Published: 12 Jan 2007
REVIEWED BY BRAD CAUSEY
Price: $15,000 for a single device
Apere's IMAG 500 appliance aims to simplify the complex maze of identity management through the automatic discovery of distributed identity stores, consolidation, reconciliation and provisioning of all user accounts, and access to practically all network resources through a single control point.
It's an attractive proposition, but we found the implementation rough going.
Setup was difficult, ultimately requiring the company's technical support to remotely access the device to assist with the configuration process. Although Apere claims that the device can learn the location and type of applications, each application required manual configuration.
Basic device configuration is like any other appliance: You set up DNS servers, email servers, log servers and VLANs.
Things got sticky when we tried to add authentication resources and user stores, particularly for Web applications. Because user accounts don't generally live on the Web server itself, IMAG doesn't have a way to tie users to the resource they need to access. In the absence of an API, you have to enumerate users from each identity store and reassign the resource that IMAG associated with the users. You then have to get the user information, reformat it and redirect the allowed resources for those users to point to the Web server.
Rather than use an Active Directory domain, for example, the provisioning process requires an "authoritative list," in a specifically formatted comma delimited text file.
Further, IMAG wouldn't recognize user formats used by key applications such as SQL Server and Project Server for AD accounts. As a result, these IDs must be manually matched to their account on the user store.
Policy Control D
Access control entries are based on user ID, VLAN and IP address, but IMAG lacks a proper grouping mechanism, so it can assign only one or all users, for example, to a resource. Anything in between will require extensive work to set up.
Policies provide the ability to control which users or groups of users can access particular applications, but are only usable when the device has been deployed in an in-band configuration. When deployed out of band, IMAG can still serve as a central ID consolidation and reconciliation point, but any other benefits are lost.
IMAG has some major challenges to overcome. An ID management solution needs to be able to effectively link and manage identities from stores of user accounts. Tasks such as importing users from identity stores and consolidating them proved extremely difficult. Some of the most basic applications, such as SQL Server and LDAP, were a major challenge.
Proper user provisioning requires that you manually create an account in each application and assign that user to each resource via the user interface.
Reporting is handled through an easy-to-use Web interface. Each report is customizable, and canned reports are available for applications, authentication stores and user provisioning.
You can research orphaned users, unmanaged resources and user stores that have not been reconciled. Each report can be filtered based on criteria such as specific users or resources.
Apere says many of the issues we encountered are addressed in its next release, but mid-enterprise businesses may not have the tolerance for a product with so many features missing or unfinished.
Testing methodology: Our lab included a single Active Directory domain and a single LDAP tree. User accounts were enumerated from various sources such as MySQL, SQL Server, Web applications and various client-server applications. User roles such as administrators, power users and end users were set up to test access controls.
- IAM: Key to security and business success in the digital era –ComputerWeekly.com
- Hitachi ID Privileged Access Management –Hitachi ID
- Hitachi ID Privileged Access Manager –Hitachi ID
- Best Practices for Securing Privileged Access –Hitachi ID