Feature

Identity Management Suites Enable Integration, Interoperability

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."

Download it now to read this article plus other related content.

NAC

    Requires Free Membership to View

Waiting Game
Network access control will have a critical role in the identity management mix, but integration may take a while.

It might seem that network access control (NAC) and identity and access management (IAM) suites are a perfect match. After all, both are about controlling access to systems. NAC checks and verifies endpoints before allowing them access to the network, while IAM checks users before allowing them access to the system. The marriage of hardware authentication and access control sounds ideal, but companies hoping for a quick union will have to wait a little while longer.

For sure, in the next few years NAC will have to become part of the standard feature set of IAM suites. As more companies have more laptop-clad and remote workers, NAC will become a necessity to defend the network from a loosening perimeter. That means NAC will have to become part of the IAM mix to bring those far-flung endpoints under control. When a company laptop is stolen from a coffee shop or hotel room, it's as much a NAC issue as an IAM issue to protect not only the data on the laptop, but to prevent the thief from using it to maliciously access the corporate network.

But NAC is farther behind in development than IAM. The products aren't as mature and the vendors haven't coalesced into cohesive suites, as they have with IAM. NAC also isn't as finely grained yet. It might be good for controlling access by contractors and partners but falls short on functions like the role-based access control required for hooking up with IAM.

Despite the obstacles, there are interesting developments percolating between IAM and NAC. Oracle's IAM suite, Oracle Identity Management (OIM), unifies access management across the network and application layers, providing fine-grained access control to applications based on network policies and connection and device type. Also, at Oracle OpenWorld in 2006, NAC provider Identity Engines showed a product that works with OIM. The Identity Engines Ignition Server was also showcased as meshing with Oracle Access Manager, Oracle Identity Manager, Oracle Internet Directory and Oracle Virtual Directory. Gartner has cited Oracle as the leader in NAC and IAM integration.

Another development, on a far smaller scale than the Oracle venture, is a hardware appliance from A10 Networks, IDsentrie. Though far from a full-blown IAM suite, IDsentrie takes care of both NAC and IAM functions by providing not only network authentication for remote and wireless devices, but also central account management, group management and access rights management. It also integrates with both Active Directory and LDAP, making it flexible for different architectures.

--JOEL DUBIN

Pitfalls
But suites don't
always deliver on their promise to be the panacea for all of an enterprise's IAM issues. First off, rolling out an entire IAM suite can be a time-consuming and costly venture for any company. Depending on the size of the organization, the costs could start in the hundreds of thousands of dollars and go up from there. For an enterprise with hundreds of offices and operations around the globe, deployment of a full suite is usually done in stages and can take a couple of years, and then only if everything goes smoothly. An enormous amount of planning goes into integrating an IAM suite with a company's architecture and existing directory services, including set up or migration of users, roles and groups to the new system.

Second, not every product set excels in everything. A product that is outstanding in provisioning may not be as good at reporting, for example, or its GUI or Web interface may be difficult to navigate.

The growing set of features in suites also makes buying decisions more difficult. The business requirements of most companies don't always match one-to-one with every feature. According to Forrester, this is further complicated by more stakeholders such as auditors and non-technical business people involved in the selection process and purchase of an identity solution

While suites generally offer broad functionality, they tend to lack two newer technologies: virtual directories and privileged account management. Virtual directories are servers that can access identity information in real time from multiple sources in a single view without storing identity data themselves. This allows multiple directories to be queried by accessing only the virtual directory, which, in turn, accesses the physical directories to answer the identity query. Virtual directories are used for SSO and federated identity management. Only Oracle, Sun and SAP have their own full virtual directory capabilities.

And privileged account management, which protects system administrator accounts, is in demand because of compliance concerns, but isn't fully represented by any of the major IAM suites.

This was first published in May 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: