9:

Glossary


Access control

Controls which systems authorized users can visit and what they are allowed to do once there.

Access control list (ACL)

A table that controls what access rights each user has.

Analytics

Programming, technology-related processes and business-related processes that gather, store and interrogate data to enable informed decisions to be made.

The American National Standards Institute (ANSI)

An organization that develops and maintains technology standards in the US.

Application server

A layer of software that provides a scalable link between web applications and back-end applications, and typically offers features such as security, clustering and failover, and load balancing.

Application programming interface (API)

An approach that enables application programs to make requests to an O/S or to another program.

Authentication

The identification of prospective systems users and a method for determining if someone or something is who or what they claim to be.

Authorization

The provision of control over what authenticated users can do.

Business-to-business (B2B)

How a business communicates with other businesses, such as partner companies.

Business-to-consumer (B2C)

How the business communicates with its customers.

Business-to-citizen (B2Cz)

How organizations (in this case, normally government-based organizations) communicate with citizens.

Biometric Application Programming Interface (BAPI)

The interface between an API and a physical biometric device.

BioAPI

An open API standard to exploit biometric authentication.

Business Process Execution Language (BPEL)

An XML-based specification with its origins in IBM’s WSFL and Microsoft’s XLANG standard.

Certificate authority (CA)

Responsible for the distribution and management of digital certificates.

Cloud computing

A term that is often used to describe computing resources that are accessed over the Internet.

Circle of trust (CoT)

A description of the trust component for federated identity. A group of trusted service providers that share linked identities and have negotiated relevant agreements on how to work together.

Data Encryption Standard (DES) and Triple DES/3DES

Standard industry recognized methods of data encryption using a secret key.

Data Loss Prevention (DLP) technology

Technology solutions that are designed to monitor, detect and prevent the unauthorized movement of information from business systems.

Demilitarized zone (DMZ)

A DMZ refers to the part of an organization's network that exposes its services to the outside world, usually through the Internet (NB: the term "services" is not necessarily restricted to the SOA context, but can refer to any applications made available to the outside world). A DMZ is normally (but not necessarily) implemented between a pair of firewalls. The outer firewall allows through traffic from the outside world to the DMZ, where components such as proxies and routers will reside. The inner firewall only allows verified network traffic to be passed to the sensitive internal network.

Domain Name System (DNS)

DNS is the method the Internet uses for translating an IP address to a physical server.

Directory Services Markup Language (DSML)

Links directory services with XML-based services and provides the ability to denote directory details in XML.

Enterprise Web 2.0

Describes a fresh, and some would say new, approach to the design and provision of business applications that incorporates aspects such as social networking, collaboration and real-time communication. It focuses a great deal of attention on the user's "experience".

EMV 2000

The Europay MasterCard Visa specification for payment systems.

Enterprise Resource Planning (ERP)

A software suite that aims to support all the core functions of an organization, including areas such as inventory control, accounting, production, logistics and human resources in an integrated whole, providing a tied-together enterprise.

Extranet

A private network that uses Internet technology and the public telecommunications system to securely share part of a business's information or operations systems.

ESSO

Enterprise single sign-on.

FIPS

Federal Information Processing Standard.

File Transfer Protocol (FTP)

A standard Internet protocol that is the simplest way to exchange files between computers on the Internet.

GSM

The standard global system for mobile telecommunications.

GRC

Governance, Risk and Compliance.

Graphical user interface (GUI)

A GUI is a graphical (rather than purely textual) user interface to a computer.

Health Insurance Portability and Accountability Act (HIPAA)

A standard for electronic data interchanges in the US healthcare sector.

Hardware security module (HSM)

A highly secure device that enables organizations to protect and manage passwords.

Homeland Security Presidential Directive (HSPD)

This directive addresses the problem of inconsistent and potentially insecure forms of identification.

Hypertext markup language (HTML)

A markup language designed to display material in a browser. As with XML, it consists of a series of tags, but unlike XML, it contains information about the way in which text is displayed, and does not describe data.

Identity Federation Framework (ID-FF)

The Identity Federation Framework provides a method for SSO and linking different user accounts found within the circle of trusted service providers.


IdF

Identity Federation.

Identity Services Identity Specifications (ID-SIS)

An assortment of specifications for services enabled by ID-WSF.

Identity Web Services Framework (ID-WSF)

This allows for identity-based web services with the provision of permission-based sharing of user attributes, identity-based service discovery, user security profiles and the ability to employ different client types.

Internet Protocol Security (IPSec)

A security protocol that provides authentication and encryption over the Internet.

Integrated Services Digital Network (ISDN)

An international communications standard for sending voice, video and data over digital or normal telephone lines.

ISO

The International Organization for Standardization, a global body made up of over 140 national standards bodies, with the objective of promoting the development of standardization worldwide.

Internet service provider (ISP)

Provides businesses and consumers with access to the Internet.

Information Technology Infrastructure Library (ITIL)

A globally recognized collection of best practices for IT service management.

Java EE (formerly J2EE: Java Platform, Enterprise Edition)

Defines the standard for developing multi-tier applications using Java. Java EE simplifies enterprise applications by basing them on standardized modular components, by providing a complete set of services to those components, and by handling many details of application behavior automatically, without the need for complex programming.

Java Message Services (JMS)

An API messaging standard that allows Java EE application components to create, send, receive and read messages.

Kantara Initiative

An organization that took over from the Liberty Alliance. Its role is to help the identity community to develop actions that will ensure secure, identity-based online interactions and, at the same time, prevent the misuse of personal information. Its goal is to ensure that networks can be privacy protected across trustworthy environments.

Kerberos

Secure authentication methodology, bundled with most operating systems, that utilizes the private key method and functions at the application layer, issuing authentication tickets that allow users to access services without being questioned again.

Lightweight Directory Access Protocol (LDAP)

A software protocol enabling anyone to locate organizations, individuals and other resources such as files and devices in a network, whether on the Internet or on a corporate Intranet.

Middleware

A general term for any programming that serves to "glue together" or mediate between two separate and usually already existing programs. A common application of middleware is to provide programs written for access to a particular database with the ability to access other databases.

.NET

Microsoft Technology, comprising the .NET framework, which includes the .NET object library, and the .NET Common Language Runtime (CLR). The CLR is equivalent to the combination of Java Virtual Machine (JVM) and Java EE Application Server in Java technology.

Network Access Control (NAC)

NAC is a method for improving the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.


Organisation for the Advancement of Structured Information Standards (OASIS)

A non-profit international body that aims to generate interoperable industry specifications.

Open Database Connectivity (ODBC)

An open standard API for accessing a database.

OS

Operating system.

OTP (One-time password)

The type of secure one-time code that can be generated using hardware devices such as tokens and smartcards, or through the use of software.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a set of policies and procedures to improve the security of credit, debit and cash card transactions and also to protect against identity theft.

Personal identification number (PIN)

Credit or debit card secure authorization code.

Public Key Infrastructure (PKI)

Enables users of a basically insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and stored through a trusted authority.

Portal

A type of web "supersite" that provides a variety of controlled business and consumer services, including web searching, news, white and yellow page directories, email, discussion groups, online shopping and links to other sites.

Registration authority (RA)

Captures and authenticates the identity of a user and submits a request for a certificate to the CA.

Remote Authentication Dial-In User Service (RADIUS)

An access verification method, which uses a challenge/response method for authentication.

Radio-Frequency Identification (RFID)

An automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders.

Return on investment (ROI)

A term used to describe how much of a return, usually profit or cost-saving, results from a completed business task, in relation to the original investment made.

RSS feeds

An XML-based approach to the distribution of web content.

Software as a service (SaaS)

A software distribution model in which applications are hosted by a service provider and made available to customers over the Internet or other selected channels.

Signatures and Authentication for Everyone (SAFE)

An identity validation and interoperability federation.

Security Assertion Markup Language (SAML)

Enables the interchange of authorization information between partners.

Simple Authentication and Security Layer (SASL) protocol

A method for adding authentication support to connection-based protocols.

Small and medium enterprises (SME)

A generic description of mid-market organizations.

Simple Mail Transfer Protocol (SMTP)

A TCP/IP protocol used to send and receive e-mail communications.


Service-oriented architecture (SOA)

An architecture that places process components delivered as consumable services at its heart. In its modern incarnation, this architecture is chiefly based on web services, providing a services platform layer that exposes business and operational services, and is typically a part of enterprise architecture.

SOAP

Formerly Simple Object Access Protocol, but now simply referred to as SOAP. A lightweight XML-based protocol consisting of three parts: an envelope that contains a message and instructions for processing it; rules for expressing instances of application-defined data types; and a convention for representing remote procedure calls and responses. In summary, it is a protocol allowing the exchange of information in a decentralized and distributed environment.

Social media

The use of social media technologies such as social networks, blogs and forums to support a strategy of customer engagement and participation.

Sarbanes-Oxley Act (SOX)

Legislation to protect shareholders and the public from accounting errors and fraudulent practices in the enterprise.

Service Provisioning Markup Language (SPML)

A standard to assist with the creation, maintenance and deletion of user data across heterogeneous environments.

Secure Sockets Layer (SSL)

A common protocol for managing the security of a message over the Internet. Typically only one end of the conversation is fully authenticated.

Single sign-on (SSO)

An authentication process that enables users to enter one name and password in order to access multiple applications. Normally available to support Web and enterprise access environments.

Total cost of ownership (TCO)

TCO is a financial estimate of all the costs associated with acquiring, implementing, maintaining and using a resource over a particular time. It is most useful as a way of comparing the costs of two or more means of achieving the same end result.

Transmission Control Protocol/Internet Protocol (TCP/IP)

Governs the routing and transportation of data over the Internet.

The Open Group

Supports a number of initiatives relating to IAM.

Transport Layer Security (TLS)

This is a protocol that ensures privacy between communicating applications and their users on the Internet.

Two-factor authentication

Two levels of identity that in conjunction authenticate a user and combine to provide strong authentication.

Uniform Resource Locator (URL)

A URL is the address of a file (resource) accessible on the Internet.

Virtual local area network (VLAN)

VLANs can be viewed as a group of devices on different physical LAN segments that can communicate with each other as if they were all on the same physical LAN segment.

Virtual private network (VPN)

A private data network that makes use of the public telecommunication infrastructure, while maintaining privacy through the use of procedures.

Wide area network (WAN)

A geographically dispersed network.


Web 2.0

A collective description for the latest set of user-driven Internet technologies and applications that include blogs, wikis, RSS, mash-ups, and social networks, among others. It refers to second generation web-based services that are characterized by increased user interaction, information sharing and collaboration.

Web service

An architecture where software is delivered as a set of components that can be called from any application without regard to the underlying platform or operating system.

Workflow Management Coalition (WFMC)

A group of worldwide workflow vendors, users and research bodies with the objective of defining and sponsoring standards for workflow terminology and connectivity between different workflow products.

Workflow

A term used to describe the tasks, procedural steps, organizations or people involved, required input and output information, and tools needed for each step in a business process.

Web Services Description Language (WSDL)

WSDL is an XML format for describing network services as a set of endpoints or ports operating on messages containing either document-oriented or procedure-oriented information.

WS-Federation

Web Services Federated Trust describes how to build federated trust scenarios based on other specifications, and defines methods for managing trust relationships. In July 2003, Microsoft and IBM published a white paper outlining their thoughts on the contents of the specification.

Web Services Flow Language (WSFL)

WSFL is an XML language for the description of web services compositions.

Web Services Interoperability (WSI)

An organization that encourages web services interoperability between platforms, operating environments and programming languages by promoting SOAP.

WS-Policy

Web Services Endpoint Policy describes how senders and receivers can denote their requirements and capabilities, including essential attributes for privacy, encoding, security tokens and associated algorithms.

WS-Privacy

Portrays a model for how a privacy language can be embedded in WS-Policy descriptions, enabling organizations to detail conformity to defined privacy policies.

WS-Security

Web Services Security, a range of specifications detailing security interoperability.

WS-Trust

Web Services Trust Model details the method for establishing direct and third party trust associations.

X.509

Digital certificate standard that forms the basis of the PKI approach.

Extensible Access Control Markup Language (XACML)

An XML schema for denoting a policy interchange format.

XML Common Biometric Format (XCBF)

Designed to integrate and improve interoperability between biometric standards through the use of web services.

XML Key Management Specification (XKMS)

XML-based standards for the distribution and registration of public keys.

XLANG

An XML-based extension of WSDL.


Extensible Markup Language (XML)

A markup language defined by the World Wide Web Consortium (W3C) as a recommendation in 1998. Used as a meta language to describe data, it has widespread use in areas such as application integration, content management, electronic data interchange, and wireless communications. XML is extensible because, unlike HTML, the markup symbols are unlimited and self defining. Using an extensible stylesheet language (XSL), XML can be transformed for display as HTML on a web page, or to alternative formats for display on other types of client device. It provides a common format for documents and data.

XML signature

Used to denote the signature information of Internet resources.


CHAPTER 10:

Appendix


Further reading

2011 Trends to watch: Security – Protecting the organization against increasing threats.

Corporate mobile device use and security – Corporations are slowly embracing new technology.

Information Security – Protecting the Business and its Information.

The malware threat to mobile banking.

Methodology

• This report has been compiled from Ovum's ongoing program of research into the use of Identity and Access Management technology and the value that it provides for organizations and the users of their business systems.

• Ovum conducts independent research into IT strategy and issues. This report is comprised of the findings of numerous interviews with enterprise CIOs, vendors, and other experts in the field. The correlation of views and resolution of divergent views is based on Ovum's own in-house expertise.

Author(s)

Andy Kellett, Senior [email protected]

Graham Titterington, Principal [email protected]

Nishant Singh, Lead [email protected]

Somak Roy, Lead [email protected]

Ovum consulting

We hope that the analysis in this report will help you make informed and imaginative business decisions. If you have further requirements, Ovum's consulting team may be able to help you. For more information about Ovum's consulting capabilities, please contact us directly at [email protected].

Disclaimer

All Rights Reserved.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher, Ovum (a subsidiary company of Datamonitor).


This Report reveals:

• The user and information protection challenges involved when managing identity.

• Why IAM projects are large-scale investments and require an overhaul of business processes.

• That vendor consolidation has been a major factor for change in the IAM market.

• How IAM technology can be used to support compliance in highly-regulated industries.

• Why audit adds urgency to the need for a better IAM infrastructure.

• The impact on identity services of Cloud based operations.

• That the need for an Internet identity is now fully recognized.

• How organizations can benefit from using a federated approach to identity management.

• Which of the leading IAM vendors have improved their products and market positioning and now have the right credentials to lead the IAM sector forward.


Driving business value through collaborative intelligence OI00030-001


Ovum Europe

119 Farringdon Road,
London, EC1R 3DA,

United Kingdom

t: +44 (0)20 7551 9850

e: [email protected]

Ovum Australia

Level 5, 459 Little Collins Street,
Melbourne 3000,

Australia

t: +61 (0)3 9601 6700
f: +61 (0)3 9670 8300

e: [email protected]

Ovum New York

245 Fifth Avenue, 4th Floor,
New York, NY 10016,

United States

t: +1 212 652 5302
f: +1 212 202 4684
e: [email protected]
