This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."
Identity and access management suites combine technologies that fall into four broad, interrelated categories: identity administration, identity infrastructure, access management and auditing.
Under the identity administration umbrella sit user provisioning, role management, privileged user account management and enterprise role management. The distinction between role management and enterprise role management is important. Traditional role management is static: users are simply set up in roles and groups. Enterprise role management is dynamic: it is role-based authentication that can cross multiple business units and functional areas in a company, and it is flexible enough to shift roles around as the structure of the user population changes through company growth and acquisition.
Identity infrastructure includes anything holding identity information: directories, virtual directories and metadirectories. Access management includes overseeing access to multiple applications as well as SSO technologies, both for the enterprise and the Web, and federated identity management, a close relative of SSO. Auditing includes keeping track of users and their roles, which overlaps a bit with all of the above.
...to customers--suites are a one-stop shop for the four main functional areas of IAM. All of them offer user provisioning, while enterprise SSO is a component of some large suites, including those from BMC, CA, IBM, Novell and Oracle. Evidian, a specialist in SSO and federated identity management, has those functions as the centerpiece of its suite.
Andras Cser, Forrester senior analyst, says enterprises are looking to integrated product sets for interoperability and streamlined support; it's easier to get a technical fix with a suite than with individual products. Pricing is another motivator. "If you're trying to buy a lot of functionality and even if you don't need it, the chances of getting and buying functionality are cheaper," he says. And for the most part, suites have caught up with point products in functionality, Cser adds.
Aside from helping enterprises avoid the integration headaches associated with separate products, suites let companies centralize access management functions. They provide a single GUI or Web interface, with dashboards for provisioning, for managing roles and groups, and for managing directory services.
Integrated suites also centralize directory management, making different directory services like Active Directory and LDAP play together. Many companies use a mix of systems--mainframes, Windows and Unix environments--that were cobbled together as they grew internally or through acquisitions. Rather than rip out all their perfectly operational identity plumbing like RACF, Active Directory or LDAP, most enterprises would rather work with their existing directories. They just want the ability to manage them all with a single tool. The need to work with different directory services, which can't be easily consolidated or replaced with a single directory service, is a fundamental issue for many large enterprises.
Another advantage of IAM suites is the ability to produce reports. Reporting is at the heart of compliance with regulations like SOX and HIPAA and with industry standards like the Payment Card Industry Data Security Standard (PCI DSS). Rather than relying on a separate product like Cognos or Actuate to crank out a report, a suite may be able to generate reports itself and store the data in a database for retrieval. An example is Oracle Access Manager, which leverages the company's database capabilities to store access information from the different components of the suite. It has pre-built reports that can be used for compliance purposes to identify who has access to which systems. The report templates can also be used for incident management to record user access attempts or failed logins--a tell-tale sign of hacker mischief.
Reports may be Web-based or in hard copy for auditors and regulators, and they may also be integrated with security information management systems, as CA does with its suite.
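To make the two ideas concrete, here is an added Python example (not code from the article or from any vendor suite it names) that models static roles alongside dynamic enterprise roles driven by user attributes, and then produces the two kinds of report the article describes: an access-review matrix of who has access to what, and a failed-login report over an authentication log. Every user, role, system and log line below is constructed for the example; the attribute rules, log format and threshold are assumptions, not any product's format.

```python
"""Added example, not from the article: a minimal model of static versus
enterprise (attribute-driven) role management, plus the two compliance
reports the article describes, run over constructed data."""
from collections import Counter

# Constructed directory records: the attributes that drive dynamic role membership.
USERS = {
    "alice": {"department": "finance", "unit": "emea", "title": "analyst"},
    "bob":   {"department": "engineering", "unit": "americas", "title": "sre"},
    "carol": {"department": "finance", "unit": "americas", "title": "controller"},
}

# Traditional, static role management: explicit user -> roles lists.
STATIC_ROLES = {
    "alice": ["gl-reader"],
    "bob": ["prod-admin"],
}

# Enterprise roles: a rule over user attributes, so membership follows
# reorganisations and acquisitions without editing each user by hand.
ENTERPRISE_ROLES = {
    "finance-reporting": {"department": "finance"},                       # spans all units
    "emea-staff": {"unit": "emea"},                                       # spans all departments
    "finance-approver": {"department": "finance", "title": "controller"},
}

# Role -> entitlements on systems (constructed names).
ROLE_SYSTEMS = {
    "gl-reader": {"general-ledger:read"},
    "prod-admin": {"prod-servers:root"},
    "finance-reporting": {"general-ledger:read", "reporting-db:read"},
    "emea-staff": {"emea-intranet:read"},
    "finance-approver": {"general-ledger:approve"},
}

# Constructed authentication log, one event per line (assumed key=value format).
AUTH_LOG = """\
2008-05-01T09:12:03 user=alice result=OK src=10.0.0.5
2008-05-01T09:13:10 user=mallory result=FAIL src=10.0.0.9
2008-05-01T09:13:12 user=mallory result=FAIL src=10.0.0.9
2008-05-01T09:13:15 user=mallory result=FAIL src=10.0.0.9
2008-05-01T09:20:41 user=bob result=FAIL src=10.0.0.7
2008-05-01T09:20:50 user=bob result=OK src=10.0.0.7
2008-05-01T10:02:00 user=carol result=OK src=10.0.0.8
"""


def effective_roles(user, attrs=None):
    """Static roles plus every enterprise role whose rule the user's attributes satisfy.
    Passing attrs lets you preview the effect of a reorganisation before committing it."""
    attrs = attrs if attrs is not None else USERS[user]
    roles = set(STATIC_ROLES.get(user, []))
    for role, rule in ENTERPRISE_ROLES.items():
        if all(attrs.get(k) == v for k, v in rule.items()):
            roles.add(role)
    return roles


def access_matrix():
    """Compliance report: who has access to what, as user -> sorted entitlements."""
    matrix = {}
    for user in USERS:
        entitlements = set()
        for role in effective_roles(user):
            entitlements |= ROLE_SYSTEMS[role]
        matrix[user] = sorted(entitlements)
    return matrix


def parse_auth_log(text):
    """Turn 'timestamp key=value ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = dict(p.split("=", 1) for p in pairs)
        event["ts"] = ts
        events.append(event)
    return events


def failed_login_report(events, threshold=3):
    """Incident report: accounts with repeated failures and logins against
    accounts that do not exist in the directory at all."""
    failures = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {
        "repeated_failures": {u: n for u, n in failures.items() if n >= threshold},
        "unknown_accounts": sorted({e["user"] for e in events if e["user"] not in USERS}),
    }


if __name__ == "__main__":
    for user, entitlements in access_matrix().items():
        print(f"{user}: {', '.join(entitlements)}")
    print(failed_login_report(parse_auth_log(AUTH_LOG)))
```

The point of `effective_roles` is that Carol gains `finance-approver` and `finance-reporting` purely from her department and title, and would pick up `emea-staff` the moment her unit attribute changed, whereas Bob's `prod-admin` exists only because someone assigned it by hand and must be reviewed that way. The failed-login report separates repeated failures (Bob's single typo stays below the threshold) from attempts against accounts the directory has never heard of, which an access-review report alone would never surface.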
This was first published in May 2008