GOLD | Novell Identity Manager
Price: Server, $75,000; Per user, $25
Novell says it has invested plenty to simplify the usability of its Novell Identity Manager product. Readers responded with a bevy of high ratings to earn Novell the gold medal. Novell Identity Manager earned high marks for scalability, return on investment, integration and compatibility, extensibility and breadth of platforms, applications and domains supported, and vendor service and support.
"We spoke with end users and managers and we'd hear people ask, 'How much consulting will I need to get it up and running?'" says Ivan Hurtt, product and marketing manager for security and identity products at Novell. "We had a lot of people who liked the product but were afraid to use it. If people don't know how to use the technology, all that power gets wasted."
Novell Identity Manager offers graphically based tools that let users drag-and-drop and create "what-if" scenarios.
"You can test it for a shorter period of time with a higher level of certainty, and then roll it out more aggressively," says Hurtt.
If users come to an Error 404 page, Novell Identity Manager creates a workflow request to the owner of the content rather than posting the usual dead end. On the other side, the owner can see the requester's attributes, decide if he or she deserves access to the content, and receive a report to show auditors.
Once all connectors, roles and policies are in place, Novell Identity Manager, with one click, can create a 250-page PDF file for auditors that includes workflows, access rights and style sheets that are innate to the system. Any changes made to the end user's network are instantly recorded in the file.
Continuum Health Partners in New York City installed Novell Identity Manager 13 months ago for messaging and file and print services. It already has added 21,000 identities, and is building drivers to the organization's downstream systems that will allow for provisioning and automatic attribute sharing of information like phone numbers in the GroupWise directory. "It's worked out really well for us and our HR people like it too," says Ken Lobenstein, CTO of Continuum.
Organizational buy-in is key because HIPAA requirements make access management a company-wide issue. Lobenstein got Novell Identity Manager running in six months so other departments could see quick results.
SILVER | RSA ClearTrust
Price: $26 per user
RSA ClearTrust--now known as Access Manager--enables single sign-on for customers, partners and suppliers, combining Web access management with role-based provisioning. Readers gave RSA ClearTrust high marks for extensibility across platforms, applications and domains, as well as for ease of use and end-user transparency. RSA touts the product's ability to integrate within a heterogeneous environment of Web and application servers with native support for directory servers and databases. Users also have self-service features for account creation, group assignments, profile updates and password resets.
BRONZE | Oracle Identity Management
Price: $80 per user
Oracle Identity Management has a full suite of identity management capabilities, including single sign-on and Web access control, provisioning, federation, directory services, strong authentication and development toolkits. Readers rated Oracle Identity Management highly for its return on investment and scalability. Oracle says the software runs on top of your existing directory, or with Oracle's virtual directory, which also enables an enterprise to combine directories and make them look like a single entity. One area where readers say Oracle Identity Management could use work is the extensibility and breadth of platforms and domains it supports.
In the trenches
The politics of IAM
Security managers need time to implement identity management, while business units want immediate results.
When it comes to getting the most out of your identity and access management system, IT directors must first ask: How quickly do you need to score a victory with your colleagues?
"A decision needs to be made about the political nature of your organization, and whether you need to look for quick wins" with your IAM product, says Ken Lobenstein, chief technology officer and chief security officer with Continuum Health Partners in New York City.
Lobenstein believes it takes two to three years for organizations to best implement and utilize identity and access management. Of course, other departments in your organization might not want to wait 24 months to see the fruits of the IT department's latest endeavor. That's especially true with IAM, where regulatory pressures require IAM capabilities.
Lobenstein understood he needed a quick victory when the hospital network he works for bought Novell Identity Manager one year ago. Within six months he had the Novell device managing the identities of 400 new residents across three databases. With more than 21,000 users, that may not sound like a big victory. But his co-workers were pleased, and that initial triumph kept enthusiasm alive for the ongoing implementation.
Looking for the quick victory "makes it harder and it takes more time for the business people in my office up front because they have to talk more about the installation in the first year," says Lobenstein.
However, Lobenstein's quick victory was not without setbacks. "The pain was that we didn't have business rules fully developed as we implemented it, so we had to rebuild our drivers two or three times because they didn't quite work," he says.
To avoid such problems, companies need to figure out what they want out of their IAM product before buying one. "Start small and don't try doing every single application," says Karl Jackson, an IT software engineer at Brigham Young University in Provo, Utah.
Jackson has used CA eTrust Identity and Access Management Suite for five years to manage the university's administrative computing needs. He started primarily with provisioning but branched out with the product as new challenges arose. "It's grown in terms of integration as I've grown more comfortable with it," he says. "Components like access control and SiteMinder [Web single sign-on] and eTrust Administrator [provisioning, password management] are integrated. The trick is taking what I've got and leveraging that integration."
Dave Young, program director of Web services with Geisinger Health System in Danville, Pa., spent nearly a year defining how he wanted to implement identity and access management before he shopped for a vendor. "You can't just take the product out of the box," says Young, who chose RSA Security's RSA ClearTrust. "You need policies behind the product."
Young, for example, needed a device that created different password requirements for various user groups. RSA ClearTrust lets employee passwords expire every six months, but patient passwords never expire.