Technology Evaluation and Comparison Report
Part of the Datamonitor Group
WWW.OVUM.COM

Identity and Access Management 2011/12
Delivering essential business protection and compliance

Butler Group Incorporating OVUM Research

Andy Kellett
Graham Titterington
Nishant Singh
Somak Roy

Acknowledgements
Maxine Holt
Tim Gower
Tim Jennings
Important Notice
We have relied on data and information which we reasonably believe to be up-to-date and correct when preparing this Report, but because it comes from a variety of sources outside of our direct control, we cannot guarantee that all of it is entirely accurate or up-to-date.

This Report is of a general nature and not intended to be specific, customised, or relevant to the requirements of any particular set of circumstances. The interpretations contained in the Report are non-unique and you are responsible for carrying out your own interpretation of the data and information upon which this Report was based. Accordingly, Ovum is not responsible for your use of this Report in any specific circumstances, or for your interpretation of this Report.

The interpretation of the data and information in this Report is based on generalised assumptions and by its very nature is not intended to produce accurate or specific results. Accordingly, it is your responsibility to use your own relevant professional skill and judgement to interpret the data and information provided for your own purposes and take appropriate decisions based on such interpretations.

Ultimate responsibility for all interpretations of the data, information and commentary in this Report and for decisions based on that data, information and commentary remains with you. Ovum shall not be liable for any such interpretations or decisions made by you.
Published by Ovum
Published January 2011
© Ovum
All rights reserved. This publication, or any part of it, may not be reproduced or adapted, by any method whatsoever, without prior written Ovum consent.
Artwork and layout by Karl Duke, Steve Duke, and Jennifer Swallow
Enterprise IT Knowledge Centre
At the heart of the new service are more than 150 ICT analysts from the former Ovum and Butler teams. They provide deep insight into both vertical and horizontal business technology, delivered through best-in-class research and analysis. To their insights, we add the expertise of Datamonitor’s 350 business analysts. It is this combination that makes the new Ovum IT service especially valuable to clients: by integrating the three teams, we can offer unique insight into the opportunities and issues facing you and your customers, and dispense invaluable advice to help you create an effective technology strategy – a process that we describe as Collaborative Intelligence.

Our comprehensive research agenda spans the full IT investment lifecycle. Our analysis and advice help you to create the optimal technology investment portfolio for the organisation, select and implement the appropriate solutions and services, and manage those investments to realise the desired business benefits. Our coverage ranges from insight into industry-specific business processes and analysis of vendor markets, through to radical opinion on disruptive technologies and best-practice IT implementation guides. Here we present thought-leading research and strong examples of Collaborative Intelligence in action, and we look forward to working in partnership with enterprises globally.

For more information, please contact Mike James on +44 1482 608380 or mike.james@ovum.com
Contents

Chapter 1: Management summary 9
1.1 Management summary 11
1.2 Report objectives and structure 17

Chapter 2: Business and technology issues in IAM 19
2.1 Summary 21
2.2 Identity and access management projects are large-scale investments 21
2.3 Business processes need to be overhauled 25
2.4 Cloud services add urgency to the need to federate identities between organizations 26
2.5 The vendor landscape has been rationalized 28
2.6 Recommendations 29

Chapter 3: Identity and access management and compliance 31
3.1 Summary 33
3.2 IAM delivers services that are relevant to business improvement, continuity, protection, and compliance 34
3.3 Regulatory compliance has a demanding impact on most organizations 35
3.4 Audit adds urgency to the need for a better IAM infrastructure 39
3.5 Continuity and the lifecycle approach to managing identity delivers business value 40
3.6 Everyone needs to be accountable 41
3.7 Achieving and proving compliance is a key business objective 43
3.8 Recommendations 44

Chapter 4: Identity services in the cloud 45
4.1 Summary 47
4.2 The need for an internet identity is now recognized 48
4.3 Several levels of identity assurance are needed 50
4.4 Legal and commercial issues are still of paramount importance 53
4.5 Technology is being developed for internet identity 55
4.6 Recommendations 58

Chapter 5: Federated identity 59
5.1 Summary 61
5.2 Organizations can benefit from using a federated approach to identity management 62
5.3 Drawing up clear rules of engagement is important 64
5.4 Making better use of standards is the way forward 67
5.5 Recommendations 72

Chapter 6: Technology comparison 73
6.1 Summary 75
6.2 IAM Features Matrix 76
6.3 IAM Decision Matrix 113
6.4 Vendor Analysis 116

Chapter 7: Technology Audits 131
CA – CA Identity and Access Management Suite 133
Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard 143
Evidian – Evidian IAM Suite (version 8) 153
Hitachi – Hitachi-ID Portfolio 163
IBM – IBM Tivoli Identity and Access Management Products 173
Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products 185
Novell – Novell Identity Manager 4 Advanced Edition 195
Oracle – Oracle Identity and Access Management Suite – Release 11g 205
RSA (The Security Division of EMC) – RSA Identity & Access Management 215

Chapter 8: Vendor profiles 225
ActivIdentity 227
Aladdin (SafeNet) 228
Avatier 229
Aveksa 230
Beta Systems 231
BMC 232
Courion 233
Cyber-Ark 234
Fox Technologies 236
Imprivata 237
Passlogix 238
Ping Identity 239
Pirean 240
Red Hat 241
SailPoint Technologies 242
SAP 243
Sentillion 245
Siemens 246
WSO2 247

Chapter 9: Glossary 249

Chapter 10: Appendix 259
CHAPTER 1:
Management summary
1.1 Management summary
Catalyst
Identity and access management (IAM) has become an essential part of the IT infrastructure for
medium- to large-scale organizations. Its benefits of productivity and policy enforcement have
been understood for some time, but it was widely regarded as a technology that was too hard
to deploy. There is now wider agreement on standards and a much better understanding of how
to conduct a successful project. At the same time the business case is becoming more
compelling as the scale of automated interoperation with entities outside the enterprise grows,
including the growing use of cloud services.
Ovum view
Identity and access management must be approached as a business issue and designed around business processes. It is fundamentally about how the organization works with its people and with other organizations. IAM projects must be approached with a comprehensive and long-term vision, but they are best implemented incrementally in phases, each with a clearly defined business benefit. The total investment will be large, but many parts of the process can be expected to pay for themselves in months. While extensions to the project can be expected to deliver lower rates of return than the low-hanging fruit addressed by the early stages, the overall project should still represent a good investment, as there is no requirement to implement the full vision in one project.
The role of IAM
What is IAM?
IAM is the discipline of determining policies for who has access rights to
information assets in an organization, the issuing of these rights, and the
implementation of the consequent access controls. It is at the heart of
information protection, and of compliance programs with all regulations that
control access to information.
Historically, IAM was limited in scope and delivered as a function of operating systems. It has emerged as both a business concern and a broader field of technology as business IT systems have developed from a collection of siloed systems into a complex network of interconnected systems, which are connected to systems in partner organizations and to customers, employees and other users across the Internet. The complexity of managing large numbers of users on multiple systems requires an automated and process-driven system to satisfy both the efficiency and security needs of the organization.
Key findings:
• IAM projects require upfront and continuous high-level business sponsorship.
• Address pain points first and deliver significant and quantifiable benefits to demonstrate the value of the approach.
• Federation of identities between collaborating organizations has been enabled by general acceptance of the main standards, including the WS-* family and Security Assertion Markup Language (SAML) assertions.
• Use of cloud services creates an important application for IAM.
• IAM is an essential tool in delivering compliance and protecting information.
• Business may soon be able to connect to Internet identity services that will be useful for authenticating people outside the organization.
Cloud services require IAM
The adoption of cloud services by organizations places greater urgency on the need to deploy
comprehensive IAM systems. When valuable information is placed in a cloud, the access controls to
the system become the only protective layer for that information. It is therefore essential that the access
controls to the cloud service are maintained in a state that is consistent with the corresponding access
controls in the data center. The cloud service provider can and should be seen as a business partner.
IAM must recognize the diversity of users
Mobility, whether between workstations within a building such as a hospital or factory, or between working locations, requires IAM to provide an easy-to-use and consistent user experience.
Automated processes, extending beyond the enterprise walls, require a pervasive access control
mechanism that recognizes corporate entities and other processes as having equivalent access control
needs to those of human users.
Business issues
The business case
IAM is a key issue for the business. Implementing a system represents a major investment and its
deployment will require changes in business processes to capitalize on its benefits. However,
successful projects provide a high return on investment and a payback period of less than two years is
frequently achieved. IAM is a useful, if not absolutely essential, tool for satisfying the more demanding
regulatory and compliance requirements. It provides the audit and reporting functions to determine, with
a high level of confidence, who has done what with critical information.
The business benefits of IAM come in two main categories: productivity/ease of use, and security. In the efficiency category, we can list:
• Reduced cost of administration due to automated approval processes, synchronization of permissions, and user self-service functions, including password resets that typically account for 25% of IT help-desk workloads.
• Single sign-on (SSO) to raise end-user productivity by providing quicker access to systems, and reducing the burden on users of having to manage multiple sets of credentials. People who use several systems, or work from workstations in multiple locations, can save substantial amounts of time in a typical day.
• Improved experiences for external users, leading to more business, and better collaboration with business partners.
From a security perspective, good quality and effectively deployed IAM provides:
• Rapid and accurate provisioning and de-provisioning of users, minimizing unauthorized access to information and processes.
• The opportunity to adopt more secure forms of identification and authentication, including two-factor authentication, further enhancing access controls.
• Full audit and logging capability of user sessions on corporate systems.
IAM is a means of implementing business strategy insofar as it relates to
information processing. The issues of who the business needs to work with,
the level of automation that is required in these interactions, and the depth
of trust between organizations, are represented in the IAM configuration
and deployment. Internal issues also have a major impact on the
architecture of IAM systems, such as employee mobility, integration of IT
systems following mergers and acquisitions, and the way in which
compliance obligations are met.
Running a successful IAM project
IAM projects are neither quick nor cheap. It is therefore essential that they
have the wholehearted support of senior management and that this support
is sustained throughout the project. Project managers can help to sustain
this enthusiasm by adopting a phased approach to the project, with clearly
defined business benefits flowing from each phase. This approach also
minimizes both the technical and business risks, as design errors can be rectified before they become
widespread.
External identity on the Internet
We are now entering an era in which individuals can call up “Internet identities” that carry a level of
assurance that we do not have with the self-asserted identities that are almost universal on the Internet
today. For the business, this will open up new ways of communicating with customers and others that
do not have a strong existing relationship with the organization, at a lower cost than pre-registering
them with the organization. While this prospect is still at an early stage of its evolution, standards work
largely promoted by the US government provides a basis for identity services along with a potential
business and liability model.
Organizational issues
Federation technologies have to align with business relationships
Identity federation technology allows organizations to work together, with individual users being
identified and held responsible for their actions across all of the collaborating entities. It avoids the need
for replicating user registration in each organization by regarding their employer as the authoritative
source of information about them. It also ensures that any changes in their status are immediately
applied across the whole eco-system.
The technologies available for identity federation reflect the business structures to which they are applied. Traditionally, most deployments have followed a “hub and spoke” model in which the key organization federates to several of its partners, such as its suppliers or channel partners. This model also works well between a company and the subsidiaries it has acquired or created. More complex webs of collaborating organizations can be supported with “claims-based” networks, and managed services are appearing to simplify the deployment of federated networks.
Taming the super user
Computers, networks and applications have traditionally been managed
through an account called “administrator” or “super user”. The requirement
for 24 x 7 operation has led to several people having access to this
account. Across a large organization, with thousands of servers and
applications, there has been a proliferation of privileged and effectively
anonymous accounts. This has created a nightmare for both security and
compliance officers.
A comprehensive IAM suite will provide a means of securing and hiding all
super user accounts and assigning administrator privileges to the individual users who are authorized
to perform these roles. This ensures that they are monitored and held responsible for all the actions
they perform in this mode and deals with segregation of duty issues.
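The control described in the two paragraphs above, as an added example that is not code from the report or from any vendor it covers: a minimal privileged-access broker in Python that keeps the shared superuser account out of sight and instead grants named, approved, time-limited elevations, records every decision against an individual, and refuses self-approval as a segregation-of-duties check. The users, target systems, approver list and one-hour lifetime are constructed assumptions.

```python
"""Added example (not from the Ovum report): a privileged-access broker that
replaces a shared "administrator"/"super user" login with named, time-bound,
audited elevation. Accounts, roles and requests are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Elevation:
    user: str
    target: str            # server or application whose superuser account is vaulted
    approver: str
    expires_at: datetime
    reason: str


@dataclass
class PrivilegeBroker:
    entitlements: dict[str, set[str]]   # who may be elevated on which target (constructed policy)
    approvers: set[str]                 # who may approve an elevation
    ttl: timedelta = timedelta(hours=1)  # assumed lifetime of a grant
    audit: list[dict] = field(default_factory=list)
    active: dict[tuple[str, str], Elevation] = field(default_factory=dict)

    def _record(self, event: str, **details) -> None:
        # Every decision, granted or refused, is attributed to a named person.
        self.audit.append({"event": event, "at": datetime.now(timezone.utc), **details})

    def request(self, user, target, approver, reason, now=None) -> Optional[Elevation]:
        now = now or datetime.now(timezone.utc)
        if target not in self.entitlements.get(user, set()):
            self._record("refused", user=user, target=target, why="not entitled")
            return None
        if approver == user:
            # Segregation of duties: nobody approves their own elevation.
            self._record("refused", user=user, target=target, why="self-approval")
            return None
        if approver not in self.approvers:
            self._record("refused", user=user, target=target, why="approver not authorized")
            return None
        grant = Elevation(user, target, approver, now + self.ttl, reason)
        self.active[(user, target)] = grant
        self._record("granted", user=user, target=target, approver=approver, reason=reason)
        return grant

    def is_elevated(self, user, target, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        grant = self.active.get((user, target))
        if grant is None:
            return False
        if now >= grant.expires_at:
            # Expiry is enforced at use time, so a stale grant is never honoured.
            del self.active[(user, target)]
            self._record("expired", user=user, target=target)
            return False
        return True

    def run_as_admin(self, user, target, command, now=None) -> bool:
        """Run (here: only log) a command under the vaulted superuser account,
        attributed to the named user rather than to 'root' or 'administrator'."""
        if not self.is_elevated(user, target, now):
            self._record("blocked", user=user, target=target, command=command)
            return False
        self._record("executed", user=user, target=target, command=command)
        return True


def demo():
    """Walk a constructed scenario through the broker; returns its audit events."""
    t0 = datetime(2011, 1, 1, tzinfo=timezone.utc)
    broker = PrivilegeBroker(entitlements={"alice": {"db01"}}, approvers={"bob", "alice"})
    broker.request("alice", "db01", "alice", "patching", now=t0)   # refused: self-approval
    broker.request("alice", "web01", "bob", "patching", now=t0)    # refused: not entitled
    broker.request("alice", "db01", "bob", "patching", now=t0)     # granted for one hour
    broker.run_as_admin("alice", "db01", "apply-patch", now=t0)    # executed, attributed to alice
    broker.run_as_admin("alice", "db01", "apply-patch", now=t0 + timedelta(hours=2))  # blocked
    return [e["event"] for e in broker.audit]


if __name__ == "__main__":
    print(demo())
```

The audit trail is the point: the shared account never appears as the actor, every use is tied to a person and an approver, and the compliance officer can answer "who did what, and who let them" from one record.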
The extended enterprise
In addition to integrating the management of partner organizations, IAM helps to define who works
within an organization. Human resources departments are often only concerned with permanent
employees, whereas IAM systems have to provide for all users. Even the payroll department has no
record of contractors who are paid, directly or indirectly, through the purchase invoice system.
IAM systems can be integrated with physical access systems, enabling physical and logical access to
be controlled through common credentials and providing an extra channel of authentication by
correlating system access with physical location. When this approach is adopted, the IAM registration
process has to be extended to include all people who are entitled to enter the premises, irrespective of
whether they use IT systems.
Technology issues
The scope of IAM
IAM systems are technically complex, comprising the following functions:
• enrolment of users
• provisioning/de-provisioning of access rights to users, in accordance with corporate policies
• role management
• routine user administration, including functions such as issuing credentials and password reset
• access approval and revocation processes, and escalation of disputed issues
• identification and authentication of users, including flexibility to adapt authentication to match the appropriate level of business risk; an important part of this function is SSO to a wide range of resources by a single act of logging in to a workstation
• control of access to all information and process resources according to policy
• reporting and auditing of actions relating to access permissions and access usage
• acceptance of corporate entities and automated processes as “pseudo-users”
• facilitating usage of corporate resources by business partners and customers, according to appropriate policies and controls.
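An added example (not from the report or any vendor it covers) showing how three of the functions just listed fit together in code: policy-based control of access to resources, authentication that adapts to the business risk of each resource, and automated processes treated as pseudo-users under the same policy. The role names, resources, assurance ladder and the step-up response are constructed assumptions.

```python
"""Added example (not from the Ovum report): a policy decision function that
checks role entitlement and whether the session's authentication strength
matches the risk of the resource. All names and levels are constructed."""
from dataclasses import dataclass

# Constructed assurance ladder: higher means stronger proof of identity.
ASSURANCE = {"password": 1, "password+otp": 2, "smartcard": 3}


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: frozenset
    min_assurance: int     # matched to the business risk of the data or process


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    auth_method: str
    kind: str = "person"   # "process" for automated callers; policy treats both alike


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def decide(session: Session, resource: Resource) -> Decision:
    """Policy: the caller must hold a permitted role AND have authenticated
    strongly enough for the resource. A weak session gets 'step-up' rather
    than a flat denial, so an SSO layer can re-authenticate the same login."""
    if not session.roles & resource.allowed_roles:
        return Decision(False, "deny: no permitted role")
    level = ASSURANCE.get(session.auth_method)
    if level is None:
        return Decision(False, "deny: unknown authentication method")
    if level < resource.min_assurance:
        return Decision(False, f"step-up: assurance {level} < required {resource.min_assurance}")
    return Decision(True, f"allow: role ok, assurance {level}")


# Constructed policy table: low-risk intranet, sensitive payroll, a batch
# process's ledger feed that only a strongly authenticated job may touch.
RESOURCES = {
    "intranet": Resource("intranet", frozenset({"staff", "contractor"}), 1),
    "payroll": Resource("payroll", frozenset({"hr"}), 2),
    "ledger-batch": Resource("ledger-batch", frozenset({"batch-job"}), 3),
}


def demo():
    """Evaluate a few constructed sessions; returns the decision reasons."""
    alice = Session("alice", frozenset({"staff", "hr"}), "password")
    alice_otp = Session("alice", frozenset({"staff", "hr"}), "password+otp")
    nightly = Session("nightly-ledger", frozenset({"batch-job"}), "smartcard", kind="process")
    return [
        decide(alice, RESOURCES["intranet"]).reason,       # password is enough here
        decide(alice, RESOURCES["payroll"]).reason,        # right role, too weak a login
        decide(alice_otp, RESOURCES["payroll"]).reason,    # after step-up
        decide(nightly, RESOURCES["ledger-batch"]).reason, # pseudo-user under the same policy
        decide(nightly, RESOURCES["payroll"]).reason,      # process has no payroll role
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Keeping entitlement and assurance as separate checks is what lets one policy serve both the workstation login case and the "adapt authentication to risk" case: the role answer rarely changes, while the assurance answer can be satisfied mid-session by a stronger credential.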
IAM projects are based on IT and process integration
IAM projects are mainly integration projects. The largest parts of the work in an IAM deployment project
are in configuring the system to reflect the business, and in integrating the components of the system
with the infrastructure of the organization. A major factor in selecting an IAM suite is its fit with the
existing technology in the organization.
SSO requires the IAM system to be integrated with each platform and application that it is required to
support. Vendors provide connectors to some common applications with their product, while other assets
will require bespoke connectors using APIs. In many cases these can be bought from third parties.
The foundation of every IAM system is one or more corporate directories, and most support Active
Directory and any Lightweight Directory Access Protocol (LDAP)-compatible directory. Organizations
will want to automatically move existing user registration information from existing data stores, which
may be either directories or files. The ability to re-use existing configuration data will significantly affect
the duration and cost of the IAM project.
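An added example, not code from the report or any vendor it covers, of the reconciliation that the two paragraphs above imply: the directory is compared against the authoritative sources for people so that provisioning and de-provisioning can be driven by data rather than by hand. It also covers the contractor population that the management summary notes HR does not track. The CSV columns, the LDIF layout, the use of employeeNumber to link an account to its owner, and every record are constructed assumptions.

```python
"""Added example (not from the Ovum report): reconcile a directory export
against an HR feed plus a contractor register to find accounts to provision,
accounts to de-provision, and accounts with no authoritative owner.
All data below is constructed sample input."""
import csv
import io
from datetime import date

# Constructed HR feed: permanent employees only.
HR_CSV = """employee_id,name,status,manager
e100,Alice Adams,active,e001
e101,Bob Brown,leaver,e001
e102,Carol Cruz,active,e001
"""

# Constructed contractor register (the population paid via purchase invoices);
# end_date is the last day of the engagement.
CONTRACTOR_CSV = """contractor_id,name,end_date
c200,Dan Diaz,2011-12-31
c201,Eve Evans,2010-06-30
"""

# Constructed LDAP directory export in LDIF form. employeeNumber is the
# assumed attribute linking an account to an HR or contractor id.
DIRECTORY_LDIF = """dn: uid=aadams,ou=people,dc=example,dc=com
uid: aadams
employeeNumber: e100

dn: uid=bbrown,ou=people,dc=example,dc=com
uid: bbrown
employeeNumber: e101

dn: uid=ddiaz,ou=people,dc=example,dc=com
uid: ddiaz
employeeNumber: c200

dn: uid=eevans,ou=people,dc=example,dc=com
uid: eevans
employeeNumber: c201

dn: uid=svc-backup,ou=people,dc=example,dc=com
uid: svc-backup
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def authoritative_ids(hr_csv, contractor_csv, today):
    """Ids entitled to an account today, drawn from both authoritative sources."""
    entitled = set()
    for row in csv.DictReader(io.StringIO(hr_csv)):
        if row["status"] == "active":
            entitled.add(row["employee_id"])
    for row in csv.DictReader(io.StringIO(contractor_csv)):
        if date.fromisoformat(row["end_date"]) >= today:
            entitled.add(row["contractor_id"])
    return entitled


def reconcile(hr_csv, contractor_csv, ldif, today):
    """Return (ids to provision, uids to de-provision, uids with no owner)."""
    entitled = authoritative_ids(hr_csv, contractor_csv, today)
    linked = {}      # owner id -> uid for accounts carrying an employeeNumber
    unlinked = []    # accounts with no authoritative owner: service accounts or orphans
    for entry in parse_ldif(ldif):
        owner = entry.get("employeeNumber")
        if owner:
            linked[owner] = entry["uid"]
        else:
            unlinked.append(entry["uid"])
    to_provision = sorted(entitled - linked.keys())
    to_deprovision = sorted(uid for owner, uid in linked.items() if owner not in entitled)
    return to_provision, to_deprovision, sorted(unlinked)


def run_example():
    """Reconcile the constructed sample data as of a fixed date."""
    return reconcile(HR_CSV, CONTRACTOR_CSV, DIRECTORY_LDIF, date(2011, 1, 1))


if __name__ == "__main__":
    provision, deprovision, orphans = run_example()
    print("provision:", provision)
    print("de-provision:", deprovision)
    print("no owner:", orphans)
```

The unlinked list is the one to review rather than act on automatically: a genuine service account and a forgotten contractor login look identical to the directory, and only a named owner distinguishes them.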
The task of integrating with external organizations, including cloud service providers, has been made
easier since the industry moved towards a common set of supported technologies. In particular
Microsoft’s acceptance of claims-based communications, including the use of SAML assertions, has
removed a major stumbling block to federated working. Integration is a two-way activity and today the
level of integration offered by cloud service providers is limited, but this situation will improve.
Administration and workflow
Identity administration tasks can be complex, particularly when authorization requires the participation
of multiple asset owners. IAM tools should provide a workflow-based configurable process model. It is
advantageous if this workflow engine is open and allows the integration of IAM processes with wider
management processes, so that provisioning can be seamlessly and automatically incorporated into
other management activities.
Market issues
The market for IAM products has undergone substantial consolidation.
While many specialist vendors remain serving individual parts of the
product spectrum, the number of comprehensive suites is limited. Most of
the providers are the major IT vendors. They have continued to acquire
specialist vendors to fill gaps in their product range, with the result that they
now have almost completely covered the required range of functionality.
They can still be differentiated in terms of how well individual components
in their suite meet the needs of an organization, but the major area of differentiation is in their level of
integration with the wider IT environment. As the implementation of IAM
projects is largely a consultancy exercise, channel partners are also an
important factor in selecting a vendor.
The emergence of identity provider services on the Internet will provide a
new area of opportunity for businesses. However, more work needs to be
done to establish a business model for such providers. The value of services
to the relying parties who will use the services is clear. The only conceivable
revenue model is one in which the relying party pays the identity provider,
most probably with a per-use payment. Providers could charge according to
the level of assurance of each identity. One obstacle to the development of
this market is that the main candidates for providing such services are organizations (such as banks) that
do not see being an identity provider as one of their core business concerns. The other major obstacle
is the need for a limited liability model that meets the needs of both sides.
Recommendations
Recommendations for enterprises
Every large and larger medium-sized enterprise needs an IAM system to enhance its operational efficiency and to improve its security and compliance posture. Smaller organizations should review their particular circumstances.
IAM projects are about business process automation and need to be approached from a business
perspective. IAM deployments need to be carefully planned, and deployed incrementally. Most of the
major vendors provide a comprehensive coverage of the solution space, but some are easier to use
and to integrate with existing infrastructure. An IAM project is mostly about integration with the IT
infrastructure and with business processes. These are the areas that need most attention.
Recommendations for vendors
IAM is one of the most strategic areas of corporate IT. Success in the IAM sector will place a firm in a
strong position to influence corporate-wide IT policy.
IAM is an essential companion to information protection, and both technologies have enhanced
business value when they are deployed together. IAM is never an island, and integration and
interoperability with the wider environment are primary product differentiators. Focus on ease of
deployment and flexible use.
The Ovum IAM Decision Matrix
The Ovum IAM Decision Matrix explores the competitive dynamics within the IAM security market and
is designed to help organizations make informed choices among the leading offerings. It presents a
view of the market based on three factors: technology assessment, user sentiment, and market impact.
It offers a snapshot view of the market as it stands today, and indicates those vendors that, in Ovum’s
opinion, organizations should shortlist, consider, or explore. The results of Ovum’s in-depth research
are summarized in the following table. Vendors are listed in alphabetical order within each category.
Rating / Company/Solution / Ovum Opinion

Rating: Shortlist

CA – CA Identity and Access Management Suite
CA’s IAM portfolio is among the most comprehensive in the IAM space. The company’s current IAM positioning focuses on “content aware identity management”, which incorporates IAM, data loss prevention (DLP), and governance, risk, and compliance (GRC) integration.

IBM – IBM Tivoli Identity and Access Management Products
IBM is among the largest and most successful vendors in the IAM space. Its coverage includes enterprise and web SSO, user provisioning and role management, password management, access control, and federated identity management services.

Novell – Novell Identity Manager 4 Advanced Edition
Novell Identity Manager 4 provides a comprehensive suite of IAM products. Novell delivers an enterprise-class IAM product set that has the scalability and high availability required to deal with large, complex, and diverse operating environments. However, the company’s market impact is significantly lower than that of its main competitors.

Oracle – Oracle Identity and Access Management Suite (release 11g)
Following its acquisition of Sun, Oracle has become even more of a market leader in the IAM space. It has a strong presence across all traditional IAM markets including financial services, healthcare, and the public sector and its geographic reach is also extensive. Oracle provides a very comprehensive set of IAM capabilities with a good focus on enabling customer usage across all available platforms.

Rating: Consider

Evidian – Evidian IAM Suite (version 8)
Evidian delivers a near-full suite of IAM products. However, the company’s influence remains largely restricted to European markets. It provides a good range of enterprise and Web SSO, user provisioning, and access control services, and strong support for standards and authorities.

Hitachi – Hitachi-ID Portfolio
Hitachi is not a strong contender in web access management or the web and enterprise SSO markets. It does, however, provide good quality user provisioning, access control, and password management services, and is respected for its privileged user management capabilities.

Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products
Microsoft’s impact on the IAM market continues to grow. It is well respected across enterprise and web SSO, user provisioning, password management, access control, and federated identity management dimensions. It is seen as a low cost provider of IAM technology and a supplier that small and medium enterprises (SMEs) are likely to turn to as their first IAM provider.

Continued on the next page...
1.2 Report objectives and structure
Report Guide
The report is aimed at chief information officers (CIOs), chief security officers (CSOs), IT managers,
business strategy managers, business analysts, system architects, development managers, and other
senior decision-makers in both IT and the business.
Chapter 2: Business and technology issues in IAM
This chapter summarizes the content of this report and provides a deeper insight into the need for
identity and access management (IAM). It focuses on the delivery of IAM projects, their scalability and
complexity issues, and the corporate investment required. It addresses the requirement to improve
business processes, the need to support the use of cloud-based services and the growing requirement
to be able to federate identities between organizations. It also considers the changing vendor
landscape, which continues to be rationalized.
Chapter 3: Identity and access management and compliance
The deployment of IAM is a vital component of any enterprise security strategy. It provides the foundations for controlling who has access to operational information systems, and as such aligns technology-based controls with business and operational rules and access policies. Improving the organization’s security position helps towards achieving regulatory compliance. Domestic, industry-related, and international regulations all have an impact on the actions that companies must now take in order to be compliant. IAM solutions should not be purchased just to help tick compliance boxes. However, the value of the technology to businesses brings together important efficiency improvements such as providing streamlined access to systems, delivering efficient user provisioning and role management services, and providing the ability to accurately control and report on user access rights.
Chapter 4: Identity services in the cloud
Today, identity continues to reside mainly in individual websites with little or no interaction between them.
Users have to identify and authenticate themselves to each site or service in order to gain access. Also,
once users have given personal information to a site, they have no control over how the information will
be used. Site operators have very little confidence in the accuracy of the information they are given. An
identity infrastructure that works across sites must be based on policy and semantic interoperability. We
also require standards that go beyond syntactic and semantic levels and embrace business process
issues such as assurance, privacy, and liability. They must be both privacy-enhancing and cost-effective
for both users and website operators. An interoperable identity infrastructure that would be recognized
at multiple websites would provide a major advance towards a truly connected world.
...continued from the previous page.

Rating / Company/Solution / Ovum Opinion

Rating: Explore

Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard
Although SSO and provisioning services are provided by third-party partners, Entrust remains a strong contender in the authentication and fraud management space. It also exhibits good password management capabilities.

RSA – RSA Identity & Access Management
RSA is the authentication market leader and partners with Courion for provisioning and role management. Across security areas adjacent to IAM such as security information and event monitoring, DLP, and GRC, RSA is strong and active. However, the growth in its overall IAM capabilities has failed to keep pace.
Chapter 5: Federated identity
The use of technology allows businesses to run lean and efficient supply systems. To support the
approach, organizations rely on all required components being available at the optimum time. Having
full visibility of stock levels, product delivery dates, new pricing tariffs even when that information is the
property of a partner organization, adds real value to decision-making processes. Federated identity
management technology can be used to create local, as well as global, interoperability between online
businesses and trading partners using agreed identity management approaches. Utilizing an SSO approach allows users to move between the business systems of their own organization and beyond corporate boundaries to access third-party systems.
Chapter 6: Technology comparison
The technology comparison chapter presents Ovum’s view of the leading IAM vendors and their technology solutions. It includes feature comparisons of the technology along with decision matrix information on the vendors and market analysis information. The features matrix presents a side-by-side view of vendor technology capabilities in their existing product ranges. The decision matrix groups vendors into one of three categories (‘shortlist’, ‘consider’, or ‘explore’), and backs this up with a detailed view of each vendor in terms of technology assessment, market impact, and end-user sentiment.
Chapter 7: Technology Audits
The Technology Audits chapter contains in-depth evaluations on the latest product releases from nine
of the IAM sector’s leading providers.
Chapter 8: Vendor profiles
The vendor profile chapter contains profiles of IAM vendors whose products Ovum considers to be
important to the delivery of the core components of an IAM strategy. In many cases these are vendors
with best-of-breed products that cover one or more core areas of IAM or provide complementary
services that integrate with IAM.
Chapter 9: Glossary
This chapter contains a glossary of technology terms that are used in the report.
Chapter 10: Appendix
This chapter contains information about additional reading and the methodology used for this report.
CHAPTER 2: Business and technology issues in IAM
2.1 Summary
Catalyst
The extended enterprise needs a comprehensive identity layer. Identity and access management
(IAM) is an essential tool for compliance and a key component of information protection in open
collaborative working. More than this, however, it is a productivity tool enabling tighter working
practices, collaboration, and automation of some error-prone, laborious processes.
Ovum view
IAM is a business issue, and projects must be driven by business priorities. However, many other
factors need to be taken into account, and a lot can be learned from organizations that have completed
successful projects. Future proofing must be built into deployed systems. IAM is an idea whose time
has come, as it can be considered a strategic component of adopting cloud services.
Key messages
IAM projects are large-scale investments.
Business processes need to be overhauled.
Cloud services add urgency to the need to federate identities between
organizations.
The vendor landscape has been rationalized.
2.2 Identity and access management projects are
large-scale investments
Business strategy must drive technological decisions
Identity and access management is a business process. The requirements
for handling identities and the use that is made of these identities are
determined by how the business wishes to operate. IAM is a fundamental
pillar of security strategy, while the security and regulatory requirements
that the business has to satisfy are also determined by business, rather
than technological considerations. It is the job of technologists to meet
business needs. Business leaders must specify their requirements.
IAM systems link organizations, and inter-organizational relations must be
driven by business managers. The level of buy-in from these associated
organizations will depend on the configuration of the chosen system. The
configuration can range from a close two-way federation of their respective
IAM systems to a more basic arrangement that allows employees of the partner organization to use the
primary party’s resources as external users. However, any level of inter-operation requires a business
understanding of the status and assurance level of the other party’s identity credentials and a
commitment from both parties to keep their identity bases up to date. Both of these require business-
level convergence.
IAM systems change the way in which users interact with IT systems. Provided that the system is well-
designed, these changes should have a positive impact on the user experience. Security will certainly
be enhanced. However, access will be restricted in some cases and this may block some established
working practices, particularly where roles are not well documented or
understood. The business must be prepared for these inconveniences and
have a method for rapidly resolving issues as they arise.
IAM projects are large and costly. Without substantial business buy-in at
the highest level they will not be completed. They have to be integrated into
business processes, which will inevitably disrupt the business process to
some extent. The process owner must be an enthusiastic supporter of the IAM project to ensure the
necessary commitment through this stage. A rough estimating rule is that buying professional advice
and assistance is likely to cost five times as much as the technology.
The “identities” in IAM systems mostly relate to people. (Some systems may also manage systems,
processes, and corporate entities.) They contain personal information that is subject to privacy
legislation, and organizations that do not have IAM practices that meet all
legal requirements risk substantial penalties. Therefore, a technical failing
within the IAM system can have substantial business-level repercussions.
This risk increases when an IAM system integrates silos of information that
previously only existed within small systems in departments.
One way to reduce risk and maintain business commitment to the project
is to roll out IAM incrementally, delivering real business benefit at each
stage and starting with “low-hanging fruit.” Fortunately, IAM is well suited to
incremental rollout by dicing up according to organizational units, systems
and applications, and user groups. The majority of the cost of a project goes into the configuration, data
acquisition, and process definition aspects, rather than into technology acquisition. This makes an
incremental rollout viable.
Ultimately, the business and political issues are significantly more challenging than the technology
issues involved in IAM projects. The project is about managing people, not user accounts.
The benefits of IAM
IAM delivers many business benefits, ranging from good governance through security, improved user
experiences, and productivity enhancements to cost savings.
While every IAM project is different, it is realistic to aim for a project whose benefits will pay for the
project within 18 months. A comprehensive, enterprise-wide project will typically take longer to recover
its costs as it embraces aspects with a lower return-on-investment, but organizations can configure a
project to fit a required rate of financial return.
IAM systems can enhance user experience and productivity. Single sign-on
(SSO) to multiple platforms and applications removes the need for users to
remember different user IDs and passwords, which they often feel they
have to write down. It avoids the irritation and wasted time of having to
repeatedly re-authenticate to the system.
IAM systems automate the provisioning process for new users and users
who take on new roles. The time required for the provisioning process is
typically reduced by 90%, from days to hours. The new user is therefore
able to become productive much more quickly. This is particularly
significant for contractors and short-term hires, for whom the provisioning time can significantly add to
employment costs. Identity federation allows the provisioning of a user in one environment to extend to
collaborative environments immediately and automatically. Moving forward, IAM will be at the heart of
open-enterprise computing.
The direct financial savings of IAM come from the automated provisioning and
de-provisioning capabilities and reduced IT helpdesk workloads. Typically
25% of IT helpdesk workload is eliminated due to the much-reduced number
of forgotten password calls. Many IAM tools provide self-service password
reset capability, which can further reduce the password-related workload.
Process improvements in the areas of access request consideration and
approval and periodic reviews of access permissions deliver further savings.
IAM is an essential element of corporate
compliance and security
Organizations should deal with compliance as part of their operational infrastructure. For example, the
Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the
Payment Card Industry Data Security Standard (PCI DSS) require
organizations to restrict and monitor access to sensitive information. IAM
provides auditable policies and a control framework that addresses many
requirements of compliance. Many aspects of compliance require an
organization to control who can perform certain functions to reliably monitor
who does what, and to raise the consistency of process performance.
When used in conjunction with logging tools, IAM can provide a wealth of
information about who did what and when. Logging tools need the strong
and accurate access control tools provided by IAM to be certain that the
reported user was the actual user. Four aspects of the benefits of IAM are:
• Access rights can be more closely aligned to roles and responsibilities.
• Traditionally, IT users with administrator-level privileges can do almost anything on the systems on
which they enjoy these privileges. Furthermore, because of the need to keep systems operating 24×7,
several people are often given administrator rights to each system, sharing the same user credentials.
This creates the perverse situation in which the most privileged users are not subject to personal
accountability for their actions. The better IAM systems can block all anonymous system access,
restrict all administrator-level access to sensitive data, and provide separation-of-duty controls.
• The ability of IAM systems to automatically remove access rights from leavers and employees who
move on to different roles blocks one major category of inappropriate access to systems. This
de-provisioning function is one of the most important security functions of an IAM system.
• IAM systems can give much faster and easier login to systems, removing the very real temptation
for users to share sessions on machines in common access areas, and hence provide a level of
personal accountability for user actions. The value of this feature is seen in hospitals, with access to
patient records, and in financial dealing rooms.
These benefits also help raise the security of corporate systems.
Additionally, IAM can enhance security by bringing in stronger
authentication systems than were previously available. Traditionally
authentication is built into platforms, systems, and applications and offers
little scope for changing the default mechanism. IAM systems can allow the
flexibility to adopt different forms of authentication, use two-factor
authentication, and even vary the level of authentication according to the
current characteristics of a session or the business being transacted.
These security enhancements are essential to satisfying e-governance requirements because the
associated reporting is meaningless without personal responsibility. Data loss prevention (DLP)
systems are similarly hamstrung without a reliable indicator of who is handling a piece of information.
The combination of IAM and DLP is particularly powerful, and can be configured to implement data
protection policies that are appropriate for specific countries, for example.
How to run a successful IAM project
The key to success in an IAM project is to focus on the business issues. Too often they are technology-
driven and fail as a consequence. We have already discussed the importance of getting buy-in and
commitment at the highest levels of the organization. The next prerequisite
is to know your users and understand what they do and how they do it,
remembering that actual practice may have diverged from theoretical
processes over time. If the new IAM-related processes do not fit with
business practices, the project will fail.
The aim should be to introduce the maximum amount of automation into
the processes. This will win the support of key business movers as well as providing the necessary
payback.
When selecting products, ease of management should be a key consideration. The selected product
should enable you to specify each change in access rights or processes once, and have it rolled out
across the enterprise automatically and consistently. Pay particular
attention to any pain points in the existing processes and ensure that they
are mitigated in the new system.
The IAM system should be capable of seamlessly and effortlessly
incorporating any changes in employee working practices, particularly
relating to flexible working and homeworking. It is likely that within the
lifetime of the IAM system the organization will have moved some way
towards allowing employee-owned endpoints, and that virtual client
technology will be widespread.
We have also mentioned the importance of cross-enterprise working in
modern business. External users need to be deeply integrated into IAM in
a form of federation. However, there are different federation architectures
and it is important to choose the right one, considering future changes that
may occur in the way the business operates. The main choice is between
a “hub-and-spoke” configuration in which the central player takes the main role in establishing bilateral
relationships, and a many-to-many model in which a central federation service negotiates claims by
people who require access to any organization in the network.
Above all, when you are ready to implement the IAM system, adopt an incremental rollout and review
the success of each phase as you go, refining the details to resolve issues that arise. Incremental
rollouts reduce the capital risk by partitioning the project budget, and allow proven economies to be
recognized as justification for following phases of the project. They also help to win support for the
project. In particular, SSO has to be configured to accommodate each application, platform, and service
that it embraces. These targets can be implemented in batches. Incremental rollout and pilot projects
can also be used to validate the processes that are being defined within the
IAM system – for example, to remove bottlenecks in the approval process.
Use existing identity stores to avoid unnecessary reinvention of the wheel.
75% of enterprises will find that their Active Directory (AD) will give them
the bulk of their required configuration file. However, all imported data
should be reviewed for currency and accuracy to avoid perpetuating bad
practices.
It is important not to overlook the need to educate users before they are
brought into the scope of the IAM system. It should not be assumed that
the new working methods will be self-evident. It is also a good idea to communicate with users during
the implementation phase and afterwards as the system is extended and improved.
There are complex issues involved in extending the IAM system to customers and others who are not
employed by either the organization or its federated partners. In particular, there is the question of what
information about each person needs to be held in the system. Within the workplace, a person’s identity
is usually primarily about the roles they perform.
For external users, identity is about their relationship with the organization. For customers this could
include their payment information, relationship history, and identity assurance requirements. Each
situation brings its own requirements, and the system needs to be designed around them. External users
should not be regarded as “pseudo-employees” because this approach will not deliver the required
security level or meet business requirements. For example, there is no defined “leaving” process for
external users that could trigger their de-provisioning. External users have particular needs for controls on
the disclosure of their attributes that are held in the system, because this information tends to be personal.
2.3 Business processes need to be overhauled
Managing non-employees in the workforce
IAM systems provide a single central authority managing the identities of
system users. This is in itself a culture shock for many organizations in
which the management of contract and temporary staff is often handled at
departmental or project level, with little reference to the HR department.
The accounting department, with its responsibility for payroll, is often closer
to being the global authority of current workers. However, in some cases
staff may be paid locally or through the invoice process, rather than through
the central payroll.
The IAM system often has to manage access for workers employed by subcontractors on site who are
not covered by any direct payment system. In some organizations volunteers work on the company
system. The group of people who are entitled to be in the building and use the IT system is often much
wider than the current employees.
All of the issues surrounding access rights management are magnified many
times when looking at user accounts with administrator privileges.
Administrator accounts are, by default, all-powerful and anonymous. Each
platform, system, and application may have an administrator to manage it and
keep it in good health. As work needs to go on around the clock, several
people need to have these powers to ensure that at least one will be available
when needed. Business systems run across many servers and applications.
This leads to a proliferation of administrator accounts. For example, Ovum
knows of one organization that has 86,000 users and 100,000 administrator
accounts. The anonymity of administrator accounts makes it impossible to
assign personal responsibility for the actions of such users. We look to IAM
systems to “hide” the administrator accounts and only allow users to exercise
them after they have logged into the system as a normal user and through the IAM system itself. The access
rights to information held within the system can also be restricted through the
IAM mechanisms. These opportunities should be exploited. Although using
external IAM services is an option that many organizations have successfully
exploited, particular sensitivities about outsourcing the management of
administrator accounts need to be considered.
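The paragraph above describes shared administrator accounts being "hidden" behind the IAM system so that they can only be exercised by someone who has first logged in as themselves. The following Python sketch is an added illustration of that brokering idea, not code from the Ovum report or from any vendor's product: account names, user names and the eligibility table are constructed, and the "audit" list stands in for whatever log store a real deployment would write to. The point it makes is that every action taken under the shared account is recorded against a named person.

```python
class PrivilegedAccessBroker:
    """Shared administrator accounts are never logged into directly. A named user who
    has already authenticated to the IAM system checks one out for a session, and every
    action in that session is attributed to the person, not to the anonymous account.
    (Constructed example; the account and person names are placeholders.)"""

    def __init__(self, admin_accounts, eligibility):
        self.admin_accounts = set(admin_accounts)   # e.g. {"root@db01"}
        self.eligibility = eligibility              # person -> set of accounts they may assume
        self.sessions = {}                          # session id -> (person, account, start)
        self.audit = []                             # (time, person, account, event)

    def check_out(self, person, account, authenticated_as_self, now):
        """Return a session id, or None if the request must be refused."""
        if not authenticated_as_self:
            # No personal login, no privileged session: this is what removes anonymity.
            self.audit.append((now, person, account, "denied:not-authenticated"))
            return None
        if account not in self.admin_accounts or account not in self.eligibility.get(person, set()):
            self.audit.append((now, person, account, "denied:not-eligible"))
            return None
        sid = f"{person}:{account}:{now}"
        self.sessions[sid] = (person, account, now)
        self.audit.append((now, person, account, "checkout"))
        return sid

    def record_action(self, sid, action, now):
        """Actions performed with the shared account are logged under the real person."""
        person, account, _ = self.sessions[sid]
        self.audit.append((now, person, account, "action:" + action))

    def check_in(self, sid, now):
        person, account, _ = self.sessions.pop(sid)
        self.audit.append((now, person, account, "checkin"))

    def who_did(self, account, action):
        """Answer the question the text says anonymous admin accounts cannot: who did this?"""
        tag = "action:" + action
        return [p for (_, p, a, ev) in self.audit if a == account and ev == tag]

    def open_sessions(self, account):
        return [p for (p, a, _) in self.sessions.values() if a == account]


if __name__ == "__main__":
    broker = PrivilegedAccessBroker({"root@db01"}, {"alice": {"root@db01"}})
    sid = broker.check_out("alice", "root@db01", True, now=3)
    broker.record_action(sid, "restart-service", now=4)
    broker.check_in(sid, now=5)
    print(broker.who_did("root@db01", "restart-service"))
```

The same structure is what commercial privileged-account management tools provide at scale; the text's caveat about outsourcing this particular function applies to wherever the `audit` trail and the eligibility table end up living.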
Leavers
Removal of user rights and de-provisioning of users who cease to work for
the organization make up one of the most important functions of the IAM
system from a security perspective. However, integrating this apparently
straightforward task into business processes can be complex. Whereas the
arrival of a new employee is a single-step process, their departure is long and
drawn out, going through several stages. In the simplest case the departure
process is triggered by the employee’s resignation. Their leaving date should then be known, but may not
be cast in concrete at this stage. They may have more restrictive access rights at stages during their notice
period. With redundancies or disciplinary procedures, the process becomes much longer and more
complex. These processes all have to be captured within the IAM system, and each change in the status
of the employee must be recognized in the system immediately.
When we consider volunteers, subcontractors, and other non-employees in the system, the process
becomes even more confusing. What event signifies or triggers the user’s departure? How is this
communicated to the IAM system? Do subcontractors retain any residual maintenance functions after
they finish their period on site? One possible approach to this problem is to re-certify the access rights
of all non-employees periodically, but this may place an unacceptable burden on managers.
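The two paragraphs above make two separate points: an employee's departure is a multi-stage process whose every status change must reach the IAM system immediately, and non-employees have no natural "leaving" event, so periodic recertification is one way to bound their access. The Python below is an added example covering both, not code from the report or from any IAM product. The status names, the set of entitlements withdrawn during a notice period and the 90-day recertification interval are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed assumptions for this example.
NOTICE_RESTRICTED = {"source-code", "customer-db"}   # withdrawn as soon as notice is given
RECERT_INTERVAL = timedelta(days=90)                 # non-employee access lapses unless recertified


class Identity:
    """Access is derived from status and certification date, never edited by hand,
    so that each HR or manager event takes effect the moment it is applied."""

    def __init__(self, name, employee, entitlements, certified_on):
        self.name = name
        self.employee = employee          # False for contractors, subcontractors, volunteers
        self.status = "active"            # employees: active -> notice -> left
        self.entitlements = set(entitlements)
        self.certified_on = certified_on  # last manager recertification (non-employees)
        self.log = []

    def on_event(self, event, when):
        if event == "resignation" and self.employee:
            self.status = "notice"        # leaving date known, but access already narrowed
        elif event in ("leaving_date_reached", "dismissal"):
            self.status = "left"
        elif event == "recertified" and not self.employee:
            self.certified_on = when
        else:
            raise ValueError(f"event {event!r} is not valid for {self.name}")
        self.log.append((when.isoformat(), event, self.status))

    def effective_access(self, today):
        if self.status == "left":
            return set()                                  # fully de-provisioned
        if self.status == "notice":
            return self.entitlements - NOTICE_RESTRICTED
        if not self.employee and today - self.certified_on > RECERT_INTERVAL:
            return set()                                  # no leaving event exists, so time bounds it
        return set(self.entitlements)


def due_for_recertification(identities, today, warn_days=14):
    """Manager report: non-employees whose access lapses within warn_days."""
    out = []
    for i in identities:
        if i.employee or i.status == "left":
            continue
        lapse = i.certified_on + RECERT_INTERVAL
        if lapse - today <= timedelta(days=warn_days):
            out.append((i.name, lapse))
    return out


def demo():
    """Constructed scenario exercising both lifecycles; returns the checkpoints."""
    d0 = date(2011, 1, 10)
    emp = Identity("alice", True, {"email", "source-code", "customer-db"}, d0)
    con = Identity("bob-contractor", False, {"email", "source-code"}, d0)
    out = {"emp_active": emp.effective_access(d0)}
    emp.on_event("resignation", d0)
    out["emp_notice"] = emp.effective_access(d0)
    emp.on_event("leaving_date_reached", d0 + timedelta(days=30))
    out["emp_left"] = emp.effective_access(d0 + timedelta(days=30))
    out["con_day89"] = con.effective_access(d0 + timedelta(days=89))
    out["con_day91_lapsed"] = con.effective_access(d0 + timedelta(days=91))
    con.on_event("recertified", d0 + timedelta(days=80))
    out["con_day91_recertified"] = con.effective_access(d0 + timedelta(days=91))
    out["recert_report"] = [(n, d.isoformat())
                            for n, d in due_for_recertification([emp, con], d0 + timedelta(days=160))]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The recertification report is where the text's caveat bites: if the list is long, managers rubber-stamp it, so in practice the interval and the set of entitlements subject to it are tuned per population rather than fixed as here.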
Mergers and acquisitions
Mergers and acquisitions place a heavy burden on IT administration. The consolidated business will be
working towards a single comprehensive IT infrastructure to achieve economies of scale and
rationalization. However, this is only achievable at a reasonable cost if it is a long-term objective. In the
meantime, there is a need for a convergence strategy that will enable
interoperability and start to realize cost savings. A unified IAM system
should be at the heart of the convergence strategy.
The easiest way to embrace diverse infrastructures immediately is to
federate the parts using an identity federation tool. This avoids the need to
enroll a user in both parts of the organization, and can provide the basis for
SSO across the enlarged enterprise. This scenario is a relatively simple
scenario for deploying identity federation as there are no issues
surrounding inconsistent standards of identity assurance to resolve. In this
scenario, the deployment team can focus on the technical issues.
Moving forward, the business will want to increase the level of convergence towards total unification.
The IAM system should allow the move to be made incrementally, with federation technology ensuring
that users retain their necessary access permissions on both sides of the merged organization.
2.4 Cloud services add urgency to the need to
federate identities between organizations
Use of cloud services requires corporate identity to be externalized
Many organizations are using or planning to use cloud services. The issues surrounding access control
are particularly important for cloud services. Public cloud services are accessible to anyone on the
Internet, with only the access control mechanism between the corporate
intellectual property and the outside world. Services implemented in a so-
called “private cloud” on the corporate Intranet are also relatively open to
unauthorized access.
Access control to cloud services has two main requirements:
• User authentication has to be strengthened to reflect the ease of access
to the service portal and the value of the information and processes behind that portal.
• The directory of authorized users of the service has to be kept up to date. It needs to be
automatically synchronized with the internal corporate IAM directory to be both secure and efficient.
Access control based on user IDs and passwords held within the cloud service does not meet either of
these requirements. The best option is to configure the cloud service to accept assertions from the
corporate IAM system as the only means of gaining access to the service. The user experience would
require the user to log in to the corporate system and then enjoy an SSO transfer to the cloud service
when required during their session. The strength of authentication is determined within the internal IAM
environment. A possible compromise is to configure the service to use an assertion from the corporate
system as a second authentication factor. This can deliver most of the security benefits of full
integration, but it does not give the user seamless access to the cloud service or perform automatic
provisioning and de-provisioning.
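As an added illustration of the "assertions as the only means of access" option above (not part of the Ovum report and not any vendor's implementation), the Python below shows the checks a cloud service performs on an assertion from the corporate IAM system: signature, issuer, audience, validity window, the strength of authentication the IdP vouches for, and membership in the service's directory as synchronized from the corporate one. A shared-secret HMAC stands in for the XML signature of a real SAML assertion; the issuer and audience URLs, the secret and the user names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
IDP_ISSUER = "https://idp.example-corp.invalid"          # placeholder corporate IdP
SERVICE_AUDIENCE = "https://crm.example-cloud.invalid"  # placeholder cloud service


def _sign(body):
    # Stand-in for the signature on a SAML assertion or OpenID Connect token.
    return hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_assertion(user, auth_level, now, ttl=300):
    """Corporate IdP side: who authenticated, how strongly (1 = password only,
    2 = two-factor), for which service, and for how long. The strength of
    authentication is decided here, inside the corporate environment."""
    claims = {"iss": IDP_ISSUER, "aud": SERVICE_AUDIENCE, "sub": user,
              "auth_level": auth_level, "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + _sign(body)


def verify_assertion(token, synced_directory, now, min_auth_level=2):
    """Cloud service side. The assertion is the only way in; there is no local
    password to fall back on. Returns (accepted, subject or refusal reason)."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(_sign(body), sig):
        return False, "bad signature"            # tampered claims or unknown signer
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("iss") != IDP_ISSUER:
        return False, "unknown issuer"
    if claims.get("aud") != SERVICE_AUDIENCE:
        return False, "wrong audience"           # minted for a different service
    if not claims["iat"] <= now < claims["exp"]:
        return False, "expired or not yet valid"
    if claims["auth_level"] < min_auth_level:
        return False, "authentication too weak"  # requirement 1 in the text
    if claims["sub"] not in synced_directory:
        return False, "user not in synchronized directory"   # requirement 2: de-provisioned
    return True, claims["sub"]


if __name__ == "__main__":
    now = 1_700_000_000
    directory = {"alice", "bob"}          # as synchronized from the corporate IAM directory
    print(verify_assertion(issue_assertion("alice", 2, now), directory, now))
    directory.discard("bob")              # bob leaves; the next sync removes him
    print(verify_assertion(issue_assertion("bob", 2, now), directory, now))
```

The last two lines of the main block show why directory synchronization is a requirement in its own right: an assertion for a leaver can still be cryptographically valid, and only the synchronized directory turns it away.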
While this discussion represents current best practice, regulators and legislators lag behind technology.
Organizations may find their options restricted by regulatory impositions. For example, financial
services regulators generally dislike passwords being shared between services. It remains to be seen
how they will react to a claims-based access regime, which effectively means using the same password
as the user’s system login.
Federation delivering benefits
The early history of identity federation saw most deployments in configurations in which a central
organization wants to improve collaboration with several of its business partners. Typically a large
corporation would want to tighten its relationship with its suppliers or channel partners. The two major
civil airline manufacturers, Boeing and Airbus, both made extensive and
successful use of identity federation technologies, along with major
automotive manufacturers.
The other area for which federation has delivered substantial benefits is
bringing together the parts of an enterprise following a merger or acquisition.
Federation is starting to move out into more diverse deployments, including
ones in which there is a more flexible community of organizations than the
rigid “hub-and-spoke” configuration in the early deployments. Some of
these deployments are enjoying a simplified design by adopting the
managed federation services available in the cloud.
Even when federation services are used, the user identities are retained in-
house. The common characteristic of all federated identity deployments is
that each user identity remains with the user’s employer, and the employer asserts their access rights
to the other partners when required. This ensures that other partners do not incur a user management
overhead by participating in identity federation, as well as protecting the privacy of the individual.
Technology issues
IAM usually focuses on controlling access to systems and information by human users. However, in the
collaborative and automated business environment that is emerging, the concept of identity needs to
be broadened to include corporate entities, computers, processes, services, and applications.
Integrated cross-organization automated processes need to control access by all of these. These can
collectively be described as “objects”, taking the terminology from the
object-oriented programming world. Thus, IAM systems need to be able to
manage identities for any such object, and these objects need to have the
means of identifying and authenticating themselves.
The leading IAM suites available today are fundamentally architected to
deal with objects of all types, but some of the user interface components
need to be tailored to fit these broader concepts.
The claims-based approach to inter-organizational access control is a
sound basis for moving forward. Unlike some earlier protocols, it is scalable and flexible. Claims are
simple statements that can be composed into more complex requirement statements using the basic
operators in Boolean logic such as “and” and “or.” Using these avoids the
significant administrative burden of maintaining access control lists.
Many organizations find role management a particularly difficult task. Roles
define sets of entitlements and are an efficient method for grouping employees
who perform similar duties. Most IAM suites allow individuals to perform a set
of roles. However, many employees perform tasks that are not identical to
those of any other person in the organization, particularly those in
management or knowledge-worker fields. In these cases, roles become cumbersome and confusing. IAM
products should allow administrators to combine role-based access permissions with additional individually
allocated permissions, and should not force everyone into the role model.
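The two preceding paragraphs describe claims composed with Boolean "and"/"or" into requirement statements, and roles that must be combinable with individually allocated permissions. The Python below is an added example serving both points; it is not from the report or from any IAM suite. The tuple-based policy language, the role catalogue and the organization and user names are constructed assumptions, and a "federated" partner is modelled simply as a principal whose organization claim differs.

```python
from dataclasses import dataclass, field

# --- Claims and their Boolean composition (constructed policy language) ---
# A claim is a (name, value) statement asserted about a principal; a requirement is
# a claim or an "and"/"or"/"not" composition of requirements.
def claim(name, value):
    return ("claim", name, value)

def AND(*reqs):
    return ("and",) + reqs

def OR(*reqs):
    return ("or",) + reqs

def NOT(req):
    return ("not", req)

def satisfied(req, claims):
    """Evaluate a requirement tree against the set of claims presented."""
    kind = req[0]
    if kind == "claim":
        return (req[1], req[2]) in claims
    if kind == "and":
        return all(satisfied(r, claims) for r in req[1:])
    if kind == "or":
        return any(satisfied(r, claims) for r in req[1:])
    if kind == "not":
        return not satisfied(req[1], claims)
    raise ValueError(f"unknown requirement kind {kind!r}")

# --- Roles plus individually allocated permissions (constructed role catalogue) ---
ROLE_CLAIMS = {
    "accounts_payable": {("entitlement", "invoices:read"), ("entitlement", "invoices:approve")},
    "auditor": {("entitlement", "invoices:read"), ("entitlement", "ledger:read")},
}

@dataclass
class Principal:
    name: str
    organization: str                    # in a federation, asserted by the employer
    roles: set = field(default_factory=set)
    individual: set = field(default_factory=set)   # grants that fit no role

    def claims(self):
        c = {("organization", self.organization)}
        for r in self.roles:
            c.add(("role", r))
            c |= ROLE_CLAIMS.get(r, set())
        return c | self.individual

# One requirement per protected action; no per-user access control list exists anywhere.
POLICY = {
    "invoices:approve": AND(claim("entitlement", "invoices:approve"),
                            claim("organization", "acme"),
                            NOT(claim("role", "auditor"))),     # separation of duty
    "ledger:read": OR(claim("entitlement", "ledger:read"), claim("role", "cfo")),
}

def authorize(principal, action):
    req = POLICY.get(action)
    return req is not None and satisfied(req, principal.claims())


if __name__ == "__main__":
    carol = Principal("carol", "acme", individual={("entitlement", "ledger:read")})
    print(authorize(carol, "ledger:read"))          # granted outside the role model
    print(authorize(Principal("dave", "partnerco", {"accounts_payable"}), "invoices:approve"))
```

Because a requirement refers to claims rather than to named users, adding a partner organization or a new employee changes nothing in `POLICY`; only the claims they present change, which is the administrative saving the text describes.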
There is a divergence of opinion about whether IAM systems should manage both access to IT systems
and physical access to facilities, or whether they should be limited to information system access. Cost
and complexity are increased if physical access is included. However, the combined approach allows:
• the leveraging of identity credentials such as smartcards
• the use of a single identity directory, giving some economy
• security to be enhanced using a joined-up view – for example, physical presence can become an
implicit authentication factor.
However, a unified approach means that you will have to register everyone who works on site, even if
they never use the IT systems – including cleaners and security guards.
2.5 The vendor landscape has been rationalized
The vendor landscape has consolidated around big IT suppliers
The vendors of the main IAM suites have been acquired by the big IT infrastructure vendors. In some
cases, such as with CA, IBM, and Oracle, the vendor has made a number of small and large
acquisitions over time to arrive at its current position. In contrast, some vendors such as Microsoft and
Novell have largely built up their IAM offerings by internal product
development. The current dominance of the market by the big players is a
consequence of the central role that IAM plays in IT management and
delivering IT compliance. Organizations want to buy fundamental
capabilities from a strong vendor with which they already have a substantial
relationship and whose IAM systems will fit in well with their IT
environments. The vendor landscape reflects the fact that IAM projects are
“big-ticket”, long-term, and strategic.
The trend towards big vendors has also been driven by the commercial
aspects of this market. Until recently IAM vendors found it difficult to make
a profit in a relatively slow market. However, the consultancy work that went
with an IAM project was more lucrative. This encouraged vendors with
large consulting practices to be active in IAM.
A large group of vendors specialize in particular aspects of the technology,
such as identification or authentication, clustered around the IAM suite providers. These include
smartcard providers, biometric product vendors, and suppliers of a range of innovative authentication
approaches. These products can interact with IAM suites using standard protocols such as the
biometric application programming interface (BioAPI) protocols, supplemented with various amounts of
bespoke integration work.
Sun’s demise has provided the latest crumbs
The club of IAM suite providers is now quite small and fairly stable. However, there have been two
notable exits in recent years. In 2008, HP sold its IAM practice to Novell, which was already a major
player in the space. In 2010, Oracle completed its acquisition of Sun Microsystems, including the latter’s
IAM products. As both vendors had comprehensive suites, there is a lot of rationalization ahead, with
most cuts falling in the former Sun portfolio. Oracle has provided an open
path, allowing organizations that currently use Sun’s suite to migrate to its
products, in addition to incorporating a few Sun products into its range.
However, Oracle faces competition from Courion, which has also laid out a
migration route for Sun users and is a strategic provisioning partner of RSA.
As IAM is becoming increasingly strategic, both infrastructure vendors and
security vendors that do not have an IAM offering are looking less credible in their fields. Most aspects
of information protection require an awareness of who is accessing the information.
The focus of security is to move from network security to information protection, throwing the spotlight
on gaps in the vendor’s portfolio. At the same time the limited number of players limits the scope for
partnerships, which in most cases would be with a competitor. The number of potential acquisition
targets is now small.
Currently, we can only speculate on how vendors such as HP, Symantec, Cisco, and Intel/McAfee will
respond to the new market perspective.
2.6 Recommendations
Recommendations for enterprises
IAM is a strategic project that needs a strong, long-term business strategy behind it. If the project is
executed well it will deliver a high rate of return, both financially and in terms of improved governance.
It must be driven by business considerations and supported by buy-in at the highest levels in the
organization, not least because it will require changes in business processes. Implementation is best
approached in an incremental fashion.
IAM is as much about working with partners and outsiders in the extended enterprise as it is about the
internal IT systems. Systems must be designed to accommodate any foreseeable expansions and
extensions in the working realm.
Cloud services are about to boost the importance of IAM in the enterprise. The cloud service provider
can be regarded as an important business partner that needs to be brought into the federated identity
net.
Recommendations for vendors
IAM is also strategic for vendors. It is a sticky technology that can reduce customer churn by locking
customers in to building processes around your technology. IAM is now more than just an opportunity
to drive consulting engagements, and has become a cornerstone around which to build systems
management, compliance, and security offerings.
CHAPTER 3: Identity and access management and compliance
3.1 Summary
Catalyst
The use that is made of identity and access management (IAM) technology within the public and
private sector is growing in line with the threat environment. Most organizations understand the
need to maintain control over who is allowed to access their information assets. They recognize
the negative impact that not having the proper identity management controls in place can have
on the organization and its reputation. They also appreciate that industry regulators have the
power to extract fines and impose sanctions when organizations fail to fulfill their compliance
obligations.
Ovum view
The deployment of IAM technology should be seen as a vital component of an enterprise security
strategy. The use of IAM is foundational to controlling who has access to operational information
systems. Knowing which users are allowed to have access to which information systems and aligning
control with the operational rules and access policies improves the organization’s security position and
helps towards achieving regulatory compliance.
Domestic, industry-related, and international regulations all have an impact on the actions that
companies must now take in order to be compliant. IAM solutions should not be purchased just to help
tick compliance boxes. The value of the technology to businesses ought to bring together important
efficiency improvements such as providing streamlined access to all
available systems, efficient user provisioning and role management
services, and the ability to share systems access with authorized third
parties. It should also address the need to protect the integrity of business-sensitive data;
controlling as well as facilitating access for information users helps to reduce data theft and fraud.
The deployment of IAM never was and is not likely to become an easy fix
for broken operational structures. The implementation of the products can
be complex and difficult to achieve and maintain. There have been many
examples of organizations that have struggled to gain business value from
the technology, often because they have been unrealistic in their objectives, or have failed to gain
project buy-in at the highest levels of management. However, when an organization gets its IAM
deployment strategy right, operational improvement, continuity, and security benefits accrue and as a
result compliance and audit advantages become more achievable.
Key messages
IAM delivers services that are relevant to business improvement, continuity,
protection, and compliance.
Regulatory compliance has a demanding impact on most organizations.
Audit adds urgency to the need for a better IAM infrastructure.
Continuity and the lifecycle approach to managing identity delivers business
value.
Everyone needs to be accountable.
Achieving and proving compliance is a key business objective.
3.2 IAM delivers services that are relevant to business improvement, continuity, protection, and compliance
IAM provides vital business services
Organizations evolve and change as the demands of their operations grow or indeed contract.
Competitive influences dictate that most businesses are constantly looking to improve their existing
operations.
Cost controls dictate that more must be achieved with fewer resources and
always more efficiently. Automation, self-service, and a whole range of
associated approaches are used to deliver improvements. Similar
demands are placed on continuity requirements, such as the need to
efficiently deliver corporate services while remaining fully protected and,
importantly, achieving the above objectives without falling foul of
compliance regulations.
A common theme that runs across many business requirements is the need
to make use of IAM to understand and control who has the right to access
our systems, what use they can make of that access and where they are
allowed to gain access from. As such, it is no surprise to find that IT
administrators struggle to keep pace with the need for change and at the same time maintain a balance
between the organization’s desire to improve its operations and its need to remain secure.
IAM can be used to improve service delivery – but beware
Business improvement, efficiency savings, and the sometimes conflicting need for operational
continuity are often addressed through an attempt to deliver an increased level of automation. This
usually involves growth in the use of self-service and online facilities. For IT administrators working with
IAM systems, there will be a need to improve service efficiency and deliver automated user
provisioning, authentication, and access control services that meet the self-service requirements of the
business and its users.
Since the earliest Active Directory (AD) and associated Lightweight Directory Access Protocol (LDAP)
management systems made their way onto the market, the value to business of controlling users has
been widely recognized. That is not to say that technology associated with the management of identity
that we conveniently bundle under the IAM label has always been particularly successful in achieving
these objectives, but at least the opportunity has been there.
For many organizations the struggle continues, and for those that have
deployed fully-featured IAM solutions or selected components of IAM the
resulting benefits have often been less than impressive.
Problems have occurred for a number of reasons. Some are directly
attributable to the vendors and the solutions that they deploy being too
complex and impractical. Others fall squarely at the feet of end-user
organizations that have not fully understood the internal commitment that
successful IAM projects require. Organizations have gone into identity
management projects without a clear enough vision of the ultimate
objectives, or have simply tried to do too much too soon.
In such cases, IT has had to either go back to the basics of locally managing identity directories or
starting up second- or even third-generation IAM deployments.
Controlling identity and user access is vital
Making use of IAM technology to achieve business improvement and
continuity benefits and, at the same time, remaining secure and compliant
involves the deployment of good quality IAM services that are also easy to
use. The objective is to identify and control authorized users and provide
systems access whenever and from wherever access is demanded within
the rules of the organization.
Controlling and maintaining ease-of-access to information systems is vital to achieving business
success. At the same time, those elements of control that ensure that unwelcome visitors can be
rejected and the compliance components used to scrutinize how access to business-sensitive systems
and their data is controlled must also be maintained.
Business improvement and compliance objectives need to be addressed
A driving force behind the use of technologies such as IAM is the
competitive nature and efficiency demands of business organizations. In
many organizations, changes to business operations continue at a fast
pace; updates and additions to user communities, operational work groups,
and project teams can be just as dynamic and, as such, need to be managed
as efficiently as possible.
Without the structure and management components that IAM provides,
organizations will struggle to keep pace with the maintenance overheads
needed to ensure that users and the data controlling their access rights are
kept up to date. Integrated IAM is required to support business improvement
and at the same time to ensure that compliance objectives are not ignored.
3.3 Regulatory compliance has a demanding impact on most organizations
Organizations need to deal with compliance as part of their operational infrastructure
Maintaining regulatory compliance and ensuring that the operations of an organization remain within the
required parameters involves combining the use of good technology controls, ensuring that systems
users are responsible for their actions, and putting controls in place that are both usable and effective.
Depending upon the industry and geographical location of the business, different regulations, rules, and
interpretations of compliance mandates apply. The Sarbanes-Oxley (SOX) Act, while not forcing the use
of specific security products, takes in the requirement to be able to maintain the validity of corporate
information and control who has access to it.
Where there is commonality in the rules and processes that can be applied to specific regulations, such as
the Payment Card Industry Data Security Standard (PCI DSS) for the handling of financial data or the
Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector, there is the
opportunity to set up and make available common operational processes.
For example, PCI DSS dictates that where sensitive data are being processed or held, those data need
to be encrypted; the rules and regulations also determine how long and under what circumstances
those data can be held.
What organizations must do to ensure that they do not repeatedly fall foul of regulations that have
already been addressed is to make sure that the information that they hold cannot be subverted during
normal operational activities. Information relating to customers, citizens,
finances and so on may be held legitimately. That said, if access to
sensitive information is not continuously controlled then all the compliance
efforts that have gone before count for nothing.
A fundamental requirement for the protection of sensitive data involves
controlling who has access and influencing what users can do with data
once access has been granted. Importantly, it must also involve having the
knowledge and information required by the company’s auditors to be able
to prove that the right user controls were applied.
In an ideal world the demands of the chief information security officer would
be for reliable, accurate, auditable IAM controls that safeguard and
manage all access to key business systems and the sensitive data that
they hold. Realistically, however, we have to accept that restrictions will be placed on what can be
achieved, because of the costs involved and IT budget restraints.
What ought to be considered is how IT can make better use of the IAM
facilities that they already have in place, how the operational use of user
authentication and access control facilities can be aligned to the acceptable
risk profile for the organization and how IAM can be used to improve the
security and compliance profile of the business.
Addressing the compliance challenges and drivers
Properly deployed IAM services deliver usability for an organization’s authorized users and invoke
controls that help to maintain security and compliance.
The requirements of the organization should include achieving full control over user access rights and, in
doing so, providing the audit trail and management reporting facilities that prove that control is being
maintained. This involves the use of stop-and-block controls, but ought to also include the use of warnings,
alerts, and reports that are delivered to the appropriate authorities when suspect activities take place.
Starting operational compliance involves having the ability to record all identity-related events, which
includes both accepted and rejected access attempts. It involves making effective use of technology to
automate the controls that are needed to allow or deny access, to detect and report on wrongdoing, and
to deliver corrective actions.
Some of the latest access control and systems management problems that
organizations face involve external influences. These originate with both
the business partner organizations and users that need to be controlled
and the mixed operational environments that need to be supported. IAM
has to be capable of working on behalf of mixed user groups across mixed
physical, virtual, and cloud based operations.
The requirement involves the ability to maintain control. Specifically, it is
about managing the provisioned rights of users to ensure they are kept up
to date and that all de-provisioning elements are also effectively
addressed. For leavers and users whose role within the organization has
changed, this is a particularly important issue. Included within this area is any separation of duties that
needs to be applied. This specifically includes access controls that are focused on privileged users, with
the intention of ensuring that all user entitlements are proportionate.
Addressing specific compliance issues with IAM
PCI DSS
PCI DSS does not force the use of specific protection products or services. It does, however, define
industry best practices for how credit and debit card information should be handled while being stored
or communicated during transaction processes.
PCI DSS data protection requirements that need to be maintained involve
the strengthening of common security protocols; specifically, this includes
reducing the opportunities for unauthorized users to access customer-sensitive information.
It includes ensuring that external access channels
are properly controlled and also has implications for what access internal
users (employees, contractors, etc.) should be allowed to have.
Following various widely reported data-theft incidents, many caused by internal users, there are
specific PCI DSS requirements that are intended to limit employee access to customer credit card and
associated financial information. Such access controls need to be measured and maintainable and
supported by reporting services that satisfy the needs of IT and the company’s auditors.
PCI DSS dictates that user access to financial data (credit and debit card data) should be limited to
users who clearly need to see and work with this information. It specifically requires organizations that
handle card data to implement strong access control measures. The standard states that access by business
users must be on a need-to-know basis. Authorized users must be assigned a unique identity so that
their access requests can be recorded and analyzed, and to ensure that physical access to cardholder
data is controlled.
HIPAA
HIPAA compliance, with its specific focus on the healthcare sector, and that industry’s increasing
dependence on constantly updatable patient information, present a number of interesting identity
challenges that can be addressed through the use of IAM. The focus is on the need for improved
security and privacy and further demands for efficiency and quality of service. The regulations and
standards that are applied alongside HIPAA are wide-ranging.
IAM can be used to provide administration and access controls that protect
sensitive medical records. The requirement is for products that are capable
of controlling access to electronic records in complex enterprise
environments. Healthcare systems share patient and associated healthcare data at local
and national levels.
The underlying requirement involves controlling how information is collected, stored,
and transported. Once this is achieved, however, the key objective
switches to how healthcare institutions are able to keep operational data
available and accessible and safe from unauthorized use, which is where
IAM has an important role to play.
HIPAA data protection requirements are supported by the IAM’s ability to
control which users have access to particular systems, applications, and
data. By controlling and reporting on the management of users, their
identities, and their access rights in line with the policies and operational
rules of healthcare operations, the deliverable components of compliance can be achieved. Also the
automated nature of IAM can be used to reduce the cost of healthcare compliance.
IAM takes responsibility for controlling user access; it also addresses privacy, security, and audit
requirements. These are critical HIPAA issues, particularly when organizations are operating across
distributed and networked environments. Allied to this is the need to change, update, or remove access
rights when employees change jobs or move on. This is a specific business risk that IAM can be used
to address. The management of user credentials falls into the same category of importance to ensure
that usernames, passwords, and other strong access credentials are maintained. Other areas that IAM
covers and are relevant to HIPAA compliance requirements include the enforced segregation of duties
wherever this is appropriate, and directly linking the provisioning elements of user access to the role of
each user within the organization.
SOX
The SOX act specifies that a company’s financial reports must be both verifiable and auditable. To
achieve these objectives, organizations and their IT management must be able to prove that the
company’s critical software applications are only available to approved
personnel, and that access cannot be exposed to failure by human error or
sabotage.
While SOX is not specific about which IT security systems should be
deployed, it does require organizations to implement strong access control
facilities in order to fulfill user management objectives.
IAM provides the required elements of identity management and access control.
Therefore, when its use is supported by
compliance-based best-practice templates, facilities can be tailored to
address the needs of SOX. Examples of this include the provisioning of
access rights to each business-critical system or information resource that
is fully aligned with the individual’s exact needs as specifically defined by
their job description or role within the organization.
Audit and reporting capabilities can also be used to prove that only
authorized users could have gained access to sensitive information. This
level of control can be extended to necessary business process constraints and can be applied by
provisioning and role management systems to include separation of duty controls and regular
assessments of current access rights and privileges.
Compliance demands are driven by common themes
Among a number of common control themes that run across the regulatory compliance relationship
between regulators and the organizations that are required to comply with their rules is the ability to
prove who your users are and control what they are allowed to do.
If you drill down into the regulator’s expectations of how identity ought to be used to control user access,
there are elements that are standard to the general usage of IAM in most business operations. Where
the additional requirements occur is around the issue of the information that is required to ensure that
only the right users can access specific systems and their data.
Even after adding the burden of proving that users are who they say they are and that their access
rights are balanced and appropriate, and supporting the required controls with audit-level evidence, the
use of IAM for compliance is not overly burdensome. These requirements make IAM into a frontline
component of compliance. Its wide-ranging use across different industry verticals also makes it
available to support the controls required by many different industry regulations.
3.4 Audit adds urgency to the need for a better IAM infrastructure
Audit helps organizations to prove compliance
Government and industry regulations, such as those mentioned in the previous section, demand that
organizations exercise proper control over customer and financial data and business-sensitive systems.
The requirement is to be able to prove compliance. How are organizations expected to achieve this in
a way that is wholly acceptable to each regulatory body? One suitable method is being given a clean
bill of health by an independent external IT audit report.
Most successful enterprise organizations are both dynamic and busy. To maintain their required levels
of efficiency they need to have facilities in place that automatically provision, maintain, and manage
user identity resources. An important part of the complete resource management role involves the
ability to record and report on all identity-related activities, including those that involve changes to user,
role, and segregation of duty permissions.
Continuous compliance assists with audit processes
Continuous compliance is an objective that most organizations would love
to achieve, but many struggle to get there. The vast majority of enterprise
IAM products claim to provide a range of authentication, provisioning, role
management, web and enterprise single sign-on (SSO), and password
management facilities that address compliance issues. They also claim to
be able to detect and remediate against anomalies found on an ongoing
basis, and maintain all management information for future use.
It is worth emphasizing that this particular level of good practice, if it
becomes a reality, is viewed favorably by auditors. In real terms it helps to
position the organization as being efficient and strong in the delivery of
security and management controls. From a purely practical perspective, it can also help minimize the
time that the auditors will then take to test and validate the organization’s security controls.
Good IAM practice provides business benefits
There are many different examples that show how IAM is being used to achieve compliance and how,
through the use of automation, such activities also find favor with an organization’s auditors. One good
indicator that is often put forward is that of how effectively employees that leave an organization or
change their role are dealt with.
The requirement for dealing with disowned accounts is spread across three levels. First
of all, organizations need to know about and be able to identify all user
accounts that are no longer valid; then they need to have the ability to take
the required corrective actions. This may involve suspension, change
management, or the removal of access rights.
The final element in the process involves recording and reporting on the
actions taken. The type of audit controls envisaged can also be extended
to ensure that account managers carry out periodic review processes to
certify that active users in their domain have the right access entitlements
and, importantly, that they retain the need to keep those entitlements.
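As an added example (not from the report or any vendor product) of the three-level handling of disowned accounts described above, combined with the de-provisioning, role-change and separation-of-duty checks discussed under “Addressing the compliance challenges and drivers”, the following reconciles a directory export against an HR roster and produces the audit trail of corrective actions. All employee ids, usernames, roles, entitlements, the separation-of-duty rule and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                 # "active" or "terminated", as fed from HR
    role: str                   # current role according to HR


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None when the directory account has no HR owner
    entitlements: FrozenSet[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str                   # ORPHAN, LEAVER, EXCESS, SOD or DORMANT
    action: str                 # corrective action to be recorded and reported
    detail: str


# Constructed HR roster (hypothetical employee ids and roles).
HR_ROSTER: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "active", "ap_clerk"),
    "E101": HrRecord("E101", "active", "ap_manager"),
    "E102": HrRecord("E102", "terminated", "dba"),
    "E103": HrRecord("E103", "active", "dba"),
}

# Constructed role baseline: the entitlements each role is allowed to hold.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "ap_clerk": frozenset({"ap_create_vendor"}),
    "ap_manager": frozenset({"ap_approve_payment"}),
    "dba": frozenset({"db_admin"}),
}

# Constructed separation-of-duty rule: one identity may not both create
# vendors and approve payments to them.
SOD_RULES: List[FrozenSet[str]] = [frozenset({"ap_create_vendor", "ap_approve_payment"})]

# Constructed directory export: bob was promoted from clerk to manager but kept
# his old entitlement; carol has left; svc_backup has no HR owner; dave holds a
# privileged entitlement he has not used for months.
DIRECTORY: List[Account] = [
    Account("alice", "E100", frozenset({"ap_create_vendor"}), date(2011, 1, 14)),
    Account("bob", "E101", frozenset({"ap_create_vendor", "ap_approve_payment"}),
            date(2011, 1, 13)),
    Account("carol", "E102", frozenset({"db_admin"}), date(2010, 12, 10)),
    Account("svc_backup", None, frozenset({"db_admin"}), date(2011, 1, 15)),
    Account("dave", "E103", frozenset({"db_admin"}), date(2010, 6, 1)),
]

AS_OF = date(2011, 1, 15)  # constructed review date


def reconcile(accounts: List[Account], roster: Dict[str, HrRecord],
              today: date, dormant_days: int = 90) -> List[Finding]:
    """Levels one and two: identify accounts that are no longer valid or are
    over-entitled, and decide the corrective action for each."""
    findings: List[Finding] = []
    for acct in accounts:
        rec = roster.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            findings.append(Finding(acct.username, "ORPHAN", "suspend",
                                    "no HR owner linked to account"))
            continue
        if rec.status == "terminated":
            findings.append(Finding(acct.username, "LEAVER", "deprovision",
                                    "HR status terminated for " + rec.employee_id))
            continue
        # Movers: anything beyond the baseline for the current role is revoked.
        excess = acct.entitlements - ROLE_BASELINE.get(rec.role, frozenset())
        if excess:
            findings.append(Finding(acct.username, "EXCESS", "revoke",
                                    "beyond role %s: %s" % (rec.role, ",".join(sorted(excess)))))
        # Separation-of-duty conflicts are escalated rather than silently revoked.
        for rule in SOD_RULES:
            if rule <= acct.entitlements:
                findings.append(Finding(acct.username, "SOD", "escalate",
                                        "conflicting entitlements: " + ",".join(sorted(rule))))
        # Dormant accounts go back to the account manager for re-certification.
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.username, "DORMANT", "certify",
                                    "no login in the last %d days" % dormant_days))
    return findings


def audit_records(findings: List[Finding], today: date) -> List[str]:
    """Level three: the audit trail of actions taken, one line per finding."""
    return ["%s user=%s finding=%s action=%s detail=%s"
            % (today.isoformat(), f.username, f.kind, f.action, f.detail)
            for f in findings]


def sample_review() -> List[str]:
    # Run the constructed review end to end and return the audit lines.
    return audit_records(reconcile(DIRECTORY, HR_ROSTER, AS_OF), AS_OF)
```

Running `sample_review()` yields five audit lines: bob is flagged twice (excess entitlement and separation-of-duty conflict), carol as a leaver, svc_backup as an orphan and dave as dormant, while alice produces no finding.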
3.5 Continuity and the lifecycle approach to managing identity delivers business value
Continuity drives the need for IAM
So far we have covered IAM continuity as it relates to continuous compliance and to the improvement
of audit processes. What have not yet been discussed are operational benefits and why it is important
to take a more inclusive view of identity management and its access control facilities.
There are two major elements that drive the need for continuous IAM control and with it the delivery of
a lifecycle approach to the management of identity. There is the requirement to fully utilize the
information resources in corporate data stores to trade as efficiently as possible. For example, making
use of the Internet to provide access to corporate data and the web as a direct trading channel means
that organizations can support self-service efficiency and customers can have 24/7 access. The other
element is the ever-increasing range of threats and malicious attack approaches that threaten to
destabilize web and associated real-time activities.
From an IAM perspective, continuity starts with the ability to manage each user from the first time that
they are provisioned with an initial set of access rights through to the time that their rights are removed.
In effect, this means management of the complete user lifecycle, a definition that may sound inclusive
enough, but in reality only scratches the surface.
This is because the nature of doing business is constantly evolving. We now share information with
suppliers and business partners and collaborate on projects. We provide customers and other system
users with all-day, every-day access to our systems and information resources. Going forward, further
interactive opportunities will emerge, they will need to be supported, and the lifecycle approach to
managing users will continue to grow.
Outsourcing and the use of managed services adds complexity
In attempting to do more with fewer internal resources, organizations are taking up the option to
outsource operations and services to contractors and are also using service providers to manage
operational systems.
Because all these external elements add complexity to business operations, they also increase the
demand for good quality IAM solutions that are capable of automatically managing mixed communities
of users across physical and virtual operating environments. A further issue
is the requirement for continuity when considering the IAM controls needed
to deal with internal and external users while still attempting to reduce
security risks.
IAM is an essential product in the battle to maintain control over who and
what can gain access to information systems. However, bringing systems
access and usage up-to-date and including the key considerations of web
clients and general Internet access is challenging.
The increasing volume of remote access demands is changing the systems dynamics of IAM. It means
that some longstanding identity management solutions are now overdue for an update. To remain
fit-for-purpose, their services need to be brought up-to-date to meet the demands of collaborative working
practices, shared information services, and operations where third parties, business partners, or service
providers have control over everyday information assets.
The effective management of identity is a precursor to successful data loss prevention (DLP)
IAM controls user access to operational systems and addresses many of the control issues related to
regulatory compliance and audit. Another area of IT security that directly associates itself with the
demands of the regulators is the prevention of data loss.
Business users can play a primary role in putting an organization’s data
assets at risk. Therefore, the case for aligning the use of DLP solutions and
their ability to protect sensitive data with core IAM technology that assigns
and controls user access rights is a strong one.
The protection role of DLP involves the need to work with existing
infrastructure systems such as AD and other common LDAP directories. It
entails a requirement to integrate with existing IAM facilities in order to understand what systems
access rights each user or group of users has. Leading on from this, once those access rights have
been accepted, it also requires the ability to work with permission-based roles in order to ensure that
what users go on to do complies at each level with the organization’s data usage policies.
Controlling who has access to an organization’s systems and information resources becomes very
difficult to achieve without an integrated relationship between core management systems such as IAM
and DLP.
3.6 Everyone needs to be accountable
IAM provides organizations with well defined access management tools
IAM technology provides the tools to ensure that effective access management facilities can be
implemented across organizations. This represents the starting point for controlling the rights of each
user.
A common misconception is that having achieved this objective, the task is
complete. This of course is not true. It is only the beginning of a continuous
process that requires IT administrators, business managers, and
responsible infrastructure departments, such as HR, to collaborate on the
provision of effective controls.
The object is to provide information users with
all the access rights that they need to do their
jobs. At the same time, the correct security
balance requires that the access provided is
appropriate to fulfill a user’s role within the
organization, and limited for compliance purposes to those systems and
information resources that they need to have.
That said, the needs of individual users constantly change; promotions change roles, new arrivals need
to be provisioned, and leavers must have their systems access rights removed in a timely manner.
Security aligned with usability is what needs to be achieved. IAM provides tools that can deliver the
required objectives, but not without help from process owners and business managers.
Arguments against the efficiency of IAM and its ability to achieve the required user control objectives
suggest that previous generations of the technology were not up to the task because they focused purely
on the security issues. They did not do enough to deliver a sustainable model of continuous access.
Access governance that ensures that the policies of the organization are in alignment with the provisioning
and role management elements of IAM is what is required. However, delivering this balanced approach
requires the skills of a knowledgeable management team, good administration, and effective levels of
automation from technology that can fit with both operational and compliance requirements.
Compliance demands that users play their part
Technology can be used to provide as many automated processes as an organization demands.
Provisioning, password management, SSO and user self-certification processes have been improved
for the benefit of the business and to achieve cost savings using automation and self-help approaches.
That notwithstanding, any automated delivery approach is only as good as the back office rules,
processes, and management that have been put in place to deliver the service.

Provisioning facilities that are not properly controlled by strong rules and not regularly maintained by
administrators and process owners can result in users having open access where this is not
appropriate, or not enough rights to do their jobs.

Password management that is too easy to bypass or too complex to maintain has the same issues.

SSO that is delivered with the right levels of control can be extremely beneficial to users and the
business, but SSO without strong protection can put the whole organization and its information
systems at risk.
In all these areas, self-service and certification can have an important role to play, but to maintain
compliance, usage has to be aligned with levels of control that are appropriate to specific user groups,
roles, and access rights.
Role management helps to align many people-to-process issues
When organizations are looking to achieve that important balance between securing the business and
its information assets and the demands for open information access from users, strong and informed
business decisions are needed.
Since the first early-adopter IAM systems were deployed, there has been a
constant debate about how to make password management systems as
secure as possible, and the unreliability of static passwords. Provisioning
systems brought about an automated look and feel to the way that users
were provided with access to systems. However, as before, early
approaches lacked control and security, and many such systems continue
to be poor at managing the whole user lifecycle.
In some cases, typical problems that remain include the inability to
adequately control users that have out-of-date access rights, to deal with
users with more than one identity, and to completely remove access rights
from users that have left the organization but retain the ability to access
corporate information.
Without doubt, the provisioning systems provided by some IAM vendors
are more inclusive and better at controlling user and full lifecycle
management issues than others, but in many cases, more work is needed.
Alongside the use of provisioning services, role management facilities are
receiving a significant amount of attention. Role management is being
deployed so that organizations, especially those of a significant size and
with an enterprise infrastructure, can be managed in line with the
requirements of the business. One strong argument in favor of the
approach is that the protection requirements of businesses include regulatory compliance, and the
delivery of role management services takes this into account.
When used correctly and directed towards the combined security, compliance, and operational
requirements of the organization, role management facilities allow job functions to be structured and
defined into categories that are aligned with operational and business access needs.
Systems administrators and business managers have the opportunity to define and structure roles and
user groups to match their business operations; these can be categorized by local department or by
particular project, or defined by geography or business unit.
Role management delivers the type of structure to IAM that aligns its use with the operational and
compliance requirements of the business and its users. For IT and process owners, the structure that
role management brings with it provides visibility into an organization’s user access credentials; all
existing roles are defined and visible, and setting up new roles becomes more straightforward while also
meeting business and IT infrastructure demands.
Using a top-down approach, role management can be linked to business
process usage and, because business processes need to take in
compliance requirements, the approach pulls together business and IT
requirements. Like any other set of IAM components, role management
services are only as good as the people who manage their use. Roles will
change on a frequent basis. Users within groups will change and move on.
Provisioning allows users and their access rights to be properly controlled,
while role management adds further efficiencies as users are assigned to
roles and roles are linked to business operations.
3.7 Achieving and proving compliance is a key business objective
The difficulties of achieving compliance need to be overcome
The scope of regulatory compliance demands can be extensive. For governments, they cover international,
national, and local controls. For each business area, standards can be industry specific (HIPAA in
healthcare), or cut across boundaries (PCI DSS, which covers the protection
of financial transactions across many business areas). The one thing that
rarely changes is that new elements of regulatory compliance continue to be
added. Regulations and standards are tightened, extended, and often made
more difficult to achieve, and on each occasion, the emphasis is always on
organizations to find a way to comply.
Technologies such as IAM have a role to play
and can be used to improve and add
efficiencies to an organization’s approach to addressing compliance
demands. The role as a compliance-enabling technology is to deliver
automation and control to compliance processes. Business managers need
to be able to prove that compliance objectives are being achieved. IAM and
its reporting services can be used to help with this. Management also needs
to put in place operational policies that employees and other affected users
can understand and follow without it having an adverse impact on their day-to-day
activities. IAM provides the infrastructure to achieve this.
For business managers, it is important to be continually aware of
compliance demands and to be sure that they are being addressed. It is
essential to be able to validate the compliance position and support this effort with procedures and
reports that prove an organization’s status. These are areas where compliance-enabling technologies
such as IAM can help.
Make use of technology and processes that validate compliance
The most effective approaches to achieving compliance involve the use of practical systems controls.
Cost and efficiency demands drive the need to ensure compliance can be delivered as easily and as
efficiently as possible.
Establishing processes and making use of technology that addresses
particular regulatory issues is a good way to start down the road to
compliance. There is also a requirement to be able to prove that an
organization is compliant. To achieve these objectives, business and IT
managers must ensure that their processes are executed in line with
company rules and be able to prove that during audit.
When looking at the use of technology from a compliance perspective,
there is a need to consider whether it can be deployed across all areas of
the business, whether its services and management reporting can be
centrally managed, and from this, whether reports can be generated that validate its effectiveness.
3.8 Recommendations
Recommendations for enterprises
The deployment of IAM technology should be seen as a vital component of an enterprise security and
compliance strategy.
The use of IAM is foundational to controlling who has access to operational information systems.
Knowing which users are allowed to have access to which information systems and aligning control with
the operational rules and access policies improves an organization’s security position and helps toward
achieving regulatory compliance.
Domestic, industry related, and international regulations all have an impact on the actions that
companies must now take in order to remain compliant.
IAM can deliver services that are relevant to business improvement, continuity, protection and
compliance.
Recommendations for vendors
There is a growing need to provide IAM technology that delivers business improvement and continuity
benefits, and at the same time supports security and compliance demands.
Over-complexity has been a problem in the IAM sector; therefore, further improvement is needed to
make sure that good-quality IAM services are also easy to use.
Government and industry regulations demand that organizations exercise proper control over customer
and financial data and business-sensitive systems. The ability to identify and control user access is
fundamental to achieving these objectives.
CHAPTER 4: Identity services in the cloud
4.1 Summary
Catalyst
We are entering an exciting period in the development of Internet identity services. They
promise greater convenience for users, higher conversion rates from enquiries to sales for
Internet merchants, and greater assurance for Internet-facing businesses, including
government websites. They offer increased scope for performing trusted and high-value web
transactions. However, “identity” comprises a portfolio of personal information – it is much
more than establishing a user’s name – and the centralization of a user’s Internet activities
around a single identity provider increases the risk of privacy violations and fraud based on
impersonating the real user. The industry must address the new risks that come with this
change.
Ovum view
The entry of the US government into the Internet identity services market will kick-start the sector.
Inevitably, the emergence of a large guaranteed federal market stimulates the supply side to meet the
demand. Already, the standards community has responded by defining a tiered model of different levels
of assurance, and the processes needed to underpin each level. Auditing standards to ensure
compliance with these standards are following.
The tiered model is crucial for the development of identity-providing services. It not only gives
assurance to relying parties, it also provides a basis for determining the value of each band of
assurance. This, in turn, provides the basis for a business model for the providers and an appropriate
limit of liability for identity service providers.
Closed “circles of trust”, embracing collaborating organizations in a federated identity-sharing paradigm,
have largely sidestepped issues relating to business models and liability because they are a partnership
of equals who all benefit from the collaboration. The participants are prepared to share risks and costs
to enjoy the benefits of collaboration. This model will not, however, extend to working in the open
Internet.
So far, we have not seen a viable business model for identity service providers. In future, the relying
party will have to pay when people use an identity provider’s service to access the relying party’s site.
The alternatives do not address the need. We cannot expect the identity subject to pay. Internet users
are extremely reluctant to pay for anything, and are particularly unwilling to pay for something that
seems like an administrative overhead. Today, many embryonic services rely on government subsidies,
but this source of revenue will not grow; rather, it is likely to shrink. The advertising-funded model has
been tried but it is doubtful how far this model can be expanded in a privacy-sensitive area. Higher
levels of assurance incur higher costs and lower levels of exposure, since high-value services account
for only a small proportion of Internet transactions. The advertising model will therefore not support a
comprehensive identity provider sector. The only remaining source of
revenue is the relying party. The relying party benefits from the assurance
work that the identity provider has carried out, and from not having to
maintain its own identity ecosystem. This is the only viable business model.
Liability issues appear to be even more intractable than those of financing
identity services. However, this may not be the case in practice. We need
to be pragmatic. We have lived with managed service providers of various
types for many years. None of them offer compensation based on their
clients’ business loss when their service fails. Identity providers must offer
compensation for errors that is proportionate to the fees they charge for their service. This is the best
compromise that is achievable; it is not the practice today, but it is affordable since it relates to revenues
and a provider’s ability to pay. It is only feasible where the relying party pays for the service, in order to
establish the parameters of the potential compensation payment.
Key messages
The need for an Internet identity is now recognized.
Several levels of identity assurance are needed.
Legal and commercial issues are still of paramount importance.
Technology is being developed for Internet identity.
4.2 The need for an Internet identity is now recognized
The Internet identity ecosystem
Today, identity resides largely in individual websites with no interaction between them. Users have to
identify and authenticate themselves to each site or service to gain access, ignoring those passive
information sites that have no access control. Once users have given personal information to a site,
they have no control over how the information will be used. Site operators
have very little confidence in the accuracy of the information they are given.
An identity infrastructure that works across sites must be based on policy
and semantic interoperability. We therefore require standards that go
beyond the syntactic and semantic levels and embrace business process
issues such as assurance, privacy, and liability. They must be both privacy-enhancing
and cost-effective, for users and website operators alike.
The key elements of an Internet identity ecosystem are shown in Figure 4.2.1.
Solid lines show mandatory flows, while dotted lines show alternative flows.
Figure 4.2.1 Internet identity ecosystem (Source: Liberty Alliance (Kantara)). Parties shown: identity provider, identity broker, identity subject/user, relying party. Flows shown: identity credential; attribute selector; required identity attributes; session connection is established.
The identity subject can request an identity credential satisfying the requirements of the relying party
with which they want to do business. This can be done either directly or through the services of an
identity broker. The subject then has the option of filtering out attributes in the credential that are not
needed by the relying party, if the protocols and the credential structure allow this. When the relying
party is satisfied with the assurance it is given, it will open a session with the identity subject. The relying
party may be able to share the credential with other relying parties to enable a single sign-on (SSO)
session with multiple sites or service providers.
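The credential flow of Figure 4.2.1, as an added example that is not part of the report: an identity provider issues a credential, the subject's attribute selector discloses only the attributes the relying party asks for, and the relying party checks the issuer, the signature and the assurance level before opening a session, with an optional broker routing the request. The code is constructed for illustration; the HMAC key the relying party holds stands in for a public-key signature, the salted hash commitments are an assumed selective-disclosure mechanism rather than one the report specifies, and the 1 to 4 assurance levels follow the four-tier model discussed later in this chapter.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Assumption: the relying party obtained the issuer's verification key out of
# band; an HMAC here stands in for the public-key signature a real credential uses.
ISSUER_KEY = b"constructed-demo-key"

# Four-tier assurance model (levels 1 to 4) described in this chapter.
MIN_LEVEL, MAX_LEVEL = 1, 4


def _commit(salt: str, name: str, value: str) -> str:
    """Salted hash commitment to one attribute, so a subset can be revealed later."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def _signed_bytes(issuer: str, subject: str, level: int, commitments: dict) -> bytes:
    """Canonical encoding of everything the issuer vouches for."""
    return json.dumps([issuer, subject, level, sorted(commitments.items())]).encode()


@dataclass
class Credential:
    issuer: str
    subject: str
    assurance_level: int
    commitments: dict          # attribute name -> commitment
    signature: str
    # Held by the subject only: attribute name -> (salt, value). Never sent whole.
    disclosures: dict = field(default_factory=dict)


# --- identity provider ------------------------------------------------------
def issue_credential(issuer: str, subject: str, level: int, attributes: dict) -> Credential:
    if not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError("assurance level outside the four-tier model")
    disclosures = {n: (secrets.token_hex(8), v) for n, v in attributes.items()}
    commitments = {n: _commit(s, n, v) for n, (s, v) in disclosures.items()}
    sig = hmac.new(ISSUER_KEY, _signed_bytes(issuer, subject, level, commitments),
                   "sha256").hexdigest()
    return Credential(issuer, subject, level, commitments, sig, disclosures)


# --- identity broker (the alternative, dotted path in Figure 4.2.1) ---------
def broker_request(subject: str, required_level: int, providers: list):
    """Route the request to the first provider whose offered level is sufficient.
    providers: constructed registry of (issuer, level_offered, attributes)."""
    for issuer, level, attrs in providers:
        if level >= required_level:
            return issue_credential(issuer, subject, level, attrs)
    return None


# --- identity subject: attribute selector -----------------------------------
def select_attributes(cred: Credential, wanted: list) -> dict:
    """Presentation carrying the signed part plus only the wanted attributes."""
    return {
        "issuer": cred.issuer,
        "subject": cred.subject,
        "assurance_level": cred.assurance_level,
        "commitments": cred.commitments,
        "signature": cred.signature,
        "disclosed": {n: cred.disclosures[n] for n in wanted if n in cred.disclosures},
    }


# --- relying party ----------------------------------------------------------
def verify_presentation(pres: dict, required_attrs: list, required_level: int,
                        trusted_issuers: set) -> tuple:
    """Return (ok, reason); ok means the relying party opens a session."""
    if pres["issuer"] not in trusted_issuers:
        return False, "untrusted issuer"
    expected = hmac.new(ISSUER_KEY, _signed_bytes(pres["issuer"], pres["subject"],
                        pres["assurance_level"], pres["commitments"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, pres["signature"]):
        return False, "bad signature"       # also catches a raised assurance level
    if pres["assurance_level"] < required_level:
        return False, "assurance level too low"
    for name in required_attrs:
        if name not in pres["disclosed"]:
            return False, f"missing attribute {name}"
        salt, value = pres["disclosed"][name]
        if _commit(salt, name, value) != pres["commitments"].get(name):
            return False, f"attribute {name} does not match credential"
    return True, "session established"


if __name__ == "__main__":
    # Constructed walk-through: a level-3 bank credential used at a level-2 merchant.
    registry = [("social.example", 1, {"name": "Alice"}),
                ("bank.example", 3, {"name": "Alice", "email": "alice@example.org",
                                     "address": "1 Main St"})]
    cred = broker_request("alice", 2, registry)
    pres = select_attributes(cred, ["name", "email"])   # address is never sent
    print(verify_presentation(pres, ["name", "email"], 2, {"bank.example"}))
```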
The business imperative
The Internet today is a wide-open, global communications medium. Most organizations have set up
camp on its infrastructure and started communicating with customers, potential customers, suppliers,
business partners, and others. Many of them are conducting transactions
across the medium. However, each of these “camps” is a silo, operating
independently of other camps, apart from using the standard
communications protocols that the Internet provides.
An interoperable identity infrastructure that would be recognized at multiple
websites would provide a major advance towards a truly connected world.
Businesses would be spared the cost of maintaining their own identity
databases, users would find it easier to do business with multiple sites by avoiding lengthy registration
processes and by not needing to carry sets of credentials for every website they visit, and the overall
security of Internet transactions would be enhanced.
For example, in the legal profession, notaries are trying to move from paper-based to electronic
baselines. They are hampered by not having access to background databases for identity profiling.
They could also validate electronically signed documents if there were highly dependable identity
services available.
The challenges
There are numerous difficulties facing those who seek to build such a vision,
which have prevented progress over the last decade. The technical
obstacles have now largely been overcome, but the business issues
associated with constructing such a “web of trust” are still formidable. We
must look for an incremental development of identity services that will
eventually gain sufficient momentum to become self-perpetuating. Business
issues include determining legal liability, the building of a viable business
model for identity providers, and understanding what an identity service
actually delivers and what we mean by “identity”. The process of registering
individuals in an identity service will inevitably remain one where business
process issues outweigh technical difficulties. We need standards,
processes, and auditing frameworks to ensure a dependable quality.
Where the need lies
Today, identity providers are typically in the government, banking, and telecommunications sectors.
Identity relying parties come from the same sectors and from the merchant sector.
Internet identity is gaining momentum
Despite the difficulties of finding a viable business model, reliably enrolling users, determining legal liability
and understanding the role of an identity service, progress is now being made. The US government under
President Obama has thrown its weight behind Internet identity services as a
means of encouraging citizens to interact with the government online, and of
cutting the cost of maintaining its own identity services by leveraging services
in the private sector. Online services are generally cheaper to provide than
more conventional forms of interaction between governments and citizens. In
addition to the financial impact of the US government’s initiative, it is driving
standards, and in particular, it has defined levels of trust that identity services
must deliver. The government’s four-tier model has won acceptance in the
wider community and starts the process of determining the level of reliance
that can be placed on a particular identity providing service, and the level of
rigor that an identity service provider must use when registering a subject.
Levels three and four of the authentication model apply to situations where
the consequences of an error go beyond financial loss. These moves therefore establish a framework in
which the business sector can start to build services.
The OpenID movement has produced the most interoperable identity service so far. However, its initial
objective was to provide more convenient access to social networking services, and registration within
OpenID is largely self-certified. It is therefore aimed at applications where
the requirement for assurance is relatively low. In its core sector, OpenID
has been very successful. There are 250 million OpenID identities in
existence, and these are accepted at more than 10,000 websites.
Nevertheless, OpenID credentials are accepted at some e-commerce
sites, which are reporting a higher rate of enquiry-to-sales conversions than
sites that require proprietary registration. In this case, the benefits mainly
relate to avoiding the need for users to remember multiple passwords and
user IDs. The security requirement is low, as the part of the sales process
involving the payment card is not altered by the adoption of OpenID at the
entry to the website, and is still subject to the rules of the customer’s relationship with their card issuer.
Privacy and security concerns
The downside of Internet identity services is that they provide an accumulation of personal information
in a single location, and a single point of operational failure. Privacy concerns must be addressed.
A person’s “identity” is much more than a name tag. It comprises a repertoire of personal information
and a log of actions relating to the identity provider. When the identity provider expands its role to
participate in transactions between the individual and other organizations, its view of the individual
grows significantly. It can track a person’s Internet behavior and relate this to the more static identity
attributes that it holds. Identity abuse by identity providers threatens security as well as privacy. Either
the identity provider, a rogue employee, or some other hacker could misuse this information. They could
impersonate the identity subject in fraudulent or criminal transactions, as they would hold both the
means of identifying and authenticating the victim. A rigorous code of conduct or a legal framework is
needed to protect privacy from this new threat.
The high-assurance identity market needs to move out of the public sector
The identity service provider market is still in its infancy, and scarcely exists at the high end of the trust
scale. The current user registration process of each organization is rarely
visible outside of an organization; however, there are legal requirements
governing registration procedures in parts of the government sector, in
some professional occupations including healthcare, and in the financial
services sector (as a result of anti-money-laundering regulations). High-trust
inter-organization e-identity networks are mostly government
regulated (for example, in defense clearance procedures), but the use of
government-controlled schemes by the private sector is as yet very limited.
More interoperability between the two sectors is needed. In the EU, people
generally look to the government sector for trusted identities (for example, ID cards and passports),
while the US government is actively seeking more involvement from private sector players.
4.3 Several levels of identity assurance are
needed
Online identity needs to follow successful models from the physical world
The notion of having identities with different levels of assurance is sensible, and is consistent with
traditional human patterns of interaction. The definition of a system for categorizing an identity is a major
step forward. As the notion of multiple tiers of identity assurance services gains acceptance, we are tying
the concept of identity assurance more closely into a risk management context. This can be seen across
the world, as credit reference agencies play an increasing role in delivering identity assurance.
Identity comprises a large range of personal attributes. No one supplier could provide a complete
“identity” for an individual, even if the privacy issues resulting from such a concentration of personal
data could be resolved. The view of identity that an organization has of a particular individual is based
on the relationship that the individual has with the organization, as is the level of confidence that can
be placed on the identity. For example, the level of confidence that a bank has in a customer’s identity
will depend in part on how long the person has been a customer, and whether the bank has been their
only financial services provider. It will therefore not always be possible to provide a subject with the
highest levels of identity assurance.
Conversely, the relying parties have different needs for identity assurance, depending on the value of
the transaction that they are engaged in and the risks associated with it. There is a need for a range of
identity services, and the system can be made more cost-effective by spanning the spectrum from
“cheap and cheerful” to “high assurance”.
Online identity requirements
The challenge for anyone trying to specify a system for online identities is to provide interoperability,
usability, and transparency.
Online identities today typically give a low level of assurance, whereas the
physical world is characterized by high levels of identity assurance backed
by organizations with substantial assets or interests at stake, issuing
identities that are accepted by other organizations, as well as long and
deep personal relationships.
OpenID shows the opportunities and the challenges
Today, OpenID is often used as a second level of authentication in addition to a proprietary registration
and authentication process. While this gives it valuable exposure, it also shows the limitations that have
to be overcome if it is to replace existing processes.
OpenID was initially designed as a means to let people put comments on blog sites. You can use an
account on one service as a means of logging on to another service. High-trust e-IDs are rare, but
low-trust e-IDs can stimulate interest across the board. It has been shown that e-commerce sites accepting
OpenID get higher conversion rates from enquiries to sales than sites that
only accept proprietary registration. Using OpenID in preference to a
bespoke identity repository also reduces support costs. High-trust OpenID
providers, whose tokens can be reused more generally on other sites, are
starting to appear. They need an accepted standards framework to
differentiate their offerings from the mass of low assurance OpenID
credentials in circulation.
The OpenID protocol lets users select the attributes of their ID that they wish to share. This is essential
to protect the privacy of the identity subject when they begin to interact with both high- and low-value
domains. It also provides SSO to multiple sites and services. OpenID also provides brand promotion
opportunities for identity service providers.
Experience of OpenID led to the specification of the OpenID ICAM profile,
which is now specified in US government requirements.
Leveraging government standards
Standardizing identity and authentication processes strengthens security
and reduces costs. The US government has established itself as a leader
through its market power and is moving in this area before most other
organizations.
The framework emerging from the US government envisages a four-tier model for categorizing identity
provider services, and this is winning general acceptance in the industry.
Credentials will need to be available with four levels of assurance to correspond to this standard.
OpenID Exchange has set up a gathering of Internet and telephone companies to create a trust
framework for use by multiple governments (initially the US, UK, Canadian, and Japanese
governments). Their criteria are in the public domain. These comprise
technical standards and policy (rules and tools) that are certified by OpenID
Exchange and based on standards that have emerged from bodies such as
Kantara.
Enterprises, like governments, have different types of resources to protect
requiring different levels of security, although level four assurance goes
beyond what most enterprises require, and most enterprises will only use
the first three levels of the model. International Organization for
Standardization (ISO) standard 29115 defines trust levels in user registration processes to support the
model. Most protocols can already communicate levels of trust within an identity credential. National
Institute of Standards and Technology Special Publication (NIST SP) 800-63-1 (the “Electronic
Authentication Guideline”, published in December 2008) suggests authentication methods that are
appropriate for each level of identity assurance, using single-factor and multi-factor authentication. The
model is expressed in economic terms. NIST SP 800-63-1 also lists a spectrum of devices and their
underlying technologies that can be used for each level of authentication. Thus, we now have guidelines
covering identification, registration, and authentication for a multi-tier model.
US government requirements have also driven cloud-related security standards such as Security
Assertion Markup Language (SAML), InfoCards and Extensible Access Control Markup Language
(XACML).
The PIV standards
Personal identification verification (PIV) provides interoperable and shared identification across the
Internet and physical environments. It is discussed here because it is another manifestation of a
common identity infrastructure, driven out of US government programs,
although it is not a basis for an Internet identity service extending into the
consumer sector.
The PIV standard started as a mandatory US government standard,
introduced after 9/11 for identifying and providing credentials for federal
employees and contractors. It defined a standard process for issuing smart
cards with public key infrastructure (PKI) and biometrics, incorporating the
card interface specified in Federal Information Processing Standards’
(FIPS) 201 standard. It was designed to control logical access, email
signing and encryption, file signing and encryption, network VPN access,
and also to be used for physical access using procedures defined in NIST
publication 800-116. The American National Standards Institute (ANSI) is
now working to make it more applicable for enterprise use by producing a superset of FIPS 201. The
new standard is known as ANSI Generic ID Card Specifications (GICS). This allows for extensions of
additional data elements and applications. The Federal CIO Council has defined two extensions to PIV
for civil application: PIV-I (interoperable) and PIV-C (compatible). Pure PIV is expensive to implement
as it has to satisfy secure government standards. PIV-I is based on federal standards so that it can be
used in the federal infrastructure. It requires the identity management systems and processes to be
externally audited.
Therefore, PIV-C is of more interest to commercial organizations, as a means of providing strong but
affordable verification. PIV-C is supported in Windows 7 and enjoys widespread support, with the option
of adding biometrics and physical access controls, along with other applications. The smart cards still
have to meet the PIV technical specification but the issuing process is more flexible. It provides strong
authentication for every application and access point. It can still support the protection of assets up to
level four, and can be implemented using standardized and reliable middleware.
PIV-C provides an enterprise with greater security, just as it does in
government organizations. Security is both strengthened and made more
affordable through standardization using its pervasive infrastructure and
open standards. It enhances interoperability because it is designed for
third-party integration into identity management systems. It gives
assurance that product components have met the specified standards, and
provides reliable middleware that is not limited
to specific use cases. The PIV Issuance model
represents best practice. PIV-C supports multiple authentication
mechanisms, including biometric and card-based approaches.
For the vendor, compliance with PIV-C opens up opportunities to sell to the
government as it is likely to be specified in future Federal Acquisition
Regulations.
The UK Police has adopted PIV-C, largely because it combines physical
and logical access controls. PIV-C allows BlackBerry email signing and support for mobile application
access control out of the box. It closes the mobility cloud security gap in a way that is transparent to the
user. Furthermore, intense vendor competition for government contracts reduces the price.
EU OpenID trust profile project
This project extends work on building an identity framework into the realm of auditing identity providers
and registration authorities. The need for a formal framework to regulate levels of trust has been a
fundamental stumbling block in previous attempts to establish Internet identity. Relying parties get
confused by the options and need a more “black box” approach. They need a trust framework in which
the level of trust in an identity can be easily assessed. ISO 29115 may be the answer to this need, but
the framework should also clarify the roles of authentication provider and
registration authority. The EU has set up a project to address these needs,
the evaluation of which is due in the first half of 2011.
4.4 Legal and commercial issues are still of paramount importance
Business case development
Organizations in both the public and private sector want to embrace shared
services from identity providers to achieve operational efficiencies, to raise
security levels, and to increase the use of their online services. Technologists
have made considerable progress in defining standards for interoperable
identities and developing secure protocols. However, while businesses are
keen to consume identity services, in terms of becoming “relying parties”, there remains the problem of
determining when you can trust the registration process of the identity provider. Closely associated with
this is the lack of a legal liability model that is acceptable to both sides in the identity services market.
These factors make it difficult to establish a business and financial case for becoming an identity provider.
A business case for both identity providers and relying parties depends on generating excitement for the
service from potential personal users. Privacy is a core issue. It is essential to win the trust of users as
well as relying parties. The business case depends on each enrolled individual making frequent use of
their identity services, both to ensure that identity providers’ assets are well used and that the relying
party’s online business increases. Ease of use of an identity providing service is essential to generate
increased use of web services and increased conversion of browsing enquiries into e-commerce sales. It,
in turn, depends on familiarity and frequent use, creating a potential “Catch-22” situation.
Commercial models
One size does not fit all needs in identity services. People may trust Google Apps, but Google ID still
lacks cross-enterprise credibility. The field today is largely government regulated and emphasizes
privacy. The need for identity services to support transactions is currently
limited, but this will change in future; public/private sector interoperability is
the next step.
Today, Internet identity services are largely government-subsidized, ad-
funded, or simply driven by enthusiasm. None of these will extend to
providing universal services. Users are reluctant to pay for online services
of any kind, therefore the long-term business model must be funded by the
relying parties.
The enterprise is a natural identity provider in the business context. It could
provide services on the Internet, but the attributes required for business
and consumer activities are different, and social use of a business identity
would implicitly expose who the subject works for, while businesses baulk
at the potential impact on their brand of association with uncontrolled
private use of their service.
Below is an overview of the characteristics of some existing e-ID services, particularly in Europe:
• CardSpace is user-centric. The user establishes an identity by self-registration or by leveraging an
existing identity from another identity provider. Transactions will require identity cards that satisfy
certain criteria to be used. There is not yet any business model for building on CardSpace. It is quite
difficult to set up.
• Google Apps work in the Web 2.0, cloud computing and software as a service (SaaS) domains.
Again, identities are self-asserted or imported from other identity providers. Google Apps provides
transaction authentication and authorization (OpenID and SAML-based), financed by advertising.
Google promotes its use. Google policy governs privacy, and Google does not accept any liability
for errors, so it does not recommend the service for high-value transactions. However, the service
is widely used in the education sector in the Netherlands.
• OpenID is mostly used in the Web 2.0 domain. Users self-register and identity is based on domain
name servers. It is used for transaction authentication and profiling. Its business model is based on
its low cost and its ability to increase website business. It offers limited privacy and trust.
• SURFfederatie is a Dutch universities scheme for the education domain. It reuses local user
registration and provides transaction authentication and authorization. Its business model is that of
a subsidized service. Privacy and trust are regulated through the existing practices of the education
sector.
• DigiD is used for government services for citizens in the Netherlands, with registration carried out by
local authorities. It is used for transaction authentication. Its business model is government subsidy,
and its identities are typically used only a few times per year for each citizen. Privacy and trust levels
are government controlled.
• BankID is a Swedish service used in the government and private sectors. Banks handle user
registration. It is used for transaction authentication, digital signing, and mobile e-identity. The
business model is to target massive use over a wide range of transactions. Privacy and trust are
regulated by the bank sector.
• The Estonian e-ID card is used for government services and trusted transactions, including the
digital signing of documents. Registration is carried out by local governments. The business model
targets a large range of transactions, combining a small user fee with a larger service provider fee.
The privacy and trust policy is regulated and run by a public/private consortium.
Assurance versus privacy
The process used by identity providers to establish confidence in a subject’s identity involves an activity
known as “identity consolidation”. This brings all the available information it
can gather about a data subject into one place. There are clearly risks if this
central repository is breached.
An identity provider becomes a “single point of failure” from a privacy
perspective, as both personal information and the user’s Internet behavior
history are concentrated in a single location. This issue will require
particular attention.
“Minimal disclosure” is a means of distributing a set of claims under the user’s control, blanking out
information in an identity certificate that is not relevant for the transaction that it is to be used for. Under
this scheme, the identity provider provides a credential to the identity subject, who controls its
rationalization to exclude unnecessary information. The technical challenge is to provide a way in which
this can be done without breaking the digital signing of the credential. Microsoft’s U-Prove has achieved
this (see the chapter on U-Prove below for more details). It has the advantage of eliminating
unnecessary proliferation of personal information across the Internet, and that the identity claims
providers do not know how the claim will be used.
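As an added illustration of the minimal-disclosure idea (this is not U-Prove's own protocol, which uses blinded tokens so that the issuer cannot link presentations, and it is not code from Microsoft or from this report), the following Python sketch shows the simpler salted-hash-commitment approach: the identity provider signs a digest over one commitment per attribute, the subject forwards only the attributes the relying party needs, and the issuer's signature still verifies because it covers the commitments rather than the plaintext attributes. The issuer key, the attribute names and the use of an HMAC as a stand-in for the issuer's digital signature are all constructed assumptions.

```python
"""Minimal disclosure with salted-hash commitments (constructed illustration).

Not U-Prove, Microsoft, or Ovum code. The issuer signs a digest over one
commitment per attribute; the holder forwards only the attributes a relying
party needs, and the issuer's signature still verifies because the signed
digest covers the commitments, not the plaintext attributes.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Set

# Assumption: an HMAC under the issuer's key stands in for the issuer's
# digital signature so that the example runs with the standard library only.
ISSUER_KEY = b"issuer-signing-key-CONSTRUCTED"


def commitment(salt: str, name: str, value: str) -> str:
    """Commit to one attribute. The random salt stops a relying party from
    recovering a hidden value (for example a date of birth) by guessing."""
    encoded = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def credential_digest(commitments: List[str]) -> bytes:
    """What the issuer actually signs: an ordered digest over all commitments."""
    return hashlib.sha256("\n".join(commitments).encode()).digest()


def issue(attributes: Dict[str, str], key: bytes = ISSUER_KEY) -> dict:
    """Identity provider: salt and commit each attribute, then sign the digest."""
    disclosures = [
        {"salt": secrets.token_hex(16), "name": name, "value": value}
        for name, value in attributes.items()
    ]
    commitments = [commitment(d["salt"], d["name"], d["value"]) for d in disclosures]
    signature = hmac.new(key, credential_digest(commitments), "sha256").hexdigest()
    return {"commitments": commitments, "disclosures": disclosures, "signature": signature}


def present(credential: dict, reveal: Set[str]) -> dict:
    """Identity subject: keep every commitment (the signature depends on them)
    but forward only the disclosures for the attributes being revealed."""
    return {
        "commitments": list(credential["commitments"]),
        "disclosures": [dict(d) for d in credential["disclosures"] if d["name"] in reveal],
        "signature": credential["signature"],
    }


def verify(presentation: dict, key: bytes = ISSUER_KEY) -> Optional[Dict[str, str]]:
    """Relying party: first check the issuer's signature over all commitments,
    then check that each revealed attribute opens one of those commitments.
    Returns the accepted attributes, or None if anything fails."""
    expected = hmac.new(key, credential_digest(presentation["commitments"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    accepted: Dict[str, str] = {}
    for d in presentation["disclosures"]:
        if commitment(d["salt"], d["name"], d["value"]) not in presentation["commitments"]:
            return None  # revealed value is not what the issuer certified
        accepted[d["name"]] = d["value"]
    return accepted


if __name__ == "__main__":
    cred = issue({"name": "A. Example", "date_of_birth": "1990-01-01", "over_18": "true"})
    # Only the age claim reaches the relying party; name and date of birth stay hidden.
    print(verify(present(cred, {"over_18"})))
```

The caveat a practitioner should note: because every presentation carries the full set of commitments, the issuer (and colluding relying parties) can link presentations of the same credential. That linkability is exactly what U-Prove's cryptography is designed to remove, so this example demonstrates the subject's control over disclosure, not unlinkability.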
Banking regulations
Online banks want to move from access control based on user ID and password but are wary of
customer resistance. Currently they have to do some authentication in house to satisfy regulatory
requirements, so many think it is simpler to do all of the access control task in house than to split the
task with an external identity provider. This is slowing the growth in Internet identity services, as banking
could be a “killer application” driving the sector.
Identity brokers
There is another potential role in the identity services market: an e-identity broker to select a suitable
identity provider for a particular situation. Such players could stimulate competitiveness in an open market.
The brokers would have to be independent of the e-identity providers. When selecting an e-identity
provider for a particular purpose, the broker would need to classify each e-identity provider according to
its intended domain of use, how users register, how authentication works at the time a transaction is
performed, the business model of the service, and the privacy and trust policy of the identity provider.
4.5 Technology is being developed for internet identity
Open Identity Trust Framework
The OITF (Open Identity Trust Framework) is built on the principle of openness, and affords
transparency, accountability, and open competition. It consists of:
• A set of technical, operational, and legal requirements and enforcement mechanisms for parties
exchanging identity information.
• Oversight mechanisms to look after these requirements and mechanisms to support the flow of
information among users, identity service providers and relying parties.
The next step for the OITF is to look at governance, accountability, and what market structure is likely
to emerge.
The Federal Identity, Accessing and Credential Management (ICAM) Trust Framework comprises
technical profiles for protocols (info cards, SAML 2.0, OAuth2 and WS-Fed), and policy comparability
(covering the trust framework provider adoption process). So far, three trust frameworks are embraced:
OpenID Exchange (OIX), Kantara, and InCommon. The ICAM Trust Framework is already working at
level one of the trust model. It is developing procedures for levels two and three.
OASIS ID Trust
OASIS standards are widely accepted and tested for interoperability. Identity claims mechanisms are
valuable for preserving privacy and limiting the flow of personal information
to the minimum required by a relying party. Commercial off-the-shelf
software such as Microsoft Active Directory Federation Services (ADFS)
supports OASIS identity claims mechanisms.
The ID Trust member section promotes standards-based identity and trust
infrastructure technologies, policies, and practices. CA and Red Hat are on
the steering committee, with many major vendors in the membership, such as EMC, GSA, HP, IBM, and
Microsoft.
Claims are statements made by one subject about another subject. No information needs to be held
within the claims service – it just has to handle the workflow between the identity provider and the
relying party. There is a need for a claims API, a claims service, and an identity selector that can allow
the user to be part of the process by selecting how claims about them are
to be satisfied. Cloud service providers are starting to support the model,
but it is important to use widely accepted standards such as OASIS to avoid
proprietary lock-in to a particular service.
U-Prove
U-Prove is a Microsoft technology that allows users to build electronic
tokens for specific transactions. X.509 certificates use two unique identifiers:
a public key and the Certification Authority signature of this public key. The
identity provider provides attributes in signed form. U-Prove is designed
with “privacy built in”. It allows users to black out attributes that they do not want to forward, without
wrecking the entire certificate signature. The relying party’s public key is hidden from the identity
provider; however, token attributes can be placed in an “attribute” field in the certificate.
U-Prove is published as an extension to CardSpace and Windows Identity Framework. Microsoft has
open-sourced the crypto software development kits (SDKs). U-Prove provides:
• anonymized and pseudo-anonymized identity;
• full identification;
• accountability;
• minimized identity disclosure;
• user control over information disclosure;
• strong authentication;
• resistance to phishing attacks;
• efficient hardware protocols.
It is based on technology that Microsoft acquired with Credentica, and is currently available for trial
online. There is also the option to add a smartcard in the end-user device to protect against spyware.
U-Prove still needs to go through the standards process (NIST or ISO), but a European standardization
process is already under way and is expected to take three years. The Microsoft standards team is
working in parallel with the European effort.
National ID cards and mobile phone SIM cards
There are many authentication tokens in circulation, including national ID
cards and mobile ID (namely SIM cards). Both need a smart card reader to
connect to a PC.
Mobile-phone-based identity services have only limited value. There is a
high churn rate for mobile phones, making the ongoing cost of managing
devices high. The process surrounding the sale of a mobile phone does not
generate high levels of identity assurance.
Combining PKI and IAM
While there is potential value in connecting digital certificate issuance and access management, there
are also counterarguments for keeping them separate.
PKI comprises components, processes, and policies to manage digital certificates. PKI could profit by
enrolling people based on the registration process already done by an identity provider, and
automatically adopting any changes in this identity database. PKI could then issue certificates to
servers used by the identity subject. PKI brings encryption and non-repudiation capability to support
online transactions. Vendors that have adopted this combined view include:
• Entrust.
• Microsoft, which has linked its Identity Integration Server with its Certificate Lifecycle Manager in its
Forefront Identity Manager.
• Cryptovision, which integrates with Novell identity management products, and also has prototype
integrations with IBM products. User data are not passed to the Certification Authority.
However, there are no standards for connecting identity management and PKI, and security may be
reduced by the integration. FIPS certification of products is difficult without a clear separation of
functions, and users risk becoming locked into proprietary technology. RSA Security is also moving
away from combining authentication and digital certificates.
Orange ID selector
Orange has a history of working as an identity provider:
• 2007: Orange externalizes Orange identity in OpenID.
• 2008: Orange opens its service to external identities.
• Second quarter of 2010: Orange allows users to use any identity.
Orange manages more than 100 million identity accounts across seven countries. SSO is provided
through Liberty Alliance (Kantara) specifications. Network parameters are used implicitly in identification
and authentication. Over 185 services are federated to the identity platform covering web portal
services, widgets, desktop applications, VoIP, IPTV, WAP, and mobile applications, and Livebox home
gateway applications.
The majority (90%) of Orange users avoid the need to enter usernames and passwords by using device
recognition. The service doubled the usage of Orange communication services when it was introduced
in France.
The relying party wants a diversity of identity providers, but the user wants to use the same provider as
much as possible. The identity provider wants to play a role in as large a range of transactions as
possible. Orange ID Selector is a new tool in the authentication scheme. It is an agent that reconciles
these views, and maintains a direct business relationship between the identity provider and the relying
party. The user sees a single interface from which to select an identity. It is designed to be easy for a
relying party to integrate with their system.
4.6 Recommendations
Recommendations for enterprises
Both standards and technology are being developed for Internet user identity services. These are
mainly of interest for communicating and transacting with people that have a shallow but financially or
contractually significant relationship with a provider; for example, they are more relevant for
communicating with customers than with employees. When these services are more developed, they
will be attractive for relying parties, both in terms of cost and identity assurance. You must expect to pay
for a dependable service, but the cost should be less than maintaining a proprietary registration,
identification, and authentication regime. Take care to ensure that the business model, including the
liability model, suits your business relationship. Also, be wary of mixing business and personal identities
too closely. Business identities, with the attributes appropriate for business relationships, are unlikely to
be adequately supported by public services. Identity federation across business partners is a better
approach for corporate collaboration scenarios.
Recommendations for vendors
The identity services business cannot have a viable future without a universal basis for identity
classification, assurance, authentication and registration. An auditing framework will be needed to
maintain these standards. These standards are now emerging and all service providers should adhere
to the common standards to maximize interoperability between service providers.
The “single point of failure” issue is a serious risk to the credibility of the sector. Suppliers must ensure
that the theoretical risks of concentrating identity information (including online behavior records) in a
single location do not become real risks. As well as maintaining the highest standards of security,
auditing, and staff vetting, they should minimize the amount of information they hold, and distribute it
around their organization as much as possible.
The business model for the supply side is still far from clear, and this will determine the speed with
which identity services develop. The role of the US government in the market will be crucial for
stimulating the market, and Ovum anticipates that its impact will ripple out across the Internet into other
countries. Other governments are likely to follow its lead, although individually, their impact will be
limited. User familiarity with services at the lower levels of identity assurance will help to stimulate the
market for higher value services.
CHAPTER 5:
Federated identity
5.1 Summary
Catalyst
The role of federated identity management (FIM) is to provide functional and secure operational
environments where users of one business domain can seamlessly access the systems and
information of another. In business-to-business (B2B) relationships, the goal is to achieve these
objectives without having to stitch together separate identity management systems. The larger
requirement for federation extends beyond pure B2B relationships and takes into account the
needs of all consumer groups.
Ovum view
For systems users who struggle to maintain an ever-growing number of online identities in their
business and private lives, the availability of effective FIM cannot come soon enough. The headlines
suggest that federation services support business efficiency, can deliver inter-company collaboration,
and provide cost and efficiency savings by supplying the tools required to build connectivity between
consenting organizations. It sounds too good to be true and, unfortunately for the vast majority of
businesses and information users, that remains the case.
Five years ago, the hype cycle was at its height. Most leading identity and
access management (IAM) vendors were giving the deployment of
federated identity solutions a high priority. They saw federation as a wide-
ranging opportunity to extend the scope of common IAM services such as
single sign-on (SSO) and user provisioning beyond corporate boundaries.
After all, some of the required standards through OASIS with Security
Assertion Markup Language (SAML) were already in place, and supporting
work from the respected Liberty Alliance was moving forward at a good
pace.
In the intervening years, progress has been slower than expected. Many of the reasons are familiar
across IT: systems complexity, large technology overheads, and unacceptably high project costs. On
top of this, a financial downturn has forced most organizations to cut back on new IT projects, and
there are complex relationship and ownership issues specific to FIM.
Not all federation projects have been put on hold. There are a number of
good examples of successful FIM deployments, especially in the financial
services, healthcare, and government sectors. Importantly, all of these are
sectors that do not engage with new technology until operational benefits have
been proved to a high degree of certainty. The operational advantages of
providing federated access to business information systems are not in
doubt. What still needs to be addressed, if take-up rates are to improve, are
cost justification issues and project complexity objections.
Ovum recognizes that business demand for FIM remains, but further
changes to the way that IAM services are delivered will be required to make
federation projects more attractive. Also, taking into account the time that
has already elapsed, the FIM value proposition is at a crossroads. Very large investments have been
made by IAM vendors to ensure its success, and interest from public and private sector organizations
remains. Therefore, significant progress now needs to be made.
Key messages
• Organizations can benefit from using a federated approach to identity management.
• Drawing up clear rules of engagement is important.
• Making better use of standards is the way forward.
• Take-up has been slower than expected – higher levels of B2B usage are required.
5.2 Organizations can benefit from using a federated approach to identity management
Federation offers advantages and convenience to enterprises and users
Organizations continue to look for innovative and effective ways to deliver their services. The
automation of operational systems together with the ability to collaborate and share vital information
with business partners is one important way of achieving those objectives.
The use of technology allows businesses to run lean and efficient supply systems. To support this
approach, organizations rely on all required components being available at the optimum time. Having
full visibility of stock levels, product delivery dates and new pricing tariffs, among others, even when that
information is the property of a partner organization, adds real value to decision-making processes.
The operational requirement is for secure open access to shared business
systems to be assured for authorized users, and for accurate information to
be made available whenever it is needed. Within the IAM product portfolio,
FIM technology is used to help deliver collaborative services to groups that
wish to share business information using common access and
authentication approaches.
FIM technology can be used to create local as well as global interoperability between online businesses
and trading partners using agreed identity management approaches. Utilizing an SSO approach, it
allows users to move between business systems of their own organization and beyond corporate
boundaries to access third-party systems.
Sharing information resources is not a new concept
The concept of federation is not new. Organizations have always shared process information using a
variety of approaches, governments authenticate their citizens to travel
across borders using passports, and banks and retailers accept credit and
debit cards as proof that the owner has the right to purchase goods across
all suppliers that accept the credential.
The advantages that federation provides add process, operability, and control
to the interactions between organizations and their users. Setup and usage
needs to be based on business requirements, regulatory controls and
technology-driven agreements that allow companies to interoperate based on shared identity management.
To prove effective, the advantages to the organizations involved should include a lowering of overall
identity management costs and operational efficiency improvements through the use of extended SSO
facilities, which also helps to deliver a better user experience for all.
In order to provide secure service delivery and information access, the FIM methodology leverages
secure identity portability by simplifying administration across business boundaries. The approach has
to have the ability to operate using common and agreed rules, access policies, and authentication that
fulfills the operational requirements of each partner in the relationship.
For federated identity management to be effective, partners must share a sense of mutual trust
The success of any federated identity project relies on two things: a bond
of trust existing between the parties involved, and technology controls to
ensure that trust is maintained. Organizations that agree to share
information must put in place processes that control who the authorized
users are, what type of authentication will be required to allow access, and
how those controls will be maintained.
The trust element remains important because each organization relies on
its partner to maintain standards, control their users, and ensure that
provisioned access rights are kept up to date. The issues that need to be
addressed involve information security, regulatory compliance, and audit
requirements. Trust between the parties involved forms the foundation of
their operational relationship, but realistically, more contractually binding
legal ties between the parties involved will normally be part of any formal
agreement.
Authentication data can be passed across secure domains to business partners, enabling SSO to
extend beyond organizational boundaries
FIM is not itself an SSO client, server, or application, and does not deliver SSO in its own right.
However, through integration with IAM and the use of standards-based approaches such as SAML, it
achieves common user access across participating domains.
Using a standards-based approach, FIM enables a user’s authenticated identity in one domain to be
accepted for access to resources in another without the need for re-authentication. Delivering extended
SSO controls provides operational efficiency savings that are valuable to users and participating
organizations. The additional ability to keep user and usage definitions up to date dynamically, without
further intervention, also helps to make federation a justifiable investment when the primary advantages
are aligned with the shared operational goals of the businesses involved.
Real-time communications technology allows business processes to be directly integrated across
system and business boundaries, while security considerations dictate that good-quality identity-based
access controls must be in place to protect business assets from compromise.
Security should not hold back the sharing of inter-company information flows
It is not acceptable in today’s online trading climate for security to be seen as putting up unnecessary
barriers, especially if those barriers cause operational performance to suffer.
It is clear that the security elements of IAM that control which users are allowed to have access to
information sources must be retained and strengthened within federated relationships. Nevertheless, a
balance that allows operational efficiency alongside levels of systems and information protection that
all parties can agree on needs to be set.
CHAPTER 5: FEDERATED IDENTITY
63
5.3 Drawing up clear rules of engagement is important
Trust is a vital component of successful federated relationships
As discussed earlier, among the core requirements of identity federation is the need to set up trust
relationships between participating organizations. At the very beginning of a project, clear rules of
engagement need to be drawn up and, dependent upon the relationships involved and any associated
regulatory issues, agreements may well need to be legally enforceable.
This is important because identities defined within one organization in a federated relationship are going
to be accepted by the other as valid and therefore trusted. As such, a strong business foundation to the
relationship must exist before things can go forward.
FIM supports loosely coupled through to legally binding relationships
Gaining a full and agreed understanding of the way that a particular relationship is going to operate is
essential. For example, it is crucial to know how the relationship will be aligned between the parties
involved. Will it be federated as a genuinely collaborative, loosely coupled,
many-to-many FIM environment, where the circle of trust is an evolving
environment that is flexible and open and can be added to as the need
arises? Or, will it be on a more fixed footing, where relationships need to be
controlled by a set of formally defined processes that involve fixed access
rules and usage policies?
There are also other options, such as one dominant player owning and
dictating how a relationship will operate. This could reasonably be
described as a master-to-slave environment, where one principal takes
responsibility for defining, owning, and controlling how relationship services
will operate, with other group members being expected to comply.
When deciding how FIM relationships will operate and what controls are needed to deliver the service
successfully, as a minimum, the following issues should be taken into account:
• Which organization owns and controls the relationship?
• Will this be an open or closed project?
• What type and range of collaborative interactions will be involved?
• How will the project be managed and how will management changes be controlled?
• In either open or controlled FIM projects, how will new organizations joining an existing group be
added, and how should they be treated?
• How will the issue of individual organizations leaving a relationship be handled and what controls
need to be applied to make this a safe process?
• What happens when the relationship comes to an end? Can it be easily wound up and what issues
need addressing when it is?
Federation brings B2B relationships up to date
The use of federation based on shared identities and SSO controls brings
inter-company alliances up to date. When extending business
collaborations beyond straightforward one-to-one relationships, FIM also
provides the opportunity for more complex associations – often known as
“circles of trust” – to be set up.
As shown in simple diagrammatic form below, connected circles of trust can be defined to support a
variety of federated business relationships. For users and their organizations, each approach supports
SSO pass-through at the point of assertion between each participating organization.
IDENTITY AND ACCESS MANAGEMENT 2011/12
64
Governing entity approach – the collaborative model
As shown in Figure 5.3.1, a group of founders (the governing entity) forms a management relationship
that establishes the rules and policy controls for ongoing membership that govern how a federated
identity group operates. This could be seen as a complex approach to collaboration, as each member
has approval rights, but it can also offer flexibility and control when determining the ability for members
to leave and new members to be admitted into the group.
Figure 5.3.1: Governing entity approach (diagram label: Governing entity). Source: Liberty Alliance (Kantara)
Founder approach – the consortium model
A fixed number of founders (the consortium) form an association using an agreed multi-party contract that
sets the rules that govern the relationship. Control stays with the founding members. As shown in Figure
5.3.2, this is a form of FIM that operates effectively in closed environments. However, the approach appears
to have restricted flexibility when looking at break-up requirements or the addition of new members.
Figure 5.3.2: Founder approach (diagram label: Multi-party Contract). Source: Liberty Alliance (Kantara)
Single founder approach – centralized model
As shown in Figure 5.3.3, a single founder sets the rules of engagement for membership to the group
that it controls. From its position of strength, the owner agrees new federated relationships with other
group members on the terms that it controls and chooses to make available.
Organizations also profit when consumers are able to reap the benefits of a federated SSO culture
FIM is not restrictive, and its use is not constrained to B2B interactions. Business-to-consumer (B2C)
relationships, where the consumer is a customer or citizen, can provide substantial benefits if common
user credentials that are acceptable to one public or private sector domain can also be accepted by one
or more partner organizations.
In whatever environment it is used, a federated identity represents a single
resource that can be used to access multiple applications or websites that
are grouped together by the ties of federation. As is the case in business,
without FIM, users are required to manage different credentials for every
application or website they use.
Consumers are further disadvantaged
In our private lives, multiple passwords and access codes are just as difficult to maintain as they are in
B2B relationships. In fact, due to irregular use and fragmented relationships between user and service
provider, the lack of control is more likely to lead to identities being compromised and to identity theft.
FIM builds on a trust relationship between organizations and their users. Federated identity makes it
possible for consumers to use this same trust relationship to access information with other related
organizations without needing new credentials.
This is an area of identity federation that is currently being discussed by commercial organizations and
governments, with both the public and private sector recognizing the potential value that could be
gained.
Figure 5.3.3: Single founder approach (diagram label: Founder). Source: Liberty Alliance (Kantara)
For private users, making federation work as securely as possible is extremely important. In this
context, trust remains a key issue. Standards organizations and commercial suppliers have developed
architectures and tools to encourage federated identity, but as yet, they
have failed to adequately address the trust issues.
Microsoft's .NET Passport was an early example of a supposedly trusted source that would provide a
common and secure set of user credentials, and the open standards developed by the Liberty Alliance
were also prominent at the time. Perhaps because of Passport's proprietary nature, or more likely
because of a lack of trust, these early consumer-facing approaches did not gain wide adoption.
OpenID is addressing some of the early adopter issues for public and private identity usage
OpenID is currently the main contender for consumer-facing federation. It is a decentralized SSO
authentication system for the Internet whose objective is to let users log on to websites using a single
identity. To do so, a user first obtains an OpenID identifier from an OpenID provider; AOL users, for
example, can use their existing identities because AOL acts as a provider. There are over a quarter of
a billion OpenIDs in existence, and well over 10,000 websites that accept them.
OpenID is at the early adopter stage, but as usage matures it is likely to become more commercially
attractive as a trusted identity provider service. Important operational and security issues still need to
be resolved, notably Domain Name System (DNS) spoofing: a relying party discovers the user's
provider by resolving and fetching the identifier URL, so unless discovery and the provider's endpoints
are reached over HTTPS, a spoofed DNS answer can steer the login to an impostor provider. Closer
alignment with SAML would also be advantageous.
5.4 Making better use of standards is the way forward
Standards organizations are developing architectures and tools to encourage federated identity
The successful delivery of federated identity across the shared domains of business partners relies on SSO
that can be used with different infrastructures and a common and acceptably secure authentication
approach. A common approach is required because it has to be acceptable to all parties that allow access
to their systems and secure enough to satisfy each organization’s risk profile and compliance requirements.
Because of its consistent approach, SSO is the key enabling technology for
the delivery of FIM and is the point at which the development of federated
identity standards begins.
If organizations wish to access the information systems of their business
partners or share the content of their own information systems with
authorized parties, there is a compelling argument to have in place
standards that will allow singly sourced user access across all domains.
Furthermore, the requirement should be capable of evolving beyond individual project collaborations,
taking in a standards-based approach to SSO that can be accepted by every organization that chooses
to participate. This is the rationale for the various circle of trust approaches discussed above.
The demand for a consistent set of standards that will allow organizations to participate in federated
relationships with business partners has existed for several years. Some progress has been made,
albeit initially vendor-driven and grouped around existing alliances between interested identity
management and web access security groups such as OASIS, Liberty, and WS-I.
OASIS and Liberty provided the lead in developing standards for federated identity
SAML is the driving force
SAML is the mature XML-based standard defined by OASIS. It is now at version 2.0 (following 1.0 and
1.1) and supports the management and use of identities that need to be portable across organizational
boundaries and between separate websites. It is designed to support secure B2B and B2C transactions.
Trusted assertions are a key concept in SAML. They represent a claim that
is made when an identity wants to access something such as a website or
application, and undertake a task. Importantly, at the point of access,
assertions can be challenged and within the common rules of a federated relationship, found to be
acceptable or not.
To achieve these objectives, SAML specifies four components: assertions, protocols, bindings, and
(from v2.0) profiles. An assertion can carry three kinds of statement: authentication, attribute, and
authorization decision. An authentication statement records that, when, and how the issuer
authenticated the subject; an attribute statement carries specific information about the subject; and an
authorization decision statement records what the subject is permitted to do on a named resource.
Protocols define how a party asks for and receives assertions, bindings define how those messages are
carried over transports such as SOAP and HTTP (the HTTP Redirect, POST, and Artifact bindings), and
profiles such as Web Browser SSO fix how the pieces are combined for a given use case. Hence the
direct association with federated identity.
One of the core strengths of SAML is that it is transport-independent: the standardized bindings cover
hypertext transfer protocol (HTTP) and SOAP, and assertions can also be carried over simple mail
transfer protocol (SMTP) or file transfer protocol (FTP), or inside other message frameworks such as
BizTalk and electronic business XML (ebXML), where a federation agrees to do so.
Liberty adds solidarity and consistency
Not always as swiftly as business organizations would have liked, but solidly and consistently, the
Liberty Alliance has worked to improve the way that identity management has developed. Its strategic
approach has allowed the Liberty Alliance to focus attention on current and emerging issues in identity.
The special interest structure of the organization has enabled the development of expert groups that
focus on specific areas, producing output for public consumption including technical specifications,
white papers and policy guidelines.
The areas covered by Liberty special interest groups include vertical and horizontal identity
management issues such as healthcare identity management, e-government, identity assurance,
identity theft, and federated identity.
Liberty was formed by a consortium of mainstream technology vendors and end-user organizations.
The early work undertaken by its special interest group for FIM focused on its associations with OASIS
and on defining, improving, and extending its own standards and how these would work with SAML.
Now operating under the Kantara umbrella (from mid-2009, Liberty transitioned its responsibilities to the
Kantara Initiative), the ongoing requirement is to tighten its SAML definitions and add value by
incorporating specific web services security standards that are supported by major players, including
IBM and Microsoft.
Through the achievements of various Liberty Alliance special interest groups, frameworks that address
federation, identity assurance, identity governance and identity web services have been developed and
released. Conflicting issues remain and still need to be addressed, but for a period of almost a decade,
Liberty took overall responsibility for developing usable standards for FIM.
Liberty promoted ID-FF, ID-WSF, ID-WSF DST and ID-SIS
FIM was an early driver behind the formation of the Liberty Alliance in 2001. Its approach to the
development of standards recognizes the importance of collaboration,
trust, and agreement within B2B relationships and the need for common
identity convergence. Liberty's FIM group contributed the final version of its
identity federation framework (ID-FF) 1.2 specifications to OASIS, where they
were folded into SAML 2.0 (ratified in 2005), some years before the 2009
handover from Liberty to Kantara.
ID-FF 1.2 contains the core requirements that allow for the creation of a
standardized, multi-vendor identity federation network. The group also
confirmed support for SAML 2.0 in its identity web services framework
(ID-WSF 2.0), thereby completing the stack from federation down to
deployment-level web services.
The importance of the FIM standards work that Liberty has undertaken
since its inception cannot be overstated, and can be better understood by detailing the respective roles
of its core initiatives:
ID-FF
The Identity federation framework supports the sharing of an entity’s identity between domains to
facilitate SSO between consenting parties in a federated relationship. It
specifies the requirements for using a common authentication approach
across multiple sites within an organization, and can also be used to extend
collaborative relationships across third-party domains using open
standards.
A federated network identity can be defined as the linked combination of a
user's separate identities and credentials (passwords, software and hardware
tokens) and the other attributes known to the organizations that have agreed
to provide collaborative services. Liberty's ID-FF architecture describes a
schema intended to give each identity holder common and consistent control,
better privacy, and fewer requests to reconfirm their credentials.
ID-WSF
The identity web services framework provides a set of specifications that
support and promote the use of secure web services. ID-WSF was
developed as part of Liberty’s phase two specifications which added to the earlier ID-FF release. As has
already been identified, ID-FF focuses on federating the user’s authentication and SSO, whereas ID-
WSF defines specifications for web services in a federated environment.
Among the key issues addressed by ID-WSF specifications is that of maintaining a federated
environment for establishing trust between all participating entities without the need to reveal a
participating user’s identity. The diagram in Figure 5.4.1, provided by the Liberty Alliance, illustrates the
relationship between entities in such an environment and adds a practical structure to the conceptual
circle of trust diagrams shown earlier in the paper.
Both ID-FF and ID-WSF separate the roles of service provider and identity provider. These need not be
different organizations, but in the identity provider role an organization performs the initial
authentication and vouches for the user to the service provider. For this to work, the service providers
in the relationship must trust that identity provider.
ID-WSF DST
The identity web services framework, data services template (ID-WSF-DST) framework specifies the
data layer that can be extended by any instance of a data service.
An example of a data service could be an online corporate directory. When a user needs to contact a
colleague, they can conduct a search based on the individual’s name and other known elements of their
corporate identity. The data service returns information associated with that individual.
Information provided could include office location, contact number, job title, and department. ID-WSF-
DST provides the data model and the required message interfaces. Figure 5.4.2 illustrates how an
access manager built on the Liberty framework uses ID-WSF-DST for data services.
The web services framework in such an access manager uses ID-WSF-DST to build data services. The
Liberty personal profile service (PPS) and employee profile service (EPS) were developed on top of the
web services framework in this way, and end-user organizations can develop additional data services
using the same template.
Figure 5.4.1: Relationships within a circle of trust. Source: Liberty Alliance (Kantara). The diagram
shows four roles inside the circle of trust: the principal (customer, employee, game user, ...); the
service provider (web content, games, merchant site, ...); the identity provider (authentication,
federation, discovery service, personal profile, ...); and the identity-based web service provider
(geolocation, payment, ...).
ID-SIS
The Liberty identity service interface specification (ID-SIS) operates with ID-WSF and ID-FF to provide
networked identity services, such as contacts, presence detection, and directory services, that depend
on the consistent use of a network identity.
The SIS component contains two relevant specifications. Firstly, ID-SIS personal profile (ID-SIS PP),
which is a web-service-based offering. It provides user profile information such as name, identity, and
contact information. It can also contain contact numbers, email details and other information such as
employment and public key details. The second component, ID-SIS employee profile (ID-SIS EP), is a
web service that provides basic employee profile information using the same structure as the ID-SIS
PP approach.
Figure 5.4.2: Liberty identity web services, data services template framework. Source: Liberty Alliance
(Kantara). The diagram layers Liberty ID-SIS data services (the Liberty personal profile service) over
the Liberty web services framework (discovery service, SOAP binding) and the Liberty ID-WSF data
services template specification.
The role of the Liberty Alliance has transitioned to Kantara and OASIS, and other interest groups are co-operating
The future of federated identity standards is transitioning from being under the control of a number of
disconnected groups that for many years had gone their own way. Some progress is being made toward
a position where these groups are working together to collaborate on common areas of interest.
OASIS with SAML, and Kantara (formerly the Liberty Alliance) with its federated identity interest group
work, are becoming increasingly integrated in their approaches. Of late, there has also been a closing
of the gap between the WS-Federation and the rest. However, nervousness remains that future
developments may not continue in the same direction and there will remain a need for the suppliers of
IAM- and FIM-based technology solutions to continue to incorporate the contributions from all major
standards authorities.
5.5 Recommendations
Recommendations for enterprises
The use of good-quality FIM technology allows business organizations to run lean and efficient supply
systems.
Organizations continue to look for innovative and effective ways to deliver their services. The
automation of operational systems and the ability to collaborate and share information using FIM is one
way of achieving these objectives.
FIM technology can be used to create local as well as global interoperability between online businesses
and trading partners using agreed identity management approaches.
Recommendations for vendors
Competing vendors and end-user organizations have taken too long to agree on unifying IAM and FIM
standards. Better and more effective answers are still needed.
Vendors continue to give the deployment of federated identity solutions a high priority, but must address
the fundamental cost and complexity issues that are slowing down take-up.
To address business resistance to FIM, vendors need to work towards developing federation
technology that can sit alongside their existing identity management SSO and provisioning deployments
as an easier-to-use and simpler-to-deploy package.
CHAPTER 6:
Technology comparison
6.1 Summary
Catalyst
To provide a comprehensive analysis of the competitive landscape in the identity and access
management (IAM) market, Ovum has developed its IAM Decision Matrix. This report explores
the competitive dynamics within the IAM market and helps businesses select a vendor based on
technology strength, impact in the market, and reputation among customers. Ovum provides a
complete view of vendor capabilities and advises on those you should explore, consider, and
shortlist.
Ovum view
The core elements of the IAM market are considered to be mature. However, vendor investment and
innovation carries on as the leading vendors continue to acquire additional technology and extend the
scope of the market. Several software conglomerates dominate the IAM sector and over the last three
years, the number of specialists has declined. However, a number of smaller best-of-breed players
remain to serve specific niche areas, such as strong authentication, provisioning services, and
privileged user controls. Ovum believes that there is the potential for some of these specialist vendors
to compete and grow their market share.
Key messages
The following trends summarize the competitive dynamics of the IAM market:
• CA, IBM, Novell and Oracle provide the most extensive technology solutions, and as such, dominate
the sector.
• Competition between the leading players is strong, especially in highly regulated verticals such as
financial services, healthcare, and government.
• Although vendors prefer to talk about large-scale, enterprise-wide deployments, the majority of IAM
implementations remain at a strategic level.
• Microsoft has achieved good penetration in the small to medium enterprise markets.
• RSA remains the dominant player in enterprise authentication.
• Entrust, Evidian, and Hitachi represent the smaller IAM vendors, but should be seriously considered
because of the impressive nature of their respective IAM suites.
• BMC does not have a technology audit in this report because its IAM strategy has changed. It now
markets its IAM product as a component of its Business Service Management (BSM) offering.
CHAPTER 6: TECHNOLOGY COMPARISON
75
6.2 IAM Features Matrix
Features Matrix methodology
Through a combination of one-to-one interviews, product evaluation, and deep background research,
Ovum analysts have compiled a comparative product analysis and comprehensive features matrix
across nine major IAM categories:
• Authentication technology covers specific areas such as the provision of strong authentication,
biometrics, token-based solutions, smartcard authentication, support for mobile devices, and the
ability to support physical and logical authentication using a single approach.
• Enterprise and web single sign-on (SSO) breaks down into SSO capabilities to cover the key areas
of enterprise SSO and web SSO.
• User provisioning and role management deals with the requirements to set up, maintain, and
ultimately remove services from individuals and user groups, and also covers the need for role-based
management services.
• Password management takes into account core identity management services that cover areas such
as password frequency change controls, content controls, structure controls, and the automatic
generation of system controlled passwords.
• Access control covers key IAM capabilities such as centrally controlled access management, policy-
and rules-driven controls, administrator rights, and the ability to reduce and control specific
administrator capabilities, including the segregation of duties.
• Federated identity management (FIM) deals with the control of inter-company and third-party
relationships covering issues such as support for members of a federated circle of trust, contact
relationships with partners, and the provision of support for local policy controls as users move
across third-party facilities.
• Administration and policy management covers both central and locally controlled and delegated
administration responsibilities.
• Infrastructure supported covers a wide variety of areas, including directories, operating systems,
application platforms, web servers, and communications protocols.
• Standards and authorities. A wide range of appropriate authorities and standards such as Kantara
(formerly the Liberty Alliance), Security Assertion Markup Language (SAML) and a whole host of
others are compared.
Features Matrix
AUTHENTICATION TECHNOLOGY (vendors CA, Entrust, Evidian, Hitachi, IBM)
Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess & TransactionGuard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products.
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

CA      Entrust Evidian Hitachi IBM     Feature
Authentication capabilities supported:
O       Y       Y       Y       Y       Two-factor authentication
A       Y       Y       A       Y       Token-based authentication
A       O       Y       A       A       Smartcard authentication
A       Y       O       Y       A       Mobile and smartphone based device authentication
A       A       Y       Y       A       Physical and logical authentication from a single approach or device
Y       Y       Y       Y       Y       Use of variable authentication levels depending on the actions that the user wishes to perform
Authentication types and secure access channels owned and delivered as part of the core IAM solution:
Y       Y       Y       Y       Y       Fixed passwords
Y       Y       Y       Y       Y       One-time generated passwords
Y       Y       Y       Y       A       Smartcard authentication
Y       A       Y       Y       A       Biometrics
Y       Y       N       N       Y       Mutual grid authentication (serial number and location reply)
Y       Y       N       N       Y       Mutual site validation (site validates unique response back to user)
Y       Y       N       Y       Y       TAN and paper-based transaction authentication
Y       Y       N       N       Y       Machine authentication (user pre-registered machines)
Y       Y       N       Y       Y       Scratch cards
Y       Y       Y       Y       Y       Certificates X.509
N       N       N       N       Y       GrIDsure authentication
Y       Y       Y       Y       Y       Knowledge-based authentication (previously registered responses)
Y       Y       Y       Y       O       Other important authentication forms supported: risk-based
AUTHENTICATION TECHNOLOGY (vendors Microsoft, Novell, Oracle, RSA)
Columns: Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite, Release 11g; RSA = RSA (The Security Division of EMC) Identity & Access Management.
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.

Microsoft Novell  Oracle  RSA     Feature
Authentication capabilities supported:
Y         Y       Y       Y       Two-factor authentication
Y         Y       A       Y       Token-based authentication
Y         Y       A       Y       Smartcard authentication
A         Y       A       Y       Mobile and smartphone based device authentication
A         Y       A       N       Physical and logical authentication from a single approach or device
Y         Y       Y       Y       Use of variable authentication levels depending on the actions that the user wishes to perform
Authentication types and secure access channels owned and delivered as part of the core IAM solution:
Y         Y       Y       Y       Fixed passwords
Y         Y       Y       Y       One-time generated passwords
Y         Y       A       Y       Smartcard authentication
O         Y       A       A       Biometrics
N         Y       N       Y       Mutual grid authentication (serial number and location reply)
N         Y       Y       Y       Mutual site validation (site validates unique response back to user)
N         Y       N       N       TAN and paper-based transaction authentication
Y         Y       Y       Y       Machine authentication (user pre-registered machines)
A         Y       A       N       Scratch cards
Y         Y       Y       Y       Certificates X.509
A         N       N       N       GrIDsure authentication
Y         Y       Y       Y       Knowledge-based authentication (previously registered responses)
O         N       Y       Y       Other important authentication forms supported: risk-based
CHAPTER 6: TECHNOLOGY COMPARISON
79
ENTERPRISE AND WEB SINGLE SIGN-ON (SSO)
FOR ENTERPRISE SSO USAGE

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Provide Support for: | | | | | | | | | |
| Centrally managed SSO services | Y | A | Y | Y | Y | Y | Y | Y | N |
| Distributed and locally delegated SSO services | Y | A | Y | Y | Y | Y | Y | Y | N |
| Desktop and laptop SSO access | Y | A | Y | Y | Y | Y | Y | O | N |
| Employee access | Y | A | Y | Y | Y | Y | Y | Y | N |
| Fixed term access with automated de-provisioning (e.g. contractor access) | Y | A | Y | Y | Y | Y | Y | Y | N |
| Customer access | Y | A | Y | N | Y | Y | Y | Y | N |
| Partner organization access | Y | A | N | N | Y | Y | Y | Y | N |
| Provide Facilities across: | | | | | | | | | |
| Trusted internal networks | Y | A | Y | Y | Y | Y | Y | Y | N |
| Trusted external enterprise networks | Y | A | Y | Y | Y | Y | Y | Y | N |
| Trusted partner networks | Y | A | Y | Y | Y | Y | Y | Y | N |
| Authorised B2B networks | Y | A | Y | Y | Y | Y | Y | Y | N |
| Support for application level SSO | N | A | N | Y | Y | Y | Y | Y | N |
| Support for mobile sessions across different workstations (e.g. healthcare workers) | N | A | N | N | Y | Y | Y | O | N |
| Security facilities available: | | | | | | | | | |
| Provision of Encrypted Directory Protection | Y | A | Y | N | Y | Y | Y | Y | N |
| Secure login services – use of secure login scripts | Y | A | Y | Y | Y | Y | Y | Y | N |
| Minimum SSO standards – use of two-factor Authentication | Y | A | Y | N | Y | Y | Y | Y | N |
| Logoff warning settings | Y | A | Y | N | Y | Y | Y | Y | N |
| Individual user or group time settings | Y | A | Y | N | Y | Y | Y | Y | N |
| Automated terminal locks based on the use of proximity cards | Y | A | N | N | Y | A | N | N | N |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
ENTERPRISE AND WEB SINGLE SIGN-ON (SSO) (continued)
FOR WEB SSO USAGE

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Provide Support for: | | | | | | | | | |
| Web-based employee access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Business partner access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Known customer/client access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Unknown customer access | Y | N | Y | A | Y | Y | Y | Y | Y |
| Centrally managed SSO services | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Distributed and locally controlled SSO services | Y | Y | Y | A | Y | Y | Y | Y | Y |
| SAML | Y | Y | Y | A | Y | Y | Y | Y | Y |
| WS Federation | Y | N | A | A | Y | Y | Y | Y | Y |
| Provides extended Support for: | | | | | | | | | |
| Software as a Service (SaaS) environments | Y | Y | Y | A | Y | Y | A | Y | Y |
| Outsourced services | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Out-of-the-box Integration with other third-party Access Management systems | N | Y | Y | A | Y | Y | N | Y | Y |
| Two factor authentication | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Tokens that carry user identity information | Y | Y | Y | A | Y | Y | N | Y | Y |
| Working within Web services environments | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Security facilities available: | | | | | | | | | |
| Secure login services – use of secure login scripts | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Logoff warning settings | Y | Y | Y | A | Y | Y | Y | Y | Y |
| The creation and use of security certificates | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Operate as a WS-Trust Security Token Service | N | N | A | A | Y | Y | Y | Y | Y |
| Allow the importation and creation of user/partner security certificates | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Accept and support automatic notifications when user/partner security certificates are about to expire | Y | Y | A | A | Y | Y | Y | Y | Y |
| Controlling user access to web services through the corporate SSO infrastructure | Y | Y | A | A | Y | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Provisioning facilities provided: | | | | | | | | | |
| Provisioning Rules Engine | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Centrally managed, administrator controlled provisioning and de-provisioning services | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Delegated and locally managed provisioning services | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Permission-based, self-service provisioning facilities | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Organization defined provisioning workflows | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Provisioning Services: | | | | | | | | | |
| Setup and management of master and associated directories | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated set up of users based on predefined job, role, work group templates | Y | A | Y | Y | Y | Y | Y | Y | A |
| Role-based user access rights | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Rule-based user access rights | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Unique individual access rights | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Provisioning based on previously available access rights | N | Y | N | Y | Y | Y | Y | Y | A |
| Group and departmental user provisioning | Y | A | Y | Y | Y | Y | Y | Y | A |
| Third party user access accounts | Y | A | Y | Y | Y | Y | Y | Y | A |
| Resolution of access rights between people with the same user id | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automatic links to HR information for records update | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated links to the creation of user mailboxes | Y | A | Y | Y | Y | Y | Y | Y | A |
| Merger of access rights from different identity management systems (e.g. following acquisitions) | Y | A | Y | Y | A | Y | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Provisioning facilities provided (continued): | | | | | | | | | |
| Automated workflow for authorising and processing user resource access requests | Y | A | Y | Y | Y | Y | Y | Y | A |
| Incorporate the control of access to cloud services into the enterprise provisioning process | Y | N | A | Y | A | Y | Y | Y | A |
| Ensuring that only users registered in the enterprise directory can use cloud services | Y | N | N | Y | Y | Y | Y | Y | A |
| De-provisioning Services: | | | | | | | | | |
| Managed (policy-based) de-provisioning services | Y | A | Y | Y | Y | Y | Y | Y | A |
| Removal of redundant master and associated directories | Y | A | N | Y | Y | Y | Y | Y | A |
| Removal of redundant job/role templates | Y | A | N | Y | Y | Y | Y | Y | A |
| Removal of redundant departmental access rights | Y | A | N | Y | Y | Y | Y | Y | A |
| Removal of selected individual users and all associated access links | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Removal of selected individual account rights from a user | Y | A | Y | Y | Y | Y | Y | Y | A |
| Control over the de-provisioning of third-party users | Y | A | Y | Y | Y | Y | Y | Y | A |
| Rules-based automated de-provisioning/account disablement facilities | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated user de-provisioning due to expired usage periods | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated de-provisioning of specific entitlements due to expired usage periods | Y | A | Y | Y | Y | Y | Y | Y | A |
| User de-provisioned using HR leavers list | Y | A | Y | Y | Y | Y | Y | Y | A |
| De-provisioning of associated user mailboxes for leavers | Y | A | Y | Y | Y | Y | Y | Y | A |
| Automated user de-provisioning as a response to suspect activities | Y | A | A | A | Y | O | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
USER PROVISIONING (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| De-provisioning Services (continued): | | | | | | | | | |
| Automated update links to company archiving facilities | N | A | Y | Y | Y | O | Y | Y | A |
| Automated de-provisioning from SaaS, PaaS, and IaaS services | Y | A | Y | Y | A | Y | Y | Y | A |
| Incorporate the removal of access to cloud services into the enterprise de-provisioning process | Y | N | A | Y | Y | Y | Y | Y | A |
| Reporting and Alerting Facilities: | | | | | | | | | |
| Reporting (alerts, e-mails, or reports) when new user access rights are created | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Reporting when user/account changes occur | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Reporting when de-provisioning activity takes place | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Generation of full audit trail reporting maintained to support change management | Y | Y | Y | Y | Y | O | Y | Y | A |
| Provision of customized reporting facilities | Y | Y | Y | A | Y | Y | Y | Y | A |
| Provision of: | | | | | | | | | |
| Systems activity reports | Y | Y | Y | Y | Y | O | Y | Y | Y |
| Dormant account reports | Y | A | Y | Y | Y | O | Y | Y | A |
| Failed access reports | Y | Y | Y | Y | Y | O | Y | Y | Y |
| Policy-based reporting | Y | A | Y | Y | Y | O | Y | Y | Y |
| Policy-based management reporting for administrators | Y | A | Y | Y | Y | O | Y | Y | Y |
| Regular management reporting | Y | A | Y | Y | Y | O | Y | Y | Y |
| Policy-based management alerts | Y | A | Y | Y | Y | Y | Y | Y | Y |
| Workflow Facilities: | | | | | | | | | |
| Is workflow provided as a core component of the provisioning solution | O | Y | Y | Y | Y | Y | Y | Y | A |
| Can workflow activity be pre-configured and automated | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Does the workflow system support real-time owner interactions | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Can external and third-party workflow be imported | Y | A | Y | Y | Y | Y | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Password Management: | | | | | | | | | |
| Provision of password frequency change controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provision of password structure controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Automatic generation of system controlled passwords | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provision of frequency change controls for user security questions | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control over password reuse | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control over password reset policy | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provision of password encryption facilities | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Special management facilities to control and identify privileged users | Y | N | N | Y | Y | Y | N | Y | N |
| Self-service Capabilities Supported: | | | | | | | | | |
| Generation of new user and associated passwords | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Set up of passwords for additional systems resources | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| The reset of lost and forgotten passwords | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Generation of rules-based random passwords | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Scheduled password changes | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Unscheduled password changes | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Test password/confirmation facility prior to change | Y | Y | Y | Y | Y | O | Y | Y | Y |
| Modification of user security questions | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Locking and unlocking of user accounts | Y | Y | Y | Y | Y | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Security Features: | | | | | | | | | |
| Alerts/confirmations sent when passwords change | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Alerts sent when maximum failed access attempts exceeded | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Alerts sent when access timeouts exceeded | Y | Y | N | Y | Y | Y | Y | Y | Y |
| Alerts sent to user prior to password expiry | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Automatic Alerts for administrators on dormant accounts | Y | Y | N | Y | Y | Y | Y | Y | Y |
| Report information generated when password details change | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Report information generated when password anomalies occur | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Audit trail information generated when password details change | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Full Audit trail information generated on all password actions | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Automatic lock out when access rules are breached | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Hardened HSM black box protection | Y | Y | Y | A | N | Y | N | Y | Y |
| Workflow: | | | | | | | | | |
| Can workflow be used to provide across system synchronisation when passwords change | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Is workflow a core component of the password management solution | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Can workflow activity be pre-configured and automated | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Does the workflow system support real-time owner interactions | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Is external and third-party workflow supported | Y | Y | Y | Y | Y | Y | Y | Y | A |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
PASSWORD MANAGEMENT (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Workflow (continued): | | | | | | | | | |
| Can workflow provide across enterprise automated password update capabilities | Y | Y | Y | Y | Y | Y | Y | Y | A |
| Can workflow be used to deliver across enterprise systems pass-through capabilities | Y | Y | Y | Y | Y | Y | Y | Y | A |

ACCESS CONTROL

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Do the Range of Access Control facilities supported include: | | | | | | | | | |
| Server-based access controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Centrally controlled Access Management – central console management | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Policy-driven user access controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Blocking of anonymous privileged user access | Y | N | N | Y | Y | O | N | A | Y |
| Audit and reporting of privileged user actions | Y | N | Y | Y | Y | Y | N | Y | N |
| Controls to reduce specific administrator rights | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| The ability to enforce segregation of administrator duties | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Controls to delegate limited administrator rights down to local administrators | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Controls to regulate systems and database manager access privileges | Y | N | A | Y | Y | Y | Y | Y | N |
| Identity-based access to web services | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Legacy application access | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control over web browser access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Control over portal access | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Status controls over end-user devices (AV patch management status, etc.) | N | N | N | A | N | Y | Y | N | N |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
ACCESS CONTROL (continued)

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Do the Range of Access Control facilities supported include (continued): | | | | | | | | | |
| Fully federated access control capabilities for external users | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Combined physical and logical access control | N | N | Y | Y | Y | A | Y | Y | N |
| Access controls to virtual machines and stored VM images | Y | N | N | Y | Y | Y | Y | N | N |
| Supports IBM RACF (Resource Access Control Facility) | Y | Y | Y | Y | Y | A | Y | O | A |
| Supports CA-ACF2 (eTrust) | Y | N | N | Y | Y | A | Y | O | N |
| Supports CA TopSecret | Y | N | N | Y | Y | A | Y | O | N |
| Support for Policy-based Controls Over Users and Systems: | | | | | | | | | |
| Individual access controls at system login | Y | Y | Y | Y | Y | Y | Y | Y | N |
| Regulated access controls for systems resources – systems, processes, and programs | Y | Y | Y | Y | Y | Y | Y | Y | N |
| Time-based access controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| User location based access controls | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control over local policies for access control lists | Y | Y | Y | A | Y | Y | Y | Y | N |
| Control over local policies for user accounts | Y | Y | Y | A | Y | Y | Y | Y | N |
| Control over systems policies | Y | Y | Y | A | Y | Y | Y | Y | N |
| Control over web server policy | N | Y | Y | A | Y | Y | Y | Y | Y |
| Control over application policy | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Support for a hierarchical approach to the distribution of policy updates | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Support for the automated distribution of new and updated access control policies | Y | Y | Y | A | Y | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
FEDERATED IDENTITY MANAGEMENT

Columns: CA = CA Identity and Access Management Suite; Entrust = Entrust IdentityGuard, GetAccess, & Transaction Guard; Evidian = Evidian IAM Suite (version 8); Hitachi = Hitachi-ID Portfolio; IBM = IBM Tivoli Identity and Access Management Products; Microsoft = Microsoft Forefront Identity Manager 2010 and Associated Products; Novell = Novell Identity Manager 4 Advanced Edition; Oracle = Oracle Identity and Access Management Suite – Release 11g; RSA = RSA (The Security Division of EMC) – RSA Identity & Access Management.

| Feature | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Federated services include: | | | | | | | | | |
| The facilities to support federated network identity | Y | Y | Y | A | Y | Y | Y | Y | Y |
| The provision of open SSO facilities that support decentralised authentication | Y | Y | Y | A | Y | Y | Y | Y | Y |
| The provision of open SSO facilities that support authorisations from multiple providers | Y | Y | N | A | Y | Y | Y | Y | Y |
| The provision of SSO support for members of a federated Identity management group | Y | Y | Y | A | Y | Y | Y | Y | Y |
| The provision of SSO support for members of a federated circle of trust | Y | Y | Y | A | Y | N | Y | Y | Y |
| Support for direct user contact with a third-party services provider that can then be passed through to other third-parties | Y | N | Y | A | Y | Y | Y | Y | Y |
| The provision of support for local policy controls as users move across third-party web facilities | Y | N | Y | A | Y | Y | Y | Y | Y |
| Service provider interaction/notification when federated relationships change | Y | Y | A | A | Y | Y | Y | Y | Y |
| The provision of notifications to other third-parties when user accounts are terminated by the identity provider | Y | Y | A | A | Y | Y | Y | Y | Y |
| The provision of up-to-date lists of authorised users to other third-parties in a federated relationship | Y | Y | A | A | Y | Y | N | Y | Y |
| The provision of fully anonymous or temporary anonymous identities | Y | Y | A | A | Y | N | Y | Y | Y |
| Support for open navigation between identity providers (click-through, favourites, bookmarks, URL address bars, etc.) | Y | Y | Y | A | Y | Y | Y | Y | Y |

Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian – Evidian IAM Suite (version 8); Hitachi – Hitachi-ID Portfolio; IBM – IBM Tivoli Identity and Access Management Products; Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.
FEDERATED IDENTITY MANAGEMENT (continued)
| Federated services include (continued): | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Guarantee the confidentiality of information exchanged between identity providers | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Facilitating the mutual authentication of identities between service providers during SSO and authentication processes | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Support for set minimum authentication standards between parties | Y | N | Y | A | Y | Y | Y | Y | Y |
| Support for re-authentication where inter-party rules dictate that the requested action class requires it | Y | N | Y | A | Y | Y | Y | Y | Y |
| Enable the service provider to allow user authentication to come from a third-party identification provider | Y | Y | Y | A | Y | Y | Y | Y | Y |
| Support the use of a single logout protocol to close all sessions that are in use by a particular user | Y | Y | A | A | Y | Y | Y | Y | Y |
| Invoking support for different levels of authentication dependent on actions requested | Y | Y | Y | A | Y | Y | Y | Y | Y |
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian – Evidian IAM Suite (version 8); Hitachi – Hitachi-ID Portfolio; IBM – IBM Tivoli Identity and Access Management Products; Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.
ADMINISTRATION AND POLICY MANAGEMENT
| Administration and policy management | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Central and Locally Delegated Administration Controls: | | | | | | | | | |
| Centrally controlled administration management | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Delegated, locally controlled administration services | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Centrally controlled – master directory services | Y | Y | A | Y | Y | Y | Y | Y | Y |
| Delegated, locally controlled – distributed directory services | Y | N | A | Y | Y | Y | Y | Y | Y |
| Central security repository | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Administrator control over end-user machine status and location rules | Y | N | Y | Y | Y | Y | Y | Y | Y |
| Token Management: | | | | | | | | | |
| Control the addition of new token types | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Control the revocation of tokens | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Authorise the issue and reuse of tokens | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Audit Trail and Reporting Facilities: | | | | | | | | | |
| Provide user-level audit and reporting | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provide entitlement level audit and reporting | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provide administrator level audit and reporting | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provide management level audit and reporting | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Provide administrator level alerting services | Y | Y | A | Y | Y | Y | Y | Y | Y |
| Provide administrator level reporting on third-party and partner activity | Y | N | A | Y | Y | A | Y | Y | Y |
| Ability to configure reporting to fulfil specific business needs | Y | Y | Y | Y | Y | A | Y | N | Y |
| Report on privileged user access and usage | Y | N | A | Y | Y | Y | N | Y | N |
| Record the use of all cloud services in corporate activity logs | Y | N | A | Y | Y | N | Y | N | Y |
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian – Evidian IAM Suite (version 8); Hitachi – Hitachi-ID Portfolio; IBM – IBM Tivoli Identity and Access Management Products; Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.
INFRASTRUCTURE SUPPORTED
| Infrastructure supported | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Key LDAP directories supported: | | | | | | | | | |
| IBM | Y | N | Y | Y | Y | Y | Y | Y | Y |
| Microsoft Active Directory | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Open LDAP | Y | N | Y | Y | Y | O | Y | Y | N |
| Novell eDirectory | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Oracle | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Sun | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Other important LDAP directories supported | Y | Y | Y | N | Y | Y | N | Y | N |
| Secure Storage: | | | | | | | | | |
| Hardware Secure Module (HSM) | N | A | Y | N | Y | Y | Y | Y | Y |
| Database Platforms supported: | | | | | | | | | |
| IBM DB2 | Y | N | Y | Y | Y | Y | Y | Y | N |
| NCR Teradata | Y | N | N | Y | N | N | Y | Y | N |
| OpenLink Virtuoso | N | N | N | N | N | N | Y | Y | N |
| Oracle | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Microsoft SQL Server | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Sybase | Y | N | Y | Y | N | O | N | Y | Y |
| Other important database platforms supported | Y | N | Y | Y | Y | N | N | Y | N |
| Operating Systems supported: | | | | | | | | | |
| IBM AIX | Y | Y | Y | Y | Y | N | Y | Y | Y |
| IBM z/OS | Y | N | N | Y | Y | N | Y | N | Y |
| Sun Solaris | Y | Y | Y | Y | Y | N | Y | Y | Y |
| HP-UX | Y | Y | Y | Y | Y | N | Y | Y | Y |
| HP OpenVMS | Y | N | N | Y | N | N | Y | N | Y |
| HP Tru64 | Y | N | N | Y | Y | N | Y | Y | N |
| SuSE Linux | Y | Y | Y | Y | Y | N | Y | Y | Y |
| Red Hat Linux | Y | Y | Y | Y | Y | N | Y | Y | Y |
| Novell Netware and Open Enterprise Server | N | N | Y | Y | N | N | Y | N | N |
| Windows | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Other important operating systems supported | N | N | N | Y | Y | N | N | Y | N |
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian – Evidian IAM Suite (version 8); Hitachi – Hitachi-ID Portfolio; IBM – IBM Tivoli Identity and Access Management Products; Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.
INFRASTRUCTURE SUPPORTED (continued)
| Infrastructure supported (continued) | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Fully Integrated Application Platform support for: | | | | | | | | | |
| Oracle | Y | N | Y | Y | Y | Y | Y | Y | Y |
| SAP | Y | N | Y | Y | Y | Y | Y | Y | Y |
| Siebel | Y | N | N | Y | Y | O | Y | Y | Y |
| Peoplesoft | Y | N | N | Y | Y | O | Y | Y | Y |
| BEA | Y | Y | N | Y | Y | O | Y | Y | Y |
| Lawson | Y | N | N | Y | Y | O | Y | Y | Y |
| Microsoft | Y | N | Y | N | Y | Y | Y | Y | Y |
| QAD | N | N | N | N | N | O | Y | N | Y |
| Other important application platforms fully supported | Y | Y | N | Y | Y | N | N | Y | Y |
| SaaS services supported | Y | N | N | Y | N | N | N | Y | Y |
| Web Servers supported: | | | | | | | | | |
| Microsoft IIS | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Sun One Web Server | Y | Y | N | Y | Y | O | Y | Y | Y |
| Lotus Domino | Y | Y | N | Y | Y | Y | Y | Y | Y |
| IBM HTTP Server | Y | Y | N | Y | Y | O | Y | Y | Y |
| Oracle HTTP Server | Y | Y | N | Y | Y | N | Y | Y | Y |
| Domino Go | Y | N | Y | Y | Y | N | Y | Y | Y |
| Red Hat Apache | Y | Y | Y | Y | Y | O | Y | Y | Y |
| ASF Apache | Y | N | Y | Y | Y | A | N | Y | N |
| Other important web servers supported | N | N | N | N | N | N | N | N | N |
| Helpdesk Systems supported: | | | | | | | | | |
| BMC Remedy Service management | Y | N | N | Y | Y | O | Y | Y | N |
| Peregrine (HP) | Y | N | N | Y | N | N | Y | A | N |
| Epicor ITSM | Y | N | N | N | N | N | Y | A | N |
| FrontRange ITSM | Y | N | N | Y | N | N | Y | A | N |
| HP Open View Service Desk | Y | N | N | Y | N | N | Y | A | N |
| CA Unicenter Service Desk | Y | N | N | Y | N | N | Y | A | N |
| IBM Tivoli Service Request Manager | Y | N | N | Y | Y | N | N | A | N |
| Other helpdesk systems supported | N | N | N | Y | N | N | N | N | N |
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian – Evidian IAM Suite (version 8); Hitachi – Hitachi-ID Portfolio; IBM – IBM Tivoli Identity and Access Management Products; Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.
INFRASTRUCTURE SUPPORTED (continued)
| Infrastructure supported (continued) | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Architectures supported: | | | | | | | | | |
| ODBC | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| UDI | Y | N | N | N | N | N | Y | N | Y |
| JDBC | Y | Y | Y | N | Y | N | Y | Y | Y |
| ADL | N | N | N | N | N | N | Y | N | N |
| XAM | N | N | N | N | N | N | Y | N | N |
| AJAX | Y | N | Y | Y | Y | Y | Y | Y | Y |
| ECMA | N | N | N | Y | Y | N | Y | N | N |
| Other important architectures supported | Y | N | N | Y | N | N | N | Y | N |
| Web Access Control Facilities Supported: | | | | | | | | | |
| IBM – Tivoli Access Manager | N | N | N | Y | Y | Y | Y | Y | N |
| CA – Siteminder | Y | N | N | Y | Y | Y | Y | Y | N |
| Sun – Java System Access Manager | N | N | N | Y | Y | Y | Y | Y | N |
| RSA – ClearTrust | N | N | N | Y | Y | Y | Y | Y | Y |
| BMC Web Access Manager | N | N | N | N | Y | Y | Y | Y | N |
| Evidian Access Manager | N | N | Y | N | Y | Y | N | Y | N |
| Oracle Access Manager | N | N | N | Y | Y | Y | N | Y | N |
| HTTP protocol controls | Y | N | Y | Y | Y | Y | N | Y | Y |
| Use of proxy-based web agents | Y | N | Y | Y | Y | Y | N | Y | Y |
| Other important web access control facilities supported | Y | N | N | Y | N | N | N | Y | N |
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian – Evidian IAM Suite (version 8); Hitachi – Hitachi-ID Portfolio; IBM – IBM Tivoli Identity and Access Management Products; Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.
STANDARDS AND AUTHORITIES
| Standards and authorities | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Standards and Authorities Supported by the Solution Include: | | | | | | | | | |
| Kantara – Identity Assurance Framework | Y | Y | Y | N | Y | N | Y | Y | Y |
| SAFE (Identity Validation and Interoperability Federation) | Y | Y | N | Y | Y | N | Y | N | Y |
| ITIL (Information Technology Infrastructure Library) | Y | N | Y | Y | Y | Y | Y | Y | N |
| ITSM (IT Service Management) | Y | N | Y | Y | Y | Y | Y | N | N |
| ITSEC (Information Technology Security Evaluation Certification) | Y | Y | Y | N | Y | Y | Y | N | Y |
| Protocols Supported: | | | | | | | | | |
| SAML (Security Assertion Markup Language) | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Microsoft Information Card | Y | Y | N | Y | Y | Y | Y | Y | Y |
| WS Federation | Y | N | Y | Y | Y | Y | Y | Y | Y |
| WS-Security | Y | N | Y | Y | Y | Y | Y | Y | Y |
| RADIUS (Remote Authentication Dial-In User Service) | Y | N | Y | Y | Y | Y | Y | Y | Y |
| SASL (Simple Authentication and Security Layer protocol) | N | N | Y | N | Y | Y | Y | Y | Y |
| XACML – eXtensible Access Control Markup Language | N | Y | Y | N | Y | N | N | Y | Y |
| JAAS – Java Authentication and Authorisation Services | Y | N | Y | N | Y | N | Y | Y | Y |
| ID-FF – Identity Federation Framework | Y | N | Y | N | Y | N | Y | Y | Y |
| ID-WSF – Identity Web services Framework | N | N | Y | N | Y | N | Y | Y | Y |
| ID-SIS – Identity Service Interface Specification | N | N | Y | N | N | N | Y | Y | Y |
| Kerberos (secure authentication methodology) | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| FTP | A | N | N | Y | Y | Y | Y | Y | N |
| HTTP | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| SMTP | Y | N | N | Y | Y | Y | Y | Y | Y |
| WebDav | Y | N | N | N | Y | Y | Y | Y | N |
| SOAP | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Other important communication protocols supported | Y | N | N | Y | Y | N | N | N | N |
Key: Y = facilities are provided, N = facilities are not provided, O = provided by third party OEM, A = third party add on.
Columns: CA – CA Identity and Access Management Suite; Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard; Evidian – Evidian IAM Suite (version 8); Hitachi – Hitachi-ID Portfolio; IBM – IBM Tivoli Identity and Access Management Products; Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products; Novell – Novell Identity Manager 4 Advanced Edition; Oracle – Oracle Identity and Access Management Suite – Release 11g; RSA (The Security Division of EMC) – RSA Identity & Access Management.
STANDARDS AND AUTHORITIES (continued)
| Standards and authorities (continued) | CA | Entrust | Evidian | Hitachi | IBM | Microsoft | Novell | Oracle | RSA |
|---|---|---|---|---|---|---|---|---|---|
| Smart Card Standards supported: | | | | | | | | | |
| ISO7816 | N | N | Y | Y | A | N | Y | A | Y |
| ISO 14443 | N | N | Y | N | A | N | N | A | N |
| ISO 15693 | N | N | Y | N | A | N | N | A | N |
| PC/SC | N | Y | Y | Y | A | Y | Y | A | Y |
| FIPS-201 | Y | Y | Y | Y | A | N | Y | Y | Y |
| HSPD-12 | Y | Y | Y | Y | A | N | Y | Y | Y |
| Biometric Standards supported: | | | | | | | | | |
| BioAPI | N | N | Y | A | Y | N | Y | Y | N |
| BAPI | N | N | Y | A | N | N | N | A | N |
| X9.84 | N | N | Y | A | N | N | Y | A | N |
| CDSA/HRS | N | N | Y | A | N | N | N | A | N |
| ANSI/NIST ITL 2000 | N | N | Y | A | N | N | N | Y | N |
6.3 IAM Decision Matrix
The IAM Decision Matrix is a visual summary of the leading vendors and products in the IAM market
and of their capabilities, based on a quantitative assessment of their market impact and end-user
sentiment, as well as their functional reach and technical capabilities. Additionally, the IAM Decision
Matrix guides organizations looking to deploy IAM technologies to the vendors and solutions that they
should immediately shortlist, consider, or explore.
The following definitions are used for each of these recommendations:
• Shortlist – These vendors’ IAM products should be part of most organizations’ shortlists for IAM technology selection. This category includes the leading solutions, signifying that the vendor has established a commanding market position with a product that is widely accepted as best of breed.
• Consider – The vendors in this category have strong market positions and are selling and marketing their IAM solutions well. Their products offer competitive functionality and good price and performance, and should be considered as part of the technology selection process of most organizations.
• Explore – Solutions in this category have narrower applicability, and may have limitations in function or in the vendor’s ability to execute. However, they may still be the best choice to meet specific requirements and thus worth exploring as an organization develops its options.
[Figure 6.3.1: Identity and Access Management Decision Matrix. Source: Ovum. Bubble chart with Technology assessment (scale 1-10) on the horizontal axis and Sentiment (scale 1-10) on the vertical axis; bubble size represents market impact (Impact = 0 to Impact = 10). The chart is divided into Shortlist, Consider, and Explore regions and plots CA, Entrust, Evidian, Hitachi, IBM, Microsoft, Novell, Oracle, and RSA; vendors with insufficient end user feedback are marked as such.]
A successful IAM deployment is one that fully supports the organization’s overall identity management,
information access, business continuity, and regulatory compliance strategies. Therefore, a decision to
purchase one solution over another should be based on a broad array of factors including, but not
limited to, the degree of alignment between the solution’s features and functionality and the
organization’s specific objectives. As a result, organizations should consider Ovum’s recommendations
of shortlist, consider, and explore in the context of their specific business and solution requirements.
Within each category the vendor recommendations are listed in alphabetical order.
The leaders: CA, IBM, Novell, and Oracle
The four IAM majors have the highest scores in the technology dimension and have well-established,
mature products. They have the technology breadth and depth and services capabilities to be relevant
to the most complex IAM requirements at the largest enterprises. IBM has the highest customer
sentiment scores among the four vendors in the Shortlist category. In spite of its scale and the
transformational nature of the projects IBM handles, the company has an impressive execution record.
Through its Tivoli division IBM has a long presence in the identity-management sector, and has equally
well-established credentials in systems management.
From a technology and long-term usage standpoint CA is among the largest vendors in the IAM space; it has
one of the most comprehensive product portfolios, and has significant market presence across
all major industry sectors. Novell’s IAM approach retains a strong focus towards regulatory compliance.
Its product portfolio is relevant to all geographies, industry sectors, and enterprises of varying sizes. The
traditional heavy users of IAM, namely financial services, the public sector, healthcare, and
telecommunications, predictably form an important part of Novell’s installed base. Following the Sun
acquisition Oracle has brought together two IAM platforms that were both strong contenders in their
own right. It has done a good job of managing customer expectations after what was arguably the
largest IAM acquisition in the market to date. Oracle maintains a comprehensive IAM technology stack
that merits closer evaluation in most IAM selection processes.
All four vendors have a full suite of products and are successfully branching out into areas that are
adjacent to IAM and that Ovum believes will be increasingly relevant to IAM projects.
Figure 6.3.2: Identity and Access Management Decision Matrix (in alphabetical order). Source: Ovum
| Shortlist | Consider | Explore |
|---|---|---|
| CA | Evidian | Entrust |
| IBM | Hitachi | RSA |
| Novell | Microsoft | |
| Oracle | | |
Oracle and Sun Microsystems were both in the ‘Consider’ category in the 2008 edition of the IAM
Decision Matrix report. Collectively, the two vendors are now a formidable force and Oracle has moved
to the shortlist category. Oracle certainly has scale and broad-based recognition as an IAM vendor, and
the company has done a good job managing the inevitable concerns around its technology roadmap
following the Sun Microsystems acquisition. Specific guidelines around which product sets would be
strategic have been released, and existing users have been assured support for product lines that will
not be part of the strategic roadmap. To summarize, enterprises will not be forced to make difficult
decisions relating to the Oracle portfolio over the next few years.
Predictably, Oracle’s competitors launched a number of programs to benefit from the transition (such as
Novell announcing license-swap offers for Sun Microsystems’ IAM solutions). However, our research does
not indicate that their efforts have changed the market structure in any significant way. Oracle certainly has
one of the fullest IAM stacks now, and customers do not seem to have major concerns around the vendor’s
ability to manage the transition and the complex, overlapping set of offerings.
The challengers: Evidian, Hitachi, and Microsoft
These vendors are rated in the ‘consider’ category mainly because, although their IAM solutions are strong,
they don’t always match the depth, breadth, or resources provided by the ‘shortlist’ group.
Hitachi and Evidian are smaller vendors with impressive IAM suites. Hitachi-ID is a new entrant in the IAM
Decision Matrix, and the Canada-based IAM subsidiary of the Asia-Pacific giant has impressed with strong
customer sentiment scores. Hitachi-ID’s technology scores are also impressive. There is little reason to doubt
Hitachi’s strengths in most aspects of the IAM stack; however, it does not play in the web SSO and access
control parts of the IAM market.
Evidian’s technology scores are impressive as well, and not very far off from Microsoft’s. Evidian has moved
up from an ‘Explore’ rating in the 2008 edition of the IAM Decision Matrix to the ‘Consider’ rating, largely on
account of its technology scores. Evidian brings two key strengths to the table: a strong presence in Europe
(particularly in France and Germany) and a strong focus on the healthcare industry, a sector that has distinct
and often unmet IAM requirements.
Microsoft’s IAM offering can now be considered to be comprehensive; it notches up strong technology scores
that are close to the lower end of the ‘Shortlist’ category. The vendor’s new Forefront Identity Manager
offering incorporates many well-proven tenets of IAM technology (such as business user-driven attestations
and access-request approvals). The new release, together with the vendor’s renowned ability to build and
sustain partnerships, has led to an offering that is very competitive. Across all industries Microsoft is the most
recognized IAM vendor and is now a strong contender for a diverse range of IAM requirements.
The Prospects: Entrust and RSA
Entrust and RSA make up what Ovum calls the ‘explore’ category because their IAM offerings, although not
as deep or broad as others, have particular strong characteristics or functionality that will be a good fit for
organizations with specific needs or preferences.
Entrust, with its IdentityGuard, GetAccess, and TransactionGuard products, provides a good range of
identity management, risk-based authentication, access control, and real-time fraud detection facilities.
Its strength comes from an ability to build and deliver an integrated set of identity-driven protection
solutions that are relevant to the everyday business and operational needs of a wide-ranging group of
users. The company makes available a flexible range of single- and multi-factor authentication facilities
which allow organizations to put in place appropriate authentication facilities that balance operational
demands against business risk and regulatory compliance. Entrust enables organizations to build an
integrated identity-based approach to the management and control of user access.
RSA is the authentication market leader. It provides enterprise-class identity assurance products that address
risk and compliance issues that arise in highly regulated sectors such as finance, healthcare, telecoms, and
government. The company’s broad range of authentication services addresses all levels of secure access,
based on risk. Its range of authentication methods covers appliance, software, hosted (software-as-a-service,
SaaS), and on-premise operations. RSA provides an extensive range of IAM-based identity assurance
products and services which can be deployed to protect the operational systems and intellectual property of
public and private sector organizations. Its products are designed to minimize the risks associated with
inappropriate and unauthorized systems and account usage, and its protection services have been extended
to address fraudulent activity, accidental data leakage, and information and event monitoring.
6.4 Vendor Analysis
CA: Identity and Access Management Radars
CA is among the largest vendors in the IAM space, and its IAM portfolio is among the most comprehensive.
As such, its scores in the Market Impact and Technology dimensions reflect the vendor’s strengths. CA
scores well on most Technology attributes and has the highest-possible score, or close to the highest-
possible score, on Password Management, Enterprise and Web SSO, User Provisioning, Access Control,
and Federated Identity Management. The only Technology dimension in which CA’s score is less than
impressive is support for standards and authorities. In the Market Impact dimension, CA is among the top-
four vendors. However, for a vendor with an impressive market presence, CA does not score well on
Customer Sentiment, achieving less than average in most of our Customer Sentiment dimensions.
CA’s IAM portfolio comprises CA Siteminder, Federation Manager, SOA Security Manager, Access Control,
Role and Compliance Manager, Identity Manager, and Enterprise Log Manager, and the IAM portfolio is
currently in the r12 version. CA’s current IAM positioning focuses on “content-aware identity” with IAM and
DLP integration, IAM for virtualized environments, and cloud-delivered services (both IaaS and SaaS) also
incorporated into the IAM technology’s scope. GRC is another important aspect of CA’s IAM strategy. CA
has made a number of acquisitions in the IAM space in the last two to three years, and the acquisitions
reflect the vendor’s focus. In January 2009 the company acquired Orchestria, a DLP provider. In August
2010 it bought Arcot Technologies, a strong authentication and fraud prevention solution provider through
both on-premise installations and cloud-based infrastructure. This particular acquisition possibly also
signals CA’s expansion beyond the enterprise market and into the consumer-facing advanced authentication
market, a space where RSA is a formidable force.
[Figure 6.4.1: CA Identity and Access Management Radars. Source: Ovum. Three radar charts (scale 0-10) plotting CA against the maximum category score and the average across vendors. Technology radar axes: authentication technology, enterprise and web single sign-on, user provisioning, password management, access control, federated identity management, infrastructure supported, scalability, solution breadth and depth, solution maturity, administration and policy management, standards and authorities. User sentiment radar axes: product quality, portfolio depth, customer support, client engagement, service capabilities, financial stability, vertical specialization, service levels. Impact radar axes: revenue, revenue growth, recognition, vertical presence, regional presence, size-band presence.]
In mid-2010 CA made a major cloud-related announcement: the scope of its cloud offerings includes
provisioning and access management for Salesforce and Google Apps, and enables cloud providers to
secure their services and infrastructure. DLP and IAM integration are in their early stages, but Ovum
believes that CA is on the right path and agrees with its strategy of unifying these two hitherto (mostly)
disparate IAM streams.
Compliance is another focus area for CA. The company’s portfolio includes SIEM solutions integrated
with IAM solutions, and over the years CA has become an important IT GRC player as well. Overall, CA
is an acquisitive company and can be expected to be at the frontier of emerging requirements and
trends in the IAM market through both organic growth and acquisitions. The company has also been a
leader in all core areas of the IAM spectrum for a long time, and has filled critical gaps with acquisitions
whenever necessary. An example would be the 2008 acquisition of role management vendor Eurekify.
In the same year CA acquired IDFocus, a provider of SoD capabilities.
CA has significant presence across all major industry sectors, and its distribution across geographies
is reflective of the wider market, with North America its primary source of IAM revenues. Its IAM suite
has a distinct large-enterprise focus, with financial services among its most important sectors.
Recommendation: Shortlist
CA earns a “shortlist” rating primarily due to its high score in the Technology dimension. On a number
of technology fronts, particularly enterprise and web SSO (through the Siteminder product) CA defines
the best in class in the category. The vendor’s list of systems integrator partners is impressive, and the
nature of CA’s IAM portfolio evolution is in alignment with what Ovum believes is the way forward for
enterprises that have already made substantial investments in IAM. To summarize, CA is relevant to
IAM requirements of all flavors, from core-user provisioning rationalization to an enhanced state of
compliance, from employee-oriented requirements to large-scale consumer-facing requirements.
Entrust: Identity and Access Management Radars
[Figure 6.4.2: Entrust Identity and Access Management Radars. Source: Ovum. Two radar charts (scale 0-10) plotting Entrust against the maximum category score and the average across vendors. Technology radar axes: authentication technology, enterprise and web single sign-on, user provisioning, password management, access control, federated identity management, infrastructure supported, scalability, solution breadth and depth, solution maturity, administration and policy management, standards and authorities. Impact radar axes: revenue, revenue growth, recognition, vertical presence, regional presence, size-band presence.]
Entrust provides three IAM solutions: IdentityGuard, GetAccess, and TransactionGuard. A strong
contender in the authentication and fraud management space, Entrust notches up impressive scores
across the Authentication and Password Management dimensions, and reasonably good scores across
the Access Control and Federated Identity Management dimensions. Entrust is relatively small
compared with the IAM suite heavyweights, but still large in comparison with the IAM vendors on our
lists that have a primarily regional presence, and Entrust’s Market Impact scores (including the
Recognition scores) reflect that relative position. However, the company expects to notch impressive
growth in the near term. The SME market (under 1,000 employees) represents a larger percentage of
revenues than average. Financial services and the public sector are the most important sectors by a
significant margin.
For this Decision Matrix, Entrust was not rated by enough customers for Ovum to aggregate and present
statistically significant Customer Sentiment scores. However, Ovum’s ongoing research does indicate
(and as has been reported before) that Entrust’s high-quality customer support and partner services are
important differentiators for the vendor. Entrust enjoys a renewal rate of 90%, which in Ovum’s opinion is
truly impressive in a sector that has seen more than a few projects run over budget and more than a few
disillusioned customers.
Entrust’s strengths are its strong authentication, adaptive or risk-based authentication, and fraud
management capabilities, and its solution has proven scalability in consumer-facing environments.
Regulatory controls essential for its target industries (primarily government, financial services, healthcare,
and telecommunications) are another of Entrust’s strengths. Entrust plays in three different IAM scenarios:
addressing external consumer-facing IAM challenges for banks and the technologies relevant to this
market, including its fraud management solution, TransactionGuard; addressing citizen identity
management issues for government agencies; and addressing standard employee-centric IAM
challenges, primarily for large enterprises. Across each of these three scenarios, strong authentication and
adaptive authentication are on the list of Entrust’s key strengths. Entrust is planning for higher-than-
average industry growth figures. Its long-term growth prospects are particularly bright, given the increase
in e-governance projects and citizen services everywhere, particularly in the Asia-Pacific market.
On the strong authentication front, Entrust covers the whole gamut, from grid and machine (authentication
of a preregistered machine) to out-of-band authentication and one-time passwords routed to mobile
devices. Out-of-band authentication technology is a priority area for Entrust and an important part of the
vendor’s roadmap. In Ovum’s opinion, the range of, and control over, transaction information that can be part
of an Entrust-enabled out-of-band authentication event sets the vendor apart. This point also serves as a
testament to Entrust’s strength in its chosen niche (as does the vendor’s score in the “Authentication”
Technology dimension). Its three products, IdentityGuard, GetAccess, and TransactionGuard, work in
conjunction to ensure that access to enterprise resources is controlled by a comprehensive understanding
of the user and that the mode of authentication is appropriate for the risk level identified. IdentityGuard is the
risk-based authentication platform, and an important part of Entrust’s positioning (natural, given the
vendor’s target market) is the IdentityGuard solution’s ability to scale. GetAccess is the web access control
and web SSO solution. TransactionGuard is the real-time fraud detection solution (and naturally a lot more
relevant in the financial services scenario) and comprises Real Time Fraud Detection, FraudMart, and the
Open Fraud Intelligence Network.
For standard employee-oriented IAM challenges, Entrust conforms to all the prevailing notions of IAM
technology, including role-based access control, support for federation standards, workflows, and self-
service. And, of course, for the non-financial services and non-public sector entities, the case for Entrust
becomes particularly strong when there is a consumer-facing scenario.
Entrust’s positioning is focused on its adaptive authentication strengths and on the cost-effectiveness
implications of its technology. The overall positioning theme is in line with the standard current
IAM themes: quick ROI from enhanced self-service and the resultant reduction in helpdesk costs.
Entrust was acquired by the private equity firm Thoma Bravo in July 2009. In the last two years Thoma
Bravo has acquired security and IT infrastructure management provider LANDesk and IT security
solutions provider SonicWall. However, Thoma Bravo’s portfolio of investments in the enterprise IT sector
encompasses vendors from very different areas. The private equity firm counts a supply chain
management application provider (Manugistics) and a customer relationship management application
provider (Consona Corporation) among its software investments. Therefore, it seems unlikely that the
acquisition will affect Entrust’s customers in the foreseeable future.
Recommendation: Explore
A moderate Technology score earns Entrust an “Explore” rating. Entrust is a strong contender in a
number of large, growing, and tough IAM niches. Its less-than-average score across important pieces
of the IAM portfolio (including E-SSO, Web SSO, User Provisioning, Access Control, and Federated
Identity Management) has led us to assign this rating. However, IAM scenarios that involve customer-
facing applications and require strong authentication certainly call for a closer evaluation of Entrust’s
offerings.
IDENTITY AND ACCESS MANAGEMENT 2011/12
118
Evidian: Identity and Access Management Radars
[Radar charts, not reproduced. Legend: Evidian; Maximum category score; Average across vendors.
Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single
sign-on, Scalability, User provisioning, Solution breadth and depth, Password management, Solution
maturity, Access control, Administration and policy management, Federated identity management,
Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support,
Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels.
Impact radar axes: Revenue, Regional presence, Revenue growth, Size-band presence, Recognition,
Vertical presence. Scales run from 0 to 10.]
Figure 6.4.3: Evidian Identity and Access Management Radars. Source: Ovum
Although Evidian has a nearly full suite of IAM products, the vendor’s influence remains largely
restricted to its geographic niche, Europe. With an aggregate Technology score that is close to Microsoft
and right after the “Big Four” IAM suite providers, there can be little doubt that Evidian’s suite is
comprehensive. Evidian scores higher than average in a number of Technology dimensions, including
Enterprise and Web SSO, User Provisioning, Access Control, and support for standards and authorities.
The suite is found wanting across the Federated Identity Management and Infrastructure Supported
dimensions, particularly the latter. Evidian is a relatively small vendor, and client organizations outside
its geographic niche are much less likely to recognize it as a provider of IAM solutions. The vendor
expects higher-than-industry average growth, but its size limits its Market Impact score. In the Customer
Sentiment dimension, Evidian scores higher than average across the Client Engagement, Vertical
Specialization, and Customer Support dimensions. However, given its considerable focus on the
healthcare sector – healthcare is as important as financial services and rare among the vendors profiled
in this report – Ovum would have expected the vendor to register a higher score on customers’
perception of its “Vertical Specialization.” The EMEA region accounts for the bulk of Evidian’s business,
with the North American market registering a marginally higher contribution than the Asia-Pacific region.
This is an unusual geographic distribution for a leading IAM vendor. Another fact that points towards
Evidian’s status as a leading European IAM technology provider is the vendor’s partnership with
Microsoft, primarily in the European region (and for Evidian’s E-SSO product). Evidian partners with
Quest in North America and NEC in Asia-Pacific (most notably Japan).
Getting back to its industry focus, the public sector and telecommunications are important focus areas
in addition to financial services and healthcare. The company is working on industry-specific flavors of
its solutions and reports working on the “Evidian IAM Suite for healthcare,” which will include workflows
and provisioning connectors for typical healthcare environments.
With regard to market segments, most IAM suite vendors focus almost entirely on medium-sized to large
companies, and the sub-1,000-employee market (and even the sub-5,000 market) typically
accounts for a small percentage of revenues. The sub-5,000 market finds much greater representation
in the Evidian installed base compared with the other vendors profiled in this report. Although this could
be an unintended fallout of the vendor’s choice of sector – healthcare institutions in Europe tend to be
smaller than typical client organizations in other IAM technology-intensive sectors – Evidian’s portfolio
includes the “Ready-To-Go-SSO” edition (aimed at companies with 500–5,000 users), and the vendor
reports working on additional SME-focused packages.
The Evidian IAM Suite (Version 8) is a well-proven, mature product that supports all core areas of IAM,
including identity, access, and role management. The solution conforms to the modern tenets of IAM
management, such as strong authentication, role-based access management, audit-oriented
entitlements status reporting, and support for identity federation standards. Evidian’s positioning focuses
on the IAM basics: an integrated, organically developed product that is relatively easy to implement. To
summarize, Evidian is a perfectly competent IAM technology provider with strong geographic and sector
niches, but also a vendor that could significantly improve its presence across geographies.
Recommendation: Consider
Evidian has advanced on Ovum’s ranking from the “Explore” category in 2008’s Decision Matrix to the
“Consider” category. The vendor’s good scores in the Technology dimension (marginally lower than
Microsoft’s) and above-average Customer Sentiment score have led to its “Consider” rating. A strong
contender in Europe, Evidian merits closer evaluation by client organizations from that region. Also,
healthcare firms across regions would do well to take a closer look at Evidian’s offering, and the
vendor’s tailored offering for this sector is arguably more compelling than the Technology scores (which
are designed to be equally relevant to all sectors) seem to suggest. Overall, Evidian is a strong
contender that has carved a few very well-defined niches.
Hitachi-ID: Identity and Access Management Radars
[Radar charts, not reproduced. Legend: Hitachi; Maximum category score; Average across vendors.
Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single
sign-on, Scalability, User provisioning, Solution breadth and depth, Password management, Solution
maturity, Access control, Administration and policy management, Federated identity management,
Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support,
Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels.
Impact radar axes: Revenue, Regional presence, Revenue growth, Size-band presence, Recognition,
Vertical presence. Scales run from 0 to 10.]
Figure 6.4.4: Hitachi-ID Identity and Access Management Radars. Source: Ovum
This is the first time Hitachi-ID has been included in the Ovum Identity and Access Management
Decision Matrix, and the vendor has scored well on multiple fronts. The vendor in its present form began
life in 2008 with Hitachi’s acquisition of M-Tech, and operates as a subsidiary of the Asia-Pacific giant.
The Hitachi-ID portfolio is strong on many IAM Technology dimensions, including User Provisioning and
Password Management. The vendor does not focus on the web access management and web and
enterprise SSO markets. Hitachi-ID Customer Sentiment scores are exceptional, and it outscores more
than eight of the other vendors profiled in this Decision Matrix on six of the eight Customer Sentiment
dimensions. The fact that Hitachi-ID’s IAM portfolio is one of the few (nearly) full-suite products that
have been built entirely organically could have a role to play in the exceptional Customer Sentiment
scores. Hitachi-ID is small compared with the IAM behemoths and derives less than 10% of its revenues
from the Asia-Pacific market. It therefore seems unlikely that the vendor is leveraging the scale of the
parent company in the fullest possible way. Hitachi-ID’s strengths are undeniable, and Ovum believes
that the company could significantly expand its installed base.
One interesting aspect of Hitachi-ID’s IAM suite is its use of password synchronization for SSO, as opposed
to the traditional method in which the user authenticates to one system that then manages the credentials
for all other systems. Though not without its trade-offs, the password synchronization approach certainly
has the potential to reduce SSO complexities. The simplicity that password synchronization affords is part
of a broader Hitachi-ID theme, namely relatively low-cost IAM implementation. Low-cost implementation is
Hitachi-ID’s stated goal, and the company relies partly on a good range of preconfigured options for
implementation (such as preconfigured “most likely” workflows) and an impressive range of connectors
to target applications to realize its goal. Hitachi-ID is among the four top performers in the “Infrastructure
Supported” Technology dimension, which is highly unusual for an IAM vendor of its size. Only Novell,
CA, and IBM score higher than Hitachi-ID in this dimension, and none of the vendors of comparable
size score close to Hitachi. The IAM vendor’s role management capability set is comprehensive, and
support for cloud-delivered applications includes the now-mandatory set of SaaS applications, Google
Apps and Salesforce. Cloud and DLP are not a part of Hitachi’s branding, and the vendor’s core
message remains simplicity and low TCO. For most of its life, M-Tech Systems was relatively isolated and
focused on a customer demographic that did not have significant in-house IT talent and/or deep
systems integrator relationships, and this legacy is manifested in Hitachi-ID’s offerings.
Ovum believes that Hitachi-ID will continue to be valuable in deployment sites that are expanding the
scope of IAM from web access management and web SSO to a well-structured system for provisioning
and de-provisioning and password management. Hitachi’s offerings in the relatively smaller parts of
IAM, such as privileged user management, are impressive as well.
Recommendation: Consider
An impressive Customer Sentiment score and a Technology score that is just lower than the numbers
scored by the largest IAM vendors earn Hitachi a “Consider” rating. Hitachi’s Technology score is
marginally lower than Microsoft’s, which is impressive considering the Redmond-based giant’s range of
partnerships. The new entrant in the Decision Matrix has impressed on all fronts, and its positioning on
the Technology front is clear. Hitachi does not operate in the web SSO and Access Control markets,
preferring to rely on partnerships. Apart from these sub-markets the vendor has a full suite, and Ovum
believes the way forward for Hitachi is geographic expansion.
IBM: Identity and Access Management Radars
IBM is among the largest vendors in the IAM space, and its Market Impact scores reflect its status as
an identity and access behemoth. Scoring well across all three major dimensions, IBM registers the
highest Technology score, beating CA, Novell, and Oracle. IBM scores the highest or close to the
highest in our group of nine IAM vendors across most Technology dimensions, including Enterprise and
Web SSO, User Provisioning, Password Management, Access Control, Federated Identity
Management, and Infrastructure Supported. In terms of its market impact, IBM is predictably recognized
widely – IBM has one of the highest scores in the Recognition dimension – as an IAM suite provider
and has above-market-average growth plans. This is particularly impressive given the size of its IAM
business. In this research exercise the Customer Sentiment scores of the largest IAM vendors have
mostly been unimpressive, but IBM manages to beat this trend. Its Customer Sentiment scores are
above average in five of the eight Customer Sentiment dimensions.
IBM’s IAM suite comprises Tivoli Identity and Access Manager, Tivoli Identity and Access Assurance,
Tivoli Access Manager for Enterprise Single Sign-on, Tivoli Identity Manager, Tivoli Access Manager for
e-business, Tivoli Access Manager for Operating Systems, Tivoli Federated Identity Manager, Tivoli
Federated Identity Manager Business Gateway, Tivoli Unified Single Sign on, and Tivoli Directory
Server. As this long list suggests, the portfolio is comprehensive. IBM’s scope extends beyond the list
cited here into all areas adjacent to IAM, such as DLP, GRC, and SIEM.
The depth of IBM’s enterprise relationships allows security and service management concepts to be
brought into IAM projects to a greater degree than for other vendors with extensive IT infrastructure
management portfolios. (Naturally, the overlap is much more relevant to the professional services aspect
of implementation projects than to Technology integration.) This implies that IBM has few peers when an
enterprise faces truly transformational problems. On the same note, the compliance problem is not just
tackled by technology – incidentally, IBM recently acquired GRC vendor OpenPages – or by IBM’s
formidable professional services team, but also by partnerships, such as the crucial one with Deloitte.
Content and the quality of professional services are important aspects of GRC, and IBM is certainly
strong in these areas. Although GRC is not part of this report’s scope, this adds to Ovum’s stance that
IBM’s strength in the core IAM and adjacent areas makes it a truly formidable force when an enterprise
is faced with a multidimensional IAM challenge of significant scale. The counter argument to IBM’s
scale differentiator is the small-vendor argument that their products have strong integration capabilities
with configurations that are mapped well to market requirements. However, there are areas within IAM,
such as user provisioning, where the requirements span far beyond IAM technology elements, which
means a large global enterprise has few real alternatives other than a vendor whose expertise runs the
gamut from industry-specific regulations to building connectors to sector-specific applications. This is
not to say that IBM does not have IAM solutions for smaller organizations, but that IBM’s true
differentiator is its ability to handle large-scale problems through the size and scale of its professional
services division and by orchestrating the strengths of its partners.
[Radar charts, not reproduced. Legend: IBM; Maximum category score; Average across vendors.
Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single
sign-on, Scalability, User provisioning, Solution breadth and depth, Password management, Solution
maturity, Access control, Administration and policy management, Federated identity management,
Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support,
Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels.
Impact radar axes: Revenue, Regional presence, Revenue growth, Size-band presence, Recognition,
Vertical presence. Scales run from 0 to 10.]
Figure 6.4.5: IBM Identity and Access Management Radars. Source: Ovum
Recommendation: Shortlist
The highest Technology rating among the top-nine vendors in the IAM market and an above-average
Customer Sentiment score earns IBM a “shortlist” rating. Across all three dimensions, including the size
of the vendor’s IAM business and the high recognition its IAM business receives, it is clear that IBM is
at the top in the IAM market. Transformational IAM problems require a vendor with IBM’s diverse skill
sets and scale, and its position among the top IAM vendors reflects this.
Microsoft: Identity and Access Management Radars
[Radar charts, not reproduced. Legend: Microsoft; Maximum category score; Average across vendors.
Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single
sign-on, Scalability, User provisioning, Solution breadth and depth, Password management, Solution
maturity, Access control, Administration and policy management, Federated identity management,
Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support,
Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels.
Impact radar axes: Revenue, Regional presence, Revenue growth, Size-band presence, Recognition,
Vertical presence. Scales run from 0 to 10.]
Figure 6.4.6: Microsoft Identity and Access Management Radars. Source: Ovum
As would be expected of Microsoft in any enterprise IT market, the vendor’s products and role in the
sector are widely recognized and understood. Predictably, our research indicates that Microsoft’s IAM
market impact is impressive. In addition, Microsoft scores well on the Technology front, registering
impressive scores across the Enterprise and Web SSO, User Provisioning, Password Management,
Access Control, and Federated Identity Management dimensions. Even in the Customer Sentiment
dimension, Microsoft scores higher than average on Product Quality, Portfolio Depth, Service Levels,
and Client Engagement. Although certainly among the leading IAM vendors, Microsoft scores among
the lowest on the Infrastructure Supported dimension, limiting its applicability in non-Microsoft
environments.
Forefront Identity Manager 2010, the Windows Server 2008 R2 Active Directory, Active Directory
Federation Services 2.0, and Windows Identity Foundation are the key components of the Microsoft
IAM suite. Forefront Identity Manager (FIM) replaces Identity Lifecycle Manager 2007 and is aimed at
promoting self-service, integration with familiar Microsoft tools, and enhancing ease of use, which in
turn promotes business-user participation. FIM is the seat of policy management, certificate
management, and user management, and AD Federation Services enables authentication across
domains.
Microsoft partners with major web access management, user provisioning, and E-SSO providers such
as Hitachi-ID, Evidian, and Courion. Microsoft’s current IAM positioning is focused on its new and
improved FIM. Related solutions and areas such as cloud, SIEM, IT GRC, and DLP integration do not
seem to be a focus area (although the Redmond giant does have the capabilities for each in some form,
through partnerships, or both). FIM’s capabilities ease compliance and reduce helpdesk and IT
administration costs, and Microsoft is firmly in line with the prevailing industry notions of the evolution
of the IAM function. There is little to doubt Microsoft’s status as a full-blown IAM vendor, with a
Technology aggregate score that comes right after the IAM heavyweights, CA, IBM, Novell, and Oracle.
On a related note, Microsoft’s Customer Sentiment scores indicate that the need for tailored IAM
solutions by industry is very real. There are considerable differences in how the vendors have scored
in the “Vertical Specialization” Customer Sentiment dimension. Ovum believes the one industry that
requires a distinct sector focus is the healthcare sector, on account of the many sector-specific
applications and sometimes-unique user habits, and insight from vendors indicates varying degrees of
focus on the sector. In early 2010, Microsoft bought Sentillion, a provider of applications for the
healthcare sector. Sentillion’s portfolio includes SSO solutions, and Microsoft announced that the
company would consider how Sentillion’s IAM capabilities might work in conjunction with FIM 2010.
By most accounts Microsoft is a low-cost provider of IAM technology and has a formidable partner
network. A good percentage of small and medium-sized enterprises (SMEs) are likely to turn to
Microsoft first as their IAM technology stack provider. Therefore, it is good news that Microsoft has
incorporated the well-proven concepts of business-driven group requests, approval workflows, identity
synchronization, and self-service into its latest release. Finally, it is important to mention in this context
that the Microsoft installed base does not lack large-enterprise deployment cases.
Recommendation: Consider
Partly through its well-known partnership development capabilities, Microsoft has assembled an IAM
offering that marginally trails the “Big Four” vendors. Its Technology score, alongside a well-above-average
Customer Sentiment ranking, ensures that Microsoft is placed in the “Consider” category. Predictably,
Microsoft falls below average on the “Infrastructure Supported” category, registering a series of Ns on
Ovum’s list of key platforms. Microsoft’s rating is unchanged from the previous edition of the Decision
Matrix, and there is little to doubt its role as a full IAM stack provider, particularly for Microsoft shops.
Novell: Identity and Access Management Radars
Novell’s IAM suite (Identity Manager r4) is part of the company’s Identity and Security Management (ISM)
unit, and the vendor provides a comprehensive suite of IAM solutions. Novell scores close to highest in the
Technology dimension of the Decision Matrix framework, and is ranked high across most Technology
categories. The Linux major almost achieves the highest scores in the Authentication dimension, and equal
to or close to the best scores possible (according to our evaluation parameters) against User Provisioning,
Password Management, Access Control, and Federated Identity Management. There are a number of
noteworthy aspects to Novell’s IAM positioning, such as its e-Directory and bundling of Novell Identity
Manager, Access Manager, and SecureLogin with Sentinel, the leading SIEM product. The third important
aspect of Novell’s IAM suite is its support for a wide range of platforms, an approach that is manifested in
Novell’s score on the “Infrastructure Supported” Technology dimension, which is close to the highest.
Another important differentiator is the home-grown nature of Novell’s IAM suite. How well the different
pieces of IAM integrate together remains a critical success factor in this market, and Novell certainly scores
well on this front. However, Novell has not shied away from acquisitions when required. Most notably, it
acquired Fortefi in 2009 for the latter’s privileged password management technology.
However, Novell has so far been unable to convert its exceptional technical strengths into industry-
leader status in terms of market impact. The vendor scores well below the other IAM suite heavyweights,
such as IBM, Oracle, and CA, in the Market Impact dimension, and growth in recent years has been
uneven. Its Customer Sentiment scores are also only average for a vendor with significant technical depth.
Interestingly, the customer perception of Novell’s portfolio depth is not as high as the vendor’s
Technology scores seem to suggest, possibly indicating that there is scope for better marketing of its
status as an IAM heavyweight. A related point here is that Novell lacks the major systems integrator
partnerships that every major IAM stack provider has had for some time. While Novell’s major
competitors all have partnerships spanning the global majors (such as Deloitte), Novell’s roadmap does
not seem to indicate a focus on expanding the scope of its partnerships.
Novell’s current market positioning focuses on compliance (which has always been a major area of
focus), on managing identity and access in virtualized environments, and on incorporating cloud-
delivered services into its IAM scope. On the cloud front, Novell’s scope includes provisioning and SSO
for cloud-delivered applications, controlling mixed environments in which workloads are moved across
data centers to cloud infrastructure, and offering hosted and MSP-provided identity services that could
be particularly appealing to the SME market. On the compliance front, the focus is on providing audit-
level reporting, user activity monitoring and correlation, and SoD violation monitoring. The SAP and Novell
partnership with regard to GRC, which involves integration (and more) of SAP’s GRC products with
Novell’s ISM solutions, is noteworthy in this context.
As would be expected of a vendor of Novell’s nature, the IAM portfolio is relevant to all geographies,
industry sectors, and enterprises of varying sizes. The traditional heavy users of IAM, namely financial
services, the public sector, healthcare, and telecommunications, predictably form an important part of
Novell’s installed base. However, it is important to mention that Novell has significant presence in the
utilities and manufacturing sectors.
[Radar charts, not reproduced. Legend: Novell; Maximum category score; Average across vendors.
Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single
sign-on, Scalability, User provisioning, Solution breadth and depth, Password management, Solution
maturity, Access control, Administration and policy management, Federated identity management,
Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support,
Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels.
Impact radar axes: Revenue, Regional presence, Revenue growth, Size-band presence, Recognition,
Vertical presence. Scales run from 0 to 10.]
Figure 6.4.7: Novell Identity and Access Management Radars. Source: Ovum
Recommendation: Shortlist
Novell’s close-to-highest score in the Technology dimension and moderate Customer Sentiment score
have placed the vendor in the “Shortlist” category. The Market Impact scores are lower than would be
expected of an IAM vendor of Novell’s stature. However, there is little to doubt the comprehensive
nature of Novell’s offering and its relevance to diverse IAM requirements. The research exercise for this
report is based exclusively on vendors’ performance in the IAM category, and Ovum advises enterprises
to incorporate their understanding of the vendor’s overall business into any selection decisions.
Oracle: Identity and Access Management Radars
[Radar charts, not reproduced. Legend: Oracle; Maximum category score; Average across vendors.
Technology radar axes: Authentication technology, Infrastructure supported, Enterprise and web single
sign-on, Scalability, User provisioning, Solution breadth and depth, Password management, Solution
maturity, Access control, Administration and policy management, Federated identity management,
Standards and authorities. User sentiment radar axes: Product quality, Portfolio depth, Customer support,
Client engagement, Service capabilities, Financial stability, Vertical specialization, Service levels.
Impact radar axes: Revenue, Regional presence, Revenue growth, Size-band presence, Recognition,
Vertical presence. Scales run from 0 to 10.]
Figure 6.4.8: Oracle Identity and Access Management Radars. Source: Ovum
Always a very prominent IAM vendor, Oracle has become even more of a behemoth following its Sun
Microsystems acquisition. The vendor scores well in all Ovum’s evaluation dimensions, particularly in the
Technology dimension and Market Impact, in which it achieves the highest overall score. Oracle scores
well in all the Technology dimensions, registering maximum possible scores or close to maximum possible
scores in User Provisioning, Enterprise and Web SSO, Password Management, Federated Identity
Management, and Infrastructure Supported. With over 5,000 IAM customers, Oracle has presence across
all major sectors, with the traditional IAM intensive sectors, financial services, healthcare, and the public
sector leading. Its geographic mix of revenues is in line with the wider market, with North America leading.
Of course, no discussion on Oracle is possible without touching on the problem of technology
integration post Sun Microsystems acquisition, and the related announcements (and the July 2010
Oracle Identity 11g release) do not compel existing Sun and Oracle customers to make significant
decisions soon (or at least over the next two years). Its plans involve rebranding of products and
prioritization in the case of overlapping capabilities (in accordance with Oracle’s “continue and
converge” policy), but existing commitments will be honored for product lines that will no longer be part
of Oracle’s strategic IAM roadmap.
Oracle’s competitors, CA and Novell, had launched “license exchange” programs to take advantage of
the post-acquisition situation, but Ovum has seen little evidence that the state of the market has
changed in any significant way as a result of these competitors’ initiatives. Oracle’s Customer Sentiment
scores have not changed significantly since the last time Ovum surveyed its enterprise clients,
indicating that the Sun acquisition has not led to much change in perception about Oracle’s products
and the vendor’s service delivery capabilities. The level of overlap across its many technology areas is
significant, but in keeping with Oracle’s broader post-acquisition technology integration policy, some
reasonably specific guidelines on the roadmap were released in January 2010. Parts of Sun
Microsystems’ IAM portfolio have been added to the Oracle IAM portfolio, renamed and repositioned,
and will now be part of the common strategic roadmap. Sun’s Role Manager stays and will form the
foundation for Oracle Identity Analytics. Sun Directory Server Enterprise Edition, Oracle Internet
Directory, and Oracle Virtual Directory will now collectively form a new product called Oracle Directory
Services Plus. Sun’s Open SSO Fedlet (renamed Oracle Open SSO Fedlet) and Secure Token Service
(now Oracle OpenSTS) are now part of the strategic roadmap. Sun’s Identity Manager is now known
as Oracle Waveset, and Oracle will continue developing Oracle Identity Manager to make the solution
familiar to Waveset users. Oracle is offering existing Sun IAM customers equivalent Oracle products for
free and plans to release migration tools in 2011.
Although the scale and level of overlap is unique, acquisitions are not a new concept for the Oracle IAM
team. Oracle’s IAM portfolio has been built partly through a series of acquisitions. In 2007, Oracle
acquired Bridgestream, a role management vendor, and Bharosa, a provider of online fraud
management and strong authentication. Although Oracle’s overall direction partly reflects the goals of
IAM suite vendors (such as superior role management and IAM integration with GRC), the focus of the
July 2010 11g release is on integrating the product stack, and the vendor’s approach has been branded
“Service Oriented Security.” Service Oriented Security is aimed at providing developers with a set of
reusable IAM services, such as authentication, authorization, administration, and auditing, which can
be leveraged as part of any application development effort. The approach is not new, and Oracle has
been talking about this since at least 2008.
In the long term, migration for some of Oracle’s and the erstwhile Sun Microsystems’ customers would
not exactly be painless. However, the portfolio collectively offers the right pieces for a diverse set of
requirements, the lessons learned from many post-merger technology acquisitions are being used to
lessen the pain as much as possible, and nobody is being forced to rip and replace anything in the short
term. To summarize, Oracle provides a comprehensive set of IAM capabilities, and its focus is on
enabling consumers of IAM technology to use elements of the considerable Oracle IAM stack flexibly.
Recommendation: Shortlist
Arguably the most acquisitive enterprise software company in the world, Oracle has brought together
two IAM portfolios that were both strong contenders in their own right. A high Technology score and a
Customer Sentiment score that is competitive among vendors of a similar scale earn the new IAM entity
a “shortlist” rating. Oracle has done a good job of managing customer concerns after what was arguably
the largest IAM acquisition in the market to date. Overall, this is certainly a comprehensive IAM stack
and a vendor that merits closer evaluation in most identity and access technology selection scenarios.
RSA Security: Identity and Access Management Radars
RSA, the security division of EMC, is the authentication market leader and partners with Courion for
provisioning and role management. The RSA IAM suite comprises RSA Access Manager, RSA Identity
Protection and Verification, RSA Federated Identity Manager, RSA SecurID, and RSA Adaptive
Authentication. Strong authentication, adaptive authentication, access control, federated identity
management, and DLP and SIEM are RSA’s primary focus areas. RSA’s overall Technology score,
given its specialization strategy, is predictably low compared with the heavyweights and even much
smaller vendors such as Hitachi-ID and Evidian. As would be expected of RSA, the vendor’s
Authentication score is the highest. However, the vendor scores well in the Market Impact dimension
and is as well recognized as an IAM provider as the largest full-suite vendors. In the Customer
Sentiment dimension, RSA performs reasonably well, beating the average in all dimensions, except,
predictably, Portfolio Depth, and less predictably, Client Engagement.
CHAPTER 6: TECHNOLOGY COMPARISON
Getting back to the Market Impact dimension, RSA’s primary sectors are financial services, government,
healthcare, and telecoms. The geographic spread of RSA’s business aligns well with the market average,
with North America leading and the Asia-Pacific market accounting for lower revenues than the EMEA region.
Figure 6.4.9: RSA Identity and Access Management Radars. Technology, User sentiment and Impact radars on the same axes as Figure 6.4.7, plotting RSA against the maximum category score and the average across vendors. Source: Ovum
RSA Security typically plays the role of the best-of-breed provider in deals that involve the IAM suite
providers, and the large-enterprise segment is its focus area. On the strong authentication front, RSA
delivers strong authentication through both hardware and software tokens and also provides digital
certificates and knowledge-based authentication services. RSA’s adaptive authentication services
provide risk-based authentication services to consumers of web-delivered applications in a way that is
policy-based, and the level of authentication enforced is based on the risk profile of the requestor. The
promise of strong authentication has been moderated by the realization that strong authentication does
not scale well and a risk-based approach is necessary.
To that end, RSA provides different levels of authentication, such as “what you know”-based (user-
selected images), invisible or automatic (device identification-based), one-time-password-based (which
could be based on both hardware and software tokens), and out-of-band. The last approach, out-of-
band authentication, is relatively new and has significant growth potential for high-risk transactions,
given the rise of “man-in-the-middle” attacks. To summarize, RSA has few peers when a cost-effective
and strong access control system is necessary, particularly when transactions and a stringent
regulatory environment are involved. The same capabilities and strategic objectives make RSA a strong
contender when a large mobile workforce or large partner community are involved. With regard to the
latter, Ovum notes that RSA scores close to the maximum in the Federated Identity Management
dimension.
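The risk-based selection of an authentication level described in the two preceding paragraphs can be made concrete with a small policy engine. The following is an added illustration, not RSA's own code or scoring model: the signals (device recognition, location, transaction value), their weights, the score thresholds and the tier names are assumptions chosen to show how a requestor's risk profile decides whether a request is allowed as-is or must step up to a stronger mechanism.

```python
"""Risk-based step-up authentication policy, as an illustrative engine.

Added example, not RSA's own code: the signals, weights, thresholds and tier
names below are assumptions chosen to show how a requestor's risk profile
selects the authentication level enforced.
"""
from dataclasses import dataclass

# Authentication tiers, weakest to strongest (assumed ordering of the
# mechanisms named in the text: none, knowledge-based, OTP, out-of-band).
LEVELS = ["none", "knowledge", "otp", "out_of_band"]


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str          # fingerprint of the requesting device
    country: str            # geolocation of the request
    amount: float           # transaction value
    known_devices: frozenset
    home_country: str


def risk_score(req: Request) -> int:
    """Additive risk score from independent signals (assumed weights)."""
    score = 0
    if req.device_id not in req.known_devices:
        score += 40   # the invisible device-identification check failed
    if req.country != req.home_country:
        score += 30   # request from outside the user's usual country
    if req.amount >= 10_000:
        score += 40   # high-value transaction
    elif req.amount >= 1_000:
        score += 20
    return score


def required_level(score: int) -> str:
    """Weakest tier acceptable for a given score (assumed thresholds)."""
    if score < 20:
        return "none"
    if score < 50:
        return "knowledge"
    if score < 80:
        return "otp"
    return "out_of_band"


def decide(req: Request, presented_level: str) -> dict:
    """Allow if the tier the user has already satisfied meets the required
    one, otherwise ask the client to step up to the required tier."""
    score = risk_score(req)
    need = required_level(score)
    satisfied = LEVELS.index(presented_level) >= LEVELS.index(need)
    return {"score": score, "required": need,
            "action": "allow" if satisfied else "step_up"}


if __name__ == "__main__":
    known = frozenset({"dev-A"})   # constructed sample: one enrolled device
    for req in (Request("alice", "dev-A", "GB", 50.0, known, "GB"),
                Request("alice", "dev-Z", "US", 15_000.0, known, "GB")):
        print(req.device_id, req.country, req.amount, decide(req, "none"))
```

The point of the ordering in `LEVELS` is that a session already authenticated with a stronger tier never gets asked to step down, while a low-risk request from an enrolled device pays no authentication cost at all, which is what makes the approach scale where uniform strong authentication does not.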
Across the areas adjacent to IAM, SIEM, DLP, and GRC, RSA is strong and active. However, it is not
clear to what extent these solutions currently work in conjunction with the IAM suite. IAM coupled with
SIEM and DLP is certainly part of how IAM is likely to shape up in the medium term, and RSA is well
placed to benefit from the need to formulate a risk, compliance, and content-focused approach to IAM
management. In January 2010, parent company EMC acquired Archer Technologies, a leading provider
of GRC solutions. RSA’s self-reported goals driving the acquisition included GRC working in conjunction
with RSA’s DLP and SIEM solutions.
Recommendation: Explore
The strong authentication specialist would hardly claim to be an IAM stack vendor, and has stable and
mature partnerships to fill the areas in the market that RSA does not operate in. Naturally, its aggregate
Technology scores reflect that focus. However, the RSA scores this year are lower than what ordinarily
would be expected of RSA on account of the vendor quitting the E-SSO business in 2009. These lower-
than-expected Technology scores and a Customer Sentiment score that is marginally lower than
average have led Ovum to place RSA Security in the Explore category.
CHAPTER 7: Technology Audits
CA: CA Identity and Access Management Suite
CATALYST
The CA Identity and Access Management Suite is a comprehensive set of products that, either
collectively or individually, can be used to effectively meet the identity management requirements of its
customers. The identity management and access control requirements of each organization are driven
by a number of business and security factors, including compliance, audit, data protection, and risk
awareness. Within its content-aware identity and access management (IAM) product portfolio, CA
Technologies has the range and depth of technology to address the specific identity management
requirements of most organizations.
KEY FINDINGS
• CA IAM has three focus areas: managing identity, controlling user access, and maintaining control
over the use of information. All of these issues are relevant to the vast majority of business
organizations.
• This extended IAM solution will be of interest to any organization that recognizes the need to
address compliance issues by combining its identity management and information protection
strategies.
• Platform coverage is broad, making the solution suitable for distributed and mainframe operations,
as well as for virtual, on-premise, and cloud environments.
OVUM VIEW
CA Technologies has been actively involved in the management of identity and the delivery of user and
business protection services that control enterprise access for more than a decade. During this period,
the company has developed, acquired and integrated an extensive range of identity-driven security
products, which now shape its ‘content-aware’ approach to IAM.
CHAPTER 7: CA – CA IDENTITY AND ACCESS MANAGEMENT SUITE
TECHNOLOGY AUDIT
Strengths:
• Centralized IAM that includes user provisioning and integrated workflow.
• Provides a comprehensive range of user activity and compliance reporting facilities.
• Controls the actions of privileged users for improved security.
• Web access management and web single sign-on (SSO) provide secure, user-friendly web access.
• Integration of data loss prevention (DLP) content knowledge provides improved control over
information resources.
Weaknesses:
• Industry concerns over cloud security may hold back future progress in this area.
Key Facts:
• CA Technologies is aligning the use of DLP services with its IAM offering.
• Security information and event reporting add enhanced audit and compliance services.
The CA IAM Suite consists of an integrated set of products and services. Universal workflow,
provisioning and role modeling, access management, federation, compliance, reporting, and other core
IAM services can be leveraged across the CA IAM Suite, making CA Technologies one of only a small
number of vendors that have an end-to-end, full-lifecycle IAM capability.
Importantly, CA Technologies’ content-aware approach to IAM adheres strongly to industry standards.
This helps to position the company as a software vendor that can fully support business and operational
requirements in order to simplify infrastructure security processes, while continuing to work with
products that retain a common look and feel across the business. CA Technologies supports a wide
range of common hardware and application platforms, directories, and databases, and has the ability
to work with mixed environments that include traditional, virtual, and cloud-based models. Also,
because of its range of information protection products, CA Technologies has extended its identity
management focus to include data usage and management services, including DLP.
Recommendations
• The target market for CA Technologies’ content-aware IAM Suite is predominantly large enterprise
customers. These are typically organizations with over 5,000 employees or businesses with annual
revenues that exceed $500m. Smaller organizations working in highly regulated industries can also gain
value from deploying the product set, but need to consider the cost and operational justifications carefully.
• Universally, the strongest markets for IAM are those sectors that are highly regulated, such as financial
services, government, and healthcare. CA Technologies’ customer base is consistent with this, although,
because of the maturity of its product set, it has a presence in most vertical markets.
• CA Technologies is well positioned to support new and emerging markets, particularly where growth is
supported by the use of virtual systems and cloud-based services. Its access control product helps to not
only secure virtual systems, but also the hypervisor itself, and its log management facilities provide
consistent activity and compliance reporting across all environments.
SOLUTION OVERVIEW
CA Technologies’ IAM approach is comprehensive, due to its range of available products, and wide-
ranging, as it can provide numerous levels of business and user protection. The fact that it is wide-ranging
is predominantly a strength, as whatever range of user and business protection services an organization
requires, CA Technologies is likely to have a product to address it. In addition, the breadth of the solution,
and the fact that it is highly integrated, can often simplify management of the components through
common interfaces, among others. However, with any IAM solution (whether from a single vendor or
multiple vendors), a phased approach is highly recommended. Each organization needs to be aware that
the foundations of IAM ought to be fully addressed before taking on extended elements such as identity
federation and external user management, yet these elements continue to be seen as market drivers.
CA Technologies’ content-aware IAM suite consists of an integrated set of products that automate the
management of users and their identity-based access to information, throughout the lifecycle of their
relationship with an organization and its systems. To put this into context, CA Technologies’ IAM Suite
provides a range of core IAM services that manage identity, control user access, and control use of
information resources. They are administered through a centralized workflow-based identity lifecycle
management approach that includes the creation, modification, deletion, and audit level reporting of
user-access rights. Core IAM facilities include:
• Entitlement-based role management, which delivers full-featured automated role discovery, real-time
role management, entitlement management, and audit and analysis reporting.
• Web and enterprise access management, which protects against the improper use of key applications
through its ability to restrict and control web and enterprise application access.
• Web and enterprise SSO, which provides secure single-source access to web and enterprise facilities.
• Federated identity management (FIM), which allows identities and their associated access rights to be
shared across business operations and with third-party business partners.
• Privileged-user controls are addressed on two levels: privileged-user password management provides
one-time administrator passwords and separation-of-duty controls; and privileged-user management
delivers granular controls for operating system resources.
• Unix Authentication Broker enables Unix and Linux servers to authenticate users through their Active
Directory (AD) credentials.
• Service-oriented architecture (SOA) security, including web services security controls.
• Software development kit (SDK) facilities, which allow IAM facilities to be embedded in homegrown
applications.
• Software-based strong authentication, including risk-based authentication for fraud prevention.
An extended range of user and data protection facilities to address business and operational security
requirements is also available. This includes:
• A suite of DLP products that can be used to discover, classify, and control the use of sensitive
information.
• Log management, analysis, and reporting facilities that help organizations to understand and
manage user access to information resources and, as a result, help to address compliance and audit
requirements.
The products that CA Technologies uses to deliver its range of IAM protection services are all well
established within the identity management industry, and include:
• CA Identity Manager (version 12.5).
• CA SiteMinder (version 12.0).
• CA Access Manager (version 12.5).
• CA Role & Compliance Manager (version 12.5).
• CA Federation Manager (version 12.1).
• CA SOA Security Manager (version 12.1).
• CA DLP (version 12.5).
• CA Enterprise Log Manager (version 12.1).
The architecture diagram in Figure 1 identifies where each of these products fits within CA
Technologies’ IAM infrastructure and how they interact as a complete IAM suite. It also shows how core
IAM services such as provisioning, access entitlements and audit reporting are delivered.
Figure 1: The CA Identity and Access Management Solution. Architecture diagram showing the products (Role & Compliance Manager, Identity Manager, Access Control, SiteMinder, Enterprise Log Manager, DLP) and the services they deliver: Entitlements (Access), Provision (Identities, Access), Audit and Audit Summary feeding Enterprise Log Manager for User Activity and Compliance Reporting; Data loss prevention; Host Access Management; Privileged User Mgt; SOA; Federation; Web Access Mgt w/SSO; Role Management; ID Governance; Provisioning; ID Admin. Source: CA Technologies
SOLUTION ANALYSIS
Authentication
Organizations need to maintain strong, efficient and, at the same time, appropriate user-authentication
systems: strong, to address compliance and systems protection issues; efficient, to ensure that users
are able to fulfill their roles; and appropriate, to allow user access that does not inhibit productivity. CA
Technologies promotes user efficiency through its centrally managed authentication, authorization, and
SSO facilities, and its automated user provisioning services. Its proposition also extends to the use of
federation across collaborative business relationships.
CA SiteMinder manages the authentication of users, and controls which users are authorized to access
which applications. It retains the accountability for determining the conditions and controls under which
normal access and extended user privileges can be provided. At the same time, it retains responsibility
for simplifying access for user groups, relieving the systems administrator’s security burden, and
utilizing its monitoring, policy enforcement and reporting services to address necessary regulatory
compliance issues. SiteMinder supports a wide range of authentication techniques, which is an issue
of growing importance to most business organizations as the number and range of information-access
demands continues to grow.
The CA IAM suite also includes the WebFort and RiskFort products, which were part of the recent
acquisition of Arcot. Arcot WebFort is a software-only multi-factor authentication solution that is
integrated with CA SiteMinder to transparently protect and verify web users’ identities. It protects users
from identity theft and fraud without changing their familiar sign-on experience and without the need for
hardware tokens. Arcot RiskFort is a fraud detection and risk-based security system that prevents fraud
in both consumer and enterprise online services. It also provides organizations with the ability to
determine and enforce different levels of authentication based on the acceptable amount of risk for each
transaction. When combined with CA SiteMinder, this set of products provides high flexibility and
increased security for user authentication services.
Provisioning, role management, and certification
Provisioning, role management and certification are important elements of IAM. In the past, poor
management and maintenance have caused organizations to lose control over users, entitlements, and
roles. CA Technologies’ lifecycle approach begins with the initial creation of user identities. It then takes
into account the allocation of accounts and access entitlements that users require, includes the ongoing
modification and validation of the need for these entitlements as the user and their roles change, and
continues until the removal of provisioned rights on termination.
This approach makes use of role management and role mining capabilities within CA Role &
Compliance Manager to streamline the management of users. It also provides compliance processes
and controls, such as automated entitlements certification or segregation of duties policies, to ensure
that the relevant mandates are addressed. CA Identity Manager provides identity administration,
provisioning, and auditing for managing user identities. For web users, the product provides
provisioning and management of all usage rights and business roles.
From a cost and efficiency standpoint, many of the ongoing provisioning services offered can be set up
to be delivered using self-service and delegated administration facilities. CA Role & Compliance
Manager adds to the product set’s range of identity management services by streamlining the process
of defining, managing, and governing roles and entitlements on an ongoing basis. In addition, CA
Enterprise Log Manager provides audit-level user activity monitoring and compliance reporting to
complete the provisioning and role management picture.
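The lifecycle the section describes (create identities, allocate role-based entitlements, validate changes as roles change, remove rights on termination, and certify what remains) can be shown end to end in a small provisioning model. This is an added example, not CA Identity Manager or Role & Compliance Manager code: the role model, the single separation-of-duties rule and the sample identities are constructed for illustration, and the certification report is a simplified stand-in for an entitlements certification campaign.

```python
"""Identity lifecycle provisioning with role-based entitlements, a
separation-of-duties (SoD) rule and an entitlement certification report.

Added example, not CA's code: the role model, the SoD pair and the sample
identities are constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed role model: role name -> entitlements the role grants.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_invoice"},
    "ap_approver": {"erp:approve_invoice"},
    "reader": {"wiki:read"},
}
# Assumed SoD policy: no identity may hold both entitlements of a pair.
SOD_PAIRS = [("erp:create_invoice", "erp:approve_invoice")]


@dataclass
class Identity:
    uid: str
    roles: set = field(default_factory=set)
    direct: set = field(default_factory=set)  # grants made outside the role model
    active: bool = True

    def entitlements(self) -> set:
        ents = set(self.direct)
        for role in self.roles:
            ents |= ROLE_ENTITLEMENTS[role]
        return ents


def sod_violations(ident: Identity) -> list:
    ents = ident.entitlements()
    return [pair for pair in SOD_PAIRS if pair[0] in ents and pair[1] in ents]


class Provisioner:
    """Create, modify and terminate identities; every change is audited and
    role changes that would break SoD are refused."""

    def __init__(self):
        self.identities = {}
        self.audit = []   # (event, uid, detail) tuples

    def create(self, uid: str, roles) -> Identity:
        ident = Identity(uid, set(roles))
        if sod_violations(ident):
            raise ValueError(f"SoD violation creating {uid}")
        self.identities[uid] = ident
        self.audit.append(("create", uid, sorted(roles)))
        return ident

    def change_roles(self, uid: str, add=(), remove=()) -> bool:
        """Apply a role change (e.g. a transfer) only if SoD still holds."""
        ident = self.identities[uid]
        proposed = Identity(uid, (ident.roles | set(add)) - set(remove), set(ident.direct))
        violations = sod_violations(proposed)
        if violations:
            self.audit.append(("denied_role_change", uid, violations))
            return False
        ident.roles = proposed.roles
        self.audit.append(("change_roles", uid, sorted(ident.roles)))
        return True

    def grant_direct(self, uid: str, entitlement: str) -> None:
        """Out-of-role grant (the kind certification must catch); recorded, not blocked."""
        self.identities[uid].direct.add(entitlement)
        self.audit.append(("direct_grant", uid, entitlement))

    def terminate(self, uid: str) -> None:
        """Leaver: strip every entitlement and deactivate the identity."""
        ident = self.identities[uid]
        ident.roles.clear()
        ident.direct.clear()
        ident.active = False
        self.audit.append(("terminate", uid, None))

    def certification_report(self) -> list:
        """Items a reviewer must attest to: out-of-role grants, SoD conflicts,
        and deactivated identities that still hold access."""
        findings = []
        for ident in self.identities.values():
            for ent in sorted(ident.direct):
                findings.append((ident.uid, "direct_grant", ent))
            for pair in sod_violations(ident):
                findings.append((ident.uid, "sod_conflict", pair))
            if not ident.active and ident.entitlements():
                findings.append((ident.uid, "orphaned_access", sorted(ident.entitlements())))
        return findings
```

Role changes are checked against the policy before they are applied, whereas direct grants are deliberately allowed through and surfaced by the certification report: in practice it is the exceptions made outside the role model that accumulate and that periodic certification exists to find.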
Password management
Password management covers user authentication approaches, from those that are supported by the
use of simple static passwords, through to well structured, constantly changing password management
infrastructures that operate alongside core IAM components, including SSO, provisioning, role
management, and associated helpdesk services.
At the high end of the password management arena, there is a particular need to provide controls that are
capable of dealing with privileged-user access. Privileged-user management and privileged-user password
management facilities are needed to ensure that key operating system resources and administrator access
rights are properly controlled. These are important security areas that many organizations have failed to
control, leading to operational system vulnerabilities and lax administrator controls.
CA Technologies provides privileged-user protection facilities that address both systems and administrator
control issues. Its Access Control product helps to reduce the risks involved in privileged usage by providing
more control over privileged users and their access rights. It addresses administrator access to enterprise
data, includes separation-of-duty controls, addresses server-to-server security across business networks
and, using CA Enterprise Log Manager’s facilities, it provides secure management reporting services.
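The privileged-user password management controls named above (one-time administrator passwords, separation-of-duty checks and audit reporting) are illustrated by the following credential checkout model. It is an added example and not CA Access Control or CA Enterprise Log Manager code: the vault structure, the rule that a requester cannot approve their own request, the one-hour lease and the password alphabet are assumptions made for the illustration.

```python
"""One-time privileged credential checkout with separation of duties and an
audit trail.

Added example, not CA Access Control: the vault model, the approval rule, the
one-hour lease and the password alphabet are assumptions for illustration.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits
LEASE = timedelta(hours=1)   # assumed maximum checkout duration
# Constructed reference time used by the demo below.
SAMPLE_NOW = datetime(2011, 1, 10, 9, 0, tzinfo=timezone.utc)


@dataclass
class Lease:
    holder: str
    approver: str
    password: str
    expires: datetime


class Vault:
    """Holds privileged accounts; each checkout issues a fresh single-use
    password that is retired (and would be rotated on the target system) on
    check-in or expiry."""

    def __init__(self, accounts):
        self.leases = {acct: None for acct in accounts}   # account -> Lease or None
        self.audit = []

    def checkout(self, requester, approver, account, reason, now):
        """Return (True, password) or (False, reason for refusal)."""
        if account not in self.leases:
            return False, "unknown account"
        if requester == approver:
            # Separation of duties: nobody approves their own privileged access.
            self.audit.append((now, "denied_self_approval", account, requester))
            return False, "requester may not approve their own request"
        self.expire(now)
        if self.leases[account] is not None:
            return False, "account already checked out"
        password = "".join(secrets.choice(ALPHABET) for _ in range(20))
        self.leases[account] = Lease(requester, approver, password, now + LEASE)
        self.audit.append((now, "checkout", account, requester, approver, reason))
        return True, password

    def checkin(self, account, requester, now):
        """Only the holder can return the account; the password is retired."""
        lease = self.leases.get(account)
        if lease is None or lease.holder != requester:
            return False
        self.leases[account] = None      # rotation on the target would follow here
        self.audit.append((now, "checkin", account, requester))
        return True

    def expire(self, now):
        """Retire leases past their expiry so credentials cannot linger."""
        for account, lease in self.leases.items():
            if lease is not None and lease.expires <= now:
                self.leases[account] = None
                self.audit.append((now, "expired", account, lease.holder))

    def holder(self, account):
        lease = self.leases.get(account)
        return None if lease is None else lease.holder


if __name__ == "__main__":
    vault = Vault(["root@db1"])            # constructed sample account
    print(vault.checkout("alice", "alice", "root@db1", "patching", SAMPLE_NOW))
    ok, pwd = vault.checkout("alice", "bob", "root@db1", "patching", SAMPLE_NOW)
    print(ok, len(pwd), vault.holder("root@db1"))
    for entry in vault.audit:
        print(entry)
```

Every refusal is written to the audit list as well as every grant, because the denied self-approval attempts are exactly the events a compliance report over privileged access needs to show.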
Access control
For organizations in general, one of the most complex IAM issues revolves around maintaining
adequate levels of control over their system users. It is an ongoing requirement that has to be enforced
properly. CA Access Control addresses the across-enterprise access control demands of all common
systems resources. This includes providing control over all operational systems resources, including
systems, applications, programs, files and processes.
As already discussed, these controls are also required to enforce the separation of administrative duties
and server controls that are consistent with industry best practices and fulfill audit requirements.
FIM
Today’s interconnected business environments require partner interactions that involve shared access
to information, making closer collaboration a necessity. Federated partner networks and the need for
increased inter-company connectivity also bring with them serious complexity issues, which necessitate
FIM products that are able to share information securely and openly at a level that meets the needs of
each partner in a federated relationship.
CA Federation Manager is a browser-based product that supports federated relationships across
internal and external security domains. It controls secure SSO-based interoperability across security
domains, including the information-sharing (federated) partnerships that organizations choose to
activate with their business partners or cloud providers. The product’s role is to securely manage all
interactions between authorized partnerships, as users transact and collaborate on projects that cross
internal and external security boundaries. This involves enabling seamless access to third-party
applications, while at the same time using its automation services to drive efficiency and to support new
business opportunities.
Extended security management facilities
Included in CA Technologies’ extended content-aware IAM infrastructure is the ability to control how
information is being used. Its additional DLP and security information and event management (SIEM)
facilities allow organizations to discover, classify, manage and report on data usage.
CA DLP provides a range of data protection facilities that protect data-in-motion across networks, data-
in-use on endpoint devices, and data-at-rest on servers and storage repositories. Its use can be aligned
with CA Technologies’ core IAM products so that common usage policies and actions can be set up.
CA Enterprise Log Manager enables the filtering, correlation, and consolidation of information and
events, and provides reports that can be presented in a range of business and technical views. It also
provides a large number of pre-defined reports tailored to the requirements of specific international
regulations and best practices.
PRODUCT STRATEGY
Across most industries, the core need for identity-based control and protection systems is moving from
the use of owned and user-managed infrastructure systems to a mixed range of traditional and virtual
operations. The emerging use of cloud services also adds to the need for IAM facilities that can provide
operational consistency.
CA Technologies recognizes that, despite short-term security concerns, there will be growth in the use
of cloud-based environments. It is therefore positioning itself to take advantage of this up-and-coming
technology trend with a strategy that includes the provision of ‘security to the cloud’, which extends the
use of enterprise security facilities to cloud-based SSO and access control services. Its ‘security for the
cloud’ services provide security protection and secure operating environments for cloud providers, and
its ‘security from the cloud’ services provide security-as-a-service options for organizations that wish to
make use of cloud-based protection services.
MARKET OPPORTUNITY
The target market for CA Technologies and its IAM suite is large enterprises. The company’s
experiences with IAM show that while smaller organizations still need it, their problems are often less
inhibiting and generally less severe than those of their larger counterparts. CA Technologies has
customers in all markets, but with a strong emphasis on heavily regulated sectors such as financial
services, healthcare, and security-conscious areas of government and federal agencies.
The company’s products are sold worldwide, but almost two-thirds of its business is still done in the US,
with around one-third now coming from Europe, the Middle East and Africa (EMEA) and the emerging
Far East markets.
Almost 98% of sales are made direct-to-market using the company’s sales team, while the remaining
2% is conducted through resellers and business partners.
CA Technologies sees its main IAM competitors as large software vendors such as IBM and Oracle, and
to a lesser extent Novell and RSA, as well as Courion in specific areas.
GO TO MARKET STRATEGY
Two licensing models are available: perpetual licensing, with options that vary by product; and a
subscription model. In the former, for example, CA SiteMinder is licensed based on the number and
type of user, whereas CA Access Control is licensed based on the number of servers being supported.
The subscription model, on the other hand, uses the same licensing metrics as the perpetual approach,
but payments are based on annual or multi-year agreements.
Key business and alliance partners include Atos Origin, Capgemini, and Deloitte, while country-based-
services partners include Devoteam, EDB, Fujitsu (Australia), Logica, and Telecom Italia.
CA Technologies has a number of specific technology and distribution partner relationships:
• Radiant Logic – CA Technologies resells its Virtual Directory.
• Vordel – the Vordel XML gateway for threat protection is fully integrated into the CA SOA Security
Manager product set as an original equipment manufacturer (OEM) product.
• Others – CA Technologies also partners with over 50 additional technology partners through its
technology partner program, including ActivIdentity, Anakam, Imperva, KSI, SafeNet, and Sentrigo.
Future enhancements to the IAM product suite are included in CA Technologies’ IAM roadmap. They
include the expansion of its content-aware capabilities through the continued integration of
complementary components. This approach has particular relevance to CA SiteMinder and CA DLP,
which are both being extended so that the sensitivity of the information being accessed can be a factor
in the authorization decision. When considering entitlements and the potential for improper use, it
covers time-of-access issues and the user’s previous use of sensitive information.
IMPLEMENTATION
Average implementation timescales range from pilot projects of around 10 working days to enterprise
deployments of about 240 working days. Each implementation requires the technical services of
systems and database administrators and, potentially, for the enterprise level option, Java
programmers. Business support needs to be provided by HR specialists.
CA Technologies offers a range of business support services that can be used to speed up deployment.
Its ‘rapid implementation’ approach – which involves fast start-up, fixed-price, and fixed-project
implementations that cover the most commonly requested IAM functionality – can be used to get IAM
services through to production more quickly. As part of this, CA Technologies offers education,
transition, and support services. CA Technologies also offers solution implementations that provide
more flexibility in scope and scale in order to address unique customer requirements, as well as post-implementation health checks for product and solution security.
A range of support services is available from CA Technologies, including business-critical support
services, which are provided by CA Technologies’ support team. Business-critical support can be
engaged by raising a problem ticket electronically via the web or via direct telephone contact.
Customers can also search the CA Technologies problem database for resolutions. Typical support
pricing is set at around 20% of the product licensing cost and is in line with industry standards.
Customer training requirements are extremely variable. Most organizations require basic administrative
training with courses based on the products purchased. These can be provided on site, at a local CA
Technologies training facility, or online.
Deployment options include on-premise and hosted, with the former option remaining the most
commonly used. CA Technologies provides consulting, deployment and training services so that its
customers become confident in managing their own environment. For the hosted option, CA
Technologies partners with a number of hosted services providers which manage its solutions from
approved hosted environments.
DEPLOYMENT EXAMPLES
British Telecom
British Telecom (BT) provides networked IT, telecommunications and broadband services to customers
around the globe. To support future growth and ensure that its services remained competitive, BT
needed to build close relationships with its customers and suppliers, and provide secure access to
online resources. To achieve this, the company decided to standardize its identity management services
on a single IAM provider.
After an extensive benchmarking exercise, BT chose CA Technologies, and its technology now forms
the backbone of BT’s reusable authentication capability for staff, suppliers, and customers. CA
Technologies’ technology is used to perform around 36 million authentication transactions per day and
to enable simplified sign-on for all of BT’s user communities.
The solution’s reusable authentication capability has helped BT to save an average of £4.5m per annum
since the operation went live in 2004. It is also said to have enhanced overall customer experience and
to have improved BT’s competitive advantage by reducing its time to market for new applications. BT
has also extended its CA SiteMinder Web Access Manager deployment with identity federation to
enable authorized users to access applications and data hosted by some of the company’s suppliers.
DBS
DBS is one of the largest financial services groups in Asia, with operations in 16 markets, more than
200 branches, and over 1,000 ATMs across 50 cities. The company needs to offer transactional
services to its customers that are fast, convenient, and secure. Previously, it managed identities and
access from within individual applications. DBS decided to implement an IAM platform that was
centralized and could integrate with its existing online systems. The company selected CA Technologies
and its SiteMinder, Identity Manager, and directory services as the basis of its IAM platform.
CA SiteMinder is used to provide two-factor authentication, and to eliminate the company’s previous
security silos. Users now have SSO across their financial applications, which has helped to improve the
overall user experience. CA Identity Manager is used to administer user profiles, track the distribution
of hardware tokens, and allow customer self-service for password resets.
Using CA IAM technology, DBS has achieved the following benefits: two-factor authentication for all
customers; improved customer satisfaction rates through SSO and self-service; reduced risk of fraud
due to improved security; and self-service cost savings.
The Louisiana Rural Hospital Coalition
The Louisiana Rural Hospital Coalition (LRHC) is a state-wide organization that represents 41 small
rural hospitals. LRHC is responsible for finding ways to improve the level of healthcare services
provided to the rural communities that these hospitals support. The problems it faced included the
inability to share hospital records securely, which resulted in Health Insurance Portability and
Accountability Act (HIPAA) compliance issues. After a thorough evaluation project, LRHC selected an
integrated IAM solution from CA that includes SiteMinder, Identity Manager, and Access Control.
CA Identity Manager provides LRHC with a centralized identity administration interface for user
accounts. Additionally, it plans to use Identity Manager to provide self-service password-reset facilities.
CA SiteMinder is used to authenticate users for the LRHC portal and to control access to its hosted
applications. CA Access Control provides authorized administrators with role-based access to the
supporting infrastructure and servers, protects sensitive patient data, and enables security policies that
enforce the segregation of duties, as required by HIPAA.
LRHC recognizes that it has achieved significant benefits through deploying CA Technologies’ IAM
technology, including cost savings due to de-duplication, and the ability to share information between
hospital practitioners, including shared access to patient records that can be accessed in real-time.
Granular authorization to portal applications is also now provided, so that access to these applications
is easier, without giving practitioners too many entitlements.
World headquarters
CA Technologies
One CA Plaza
Islandia
New York 11749
USA
Tel: +1 (800) 225 5224
Fax: +1 (631) 342 6800
EMEA headquarters
CA Technologies
Ditton Park, Riding Court Road
Datchet, Slough, Berkshire
SL3 9LL
UK
Tel: +44 (0)1753 577733
Fax: +44 (0)1753 825464
www.ca.com
ENTRUST: Entrust IdentityGuard, GetAccess, & TransactionGuard
CATALYST
The growth in demand by business users and consumers for access to systems and networks from any
available location at any time forces IT administrators to provide unhindered access to the intellectual
property of their organizations, while ensuring that critical data is not compromised. The need to adhere
to compliance and regulatory requirements demands further care and collectively drives the
requirement for identity and access management (IAM) solutions such as Entrust’s products, which
support the effective management of identity, authentication, access, and business and consumer
protection.
• Entrust provides a well-rounded IAM solution that focuses on business user and consumer needs that necessitate the effective management of user identity, risk-based authentication, and fraud detection.
• The product set provides a risk-based strong authentication platform that can be tailored to meet specific organizational needs.
• Fraud protection for consumers is addressed by the TransactionGuard product set.
• Core markets focus on two significant verticals: government and financial services. The solution also caters for other industries using its extensive range of web and enterprise facilities.
KEY FINDINGS
OVUM VIEW
The IAM market is highly competitive, as one would expect from a sector that includes large IAM and
infrastructure providers such as Oracle, Sun, IBM, and CA. In response, Entrust provides an impressive
portfolio of identity-based authentication, access control, and user protection products.
The latest releases of the Entrust IdentityGuard, GetAccess, and TransactionGuard platforms provide
an extensive and integrated range of identity management, risk-based authentication, access control,
and real-time fraud detection facilities. Their strength comes from the company’s all-round ability to
build and deliver an integrated set of identity-driven protection solutions that are relevant to the
everyday business and operational needs of a wide-ranging group of businesses, irrespective of their
size or location.
CHAPTER 7: ENTRUST – ENTRUST IDENTITYGUARD, GETACCESS, & TRANSACTIONGUARD
TECHNOLOGY AUDIT
Strengths:
• Makes available a wide range of cost-effective, strong authentication facilities.
• Fraud prevention facilities are available as a mainstream component of the product set.
Weaknesses:
• Provides a rich and customizable policy platform in its web access control solution, but GetAccess lags behind in current web services standards support.
Key Facts:
• Does not require additional client software to deliver end-user authentication services.
• Entered into a merger agreement with Thoma Bravo in July 2009.
By making available a flexible range of single- and multi-factor authentication facilities, Entrust enables
organizations to put in place appropriate authentication facilities that balance operational demands
against business risk and regulatory compliance requirements. Add to this the solution’s enhanced
reporting and auditing capabilities, and Entrust has a well-rounded offering that enables organizations
to build an integrated identity-based approach to the management and control of user access.
Recommendations
• The Entrust IAM platform suits large enterprises in that the inherent scalability of the overall solution enables it to deal with large and growing user communities. Traditionally government, financial services, healthcare, and telecommunications have proven to be the company’s strongest areas of success. This is also due to the solution’s regulatory and associated industry control capabilities.
• In North America, Entrust’s direct sales force concentrates its efforts on large enterprise opportunities. Outside North America, and for small and medium enterprise (SME) sales, deals are made through partner channels, an area in which sales of its IdentityGuard product set have enjoyed success.
• Organizations typically select Entrust due to the high quality of its integrated product set, and because of its good reputation for the quality of its customer support and partner services. That the company has a renewal rate of over 90% supports the fact that its products are based on good technology, and it ranks high in terms of thought leadership, introducing market-relevant technology and understanding business needs.
SOLUTION OVERVIEW
Entrust IdentityGuard, Entrust GetAccess, and Entrust TransactionGuard form the core components of
the company’s IAM technology platform.
IdentityGuard
IdentityGuard is a risk-based authentication platform that includes the ability to deliver multiple levels of
user and server authentication, which can be tailored to meet the risk management requirements of
organizations and their various communities of information users. It uses a stateless architecture to
deliver its services; therefore, load balancing and failover are easily accomplished using redundant
servers.
GetAccess
GetAccess is a web-based, high-performance, functionally scalable web access control solution. Its role
involves the provision of centralized access management to multiple applications using a single portal
approach. The product has the capability to support SSO environments, provide access control to
systems and applications, and control entry down to authorized groups, roles, and individual users. In
addition, it is looking to extend its influence to the federated management requirements of internal and
external access-control relationships.
TransactionGuard
TransactionGuard is a real-time fraud detection solution consisting of three core components: Real
Time Fraud Detection, FraudMart, and the Open Fraud Intelligence Network. It transparently monitors
transactions and uses passive detection techniques to identify fraudulent activity. The
product uses behavioral understanding of transaction patterns and non-invasive fraud notification
methods to deliver its protection services. Its real-time fraud detection identifies “normal” patterns of
behavior via a rule-based approach (which helps reduce false positives) in combination with other
factors such as the user’s location, the time of day, and function usage patterns. All these factors are
individually assessed by user-configured rules, which are used to determine a risk score. Based on
the score attained, TransactionGuard uses application logic to decide what action is appropriate (for
example, to stop a transaction based on potential fraud, or make contact with the customer to discuss
the circumstances).
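As an added illustration of the rule-based scoring just described (example code, not Entrust's own), the Python below applies one configured rule per factor (location, time of day, function usage, and amount) to a transaction, sums the points into a risk score, and maps the score to an action; the rules, weights, thresholds, and the sample profile and transactions are all constructed assumptions.

```python
"""Rule-based transaction risk scoring in the style described above.

Added example, not Entrust's code: every rule, weight, threshold and the
sample profile/transactions are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    user: str
    amount: float
    country: str      # country inferred from the session's IP geo-location
    function: str     # application function invoked, e.g. "transfer"
    when: datetime


@dataclass(frozen=True)
class UserProfile:
    """The user's 'normal' pattern of behaviour, learned from history."""
    usual_countries: Set[str]
    usual_hours: range               # local hours in which the user is normally active
    function_counts: Dict[str, int]  # how often each function has been used before
    typical_amount: float


# A rule assesses one factor and returns the points it adds to the risk score.
Rule = Callable[[Transaction, UserProfile], int]


def rule_location(tx: Transaction, profile: UserProfile) -> int:
    """Transactions from a country the user has never used before score high."""
    return 0 if tx.country in profile.usual_countries else 40


def rule_time_of_day(tx: Transaction, profile: UserProfile) -> int:
    """Activity outside the user's habitual hours is mildly suspicious."""
    return 0 if tx.when.hour in profile.usual_hours else 15


def rule_function_usage(tx: Transaction, profile: UserProfile) -> int:
    """A function the user has never exercised (e.g. adding a payee) adds risk."""
    return 0 if profile.function_counts.get(tx.function, 0) > 0 else 25


def rule_amount(tx: Transaction, profile: UserProfile) -> int:
    """An amount far above the user's typical value adds risk."""
    return 30 if tx.amount > 5 * profile.typical_amount else 0


# Rules are configured and assessed individually; the risk score is their sum.
RULES: List[Rule] = [rule_location, rule_time_of_day, rule_function_usage, rule_amount]

# Score thresholds, highest first, mapped to the action the application takes.
ACTIONS: List[Tuple[int, str]] = [(70, "block"), (40, "contact_customer"), (0, "allow")]


def risk_score(tx: Transaction, profile: UserProfile, rules: List[Rule] = RULES) -> int:
    return sum(rule(tx, profile) for rule in rules)


def decide(score: int, actions: List[Tuple[int, str]] = ACTIONS) -> str:
    for threshold, action in actions:
        if score >= threshold:
            return action
    return "allow"


def assess(tx: Transaction, profile: UserProfile) -> Tuple[int, str]:
    """Return (risk score, action) for one transaction."""
    score = risk_score(tx, profile)
    return score, decide(score)


# Constructed sample data: a retail customer who normally checks balances and
# makes modest transfers from Norway during the day.
PROFILE = UserProfile(
    usual_countries={"NO"},
    usual_hours=range(7, 22),
    function_counts={"view_balance": 120, "transfer": 15},
    typical_amount=200.0,
)

TX_NORMAL = Transaction("alice", 150.0, "NO", "transfer", datetime(2010, 11, 3, 10, 15))
TX_ODD_HOUR = Transaction("alice", 2000.0, "NO", "transfer", datetime(2010, 11, 3, 3, 5))
TX_SUSPECT = Transaction("alice", 1500.0, "BR", "add_payee", datetime(2010, 11, 3, 3, 10))


if __name__ == "__main__":
    for tx in (TX_NORMAL, TX_ODD_HOUR, TX_SUSPECT):
        score, action = assess(tx, PROFILE)
        print(f"{tx.function:>12} {tx.country} {tx.amount:>8.2f} -> score {score:3d}, {action}")
```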
Combining the use of Entrust’s IdentityGuard, GetAccess and TransactionGuard products enables
organizations to leverage full control over who gets access to corporate information, as well as dealing
with customer and citizen access to applications. It then, at a transaction level, takes into account the
risk factors and requirements of all users and systems involved.
It is clear that some identity management solutions make demands on their clients that either do not fit
their individual risk profiles or do not realistically meet their security needs – either under- or over-delivering on their protection requirements. Entrust’s solution, on the other hand, appears more
pragmatic, offering a more focused approach that ensures that its services and protection products are
able to closely fit the needs of individual customers.
Entrust also provides an extensive range of complementary identity, access control, and user protection
products that can be tailored to meet the needs of organizations and their users. These include:
• Entrust Authority, Entrust’s public key infrastructure (PKI) solution, which supports the delivery of encryption, digital signature and secure authentication services, and is offered both as a self-hosted solution and as a service.
• Entrust Certificate Services are available to secure and increase confidence in an organization’s website. This is achieved by providing secure sockets layer (SSL) communications between web browsers and web and application servers, thereby enabling the security management of digital certificates, including support for Extended Validation (EV) and Unified Communication (UC) certificates, as well as Code Signing and Adobe Certified Document Service (CDS) certificates to enable trusted software and digitally signed documents.
• Entrust Entelligence Suite, which delivers a portfolio of products that provide organizations with SSL services across multiple enterprise applications. It includes: Entelligence Security Provider (ESP), a desktop protection component; a messaging server (the company’s secure email gateway product); and Group Share, a network folder encryption product. The suite supports strong authentication techniques, including the use of digital signatures and encryption, and provides PKI protection for desktop users to securely authenticate their access rights.
• Entrust Secure Transaction Platform, which supports the secure use of web services transactions. In the web services environment, it provides a range of authentication, authorization, digital signature, and encryption facilities.
• Entrust TruePass is a PKI-based web security product that provides persistent security from the browser through to the web server, and to back-end application servers when authenticating visitors to a web portal. It enables users to digitally sign online transactions, and supports persistent data encryption and digital receipts. Another of its primary roles is to increase confidence in the use of online transactions.
Figure 1: Entrust Architecture (Source: Entrust)
In partnership with SafeNet, Entrust distributes SafeNet iKey 2032 tokens as Entrust USB tokens, which
provide two-factor authentication to desktops, virtual private networks (VPNs), wireless LANs and web
portals for secure remote and network access. They are also designed to work with Entrust’s PKI
product set. The company provides a range of enterprise-level, encryption-based content protection
facilities to protect information assets as they enter and leave the organization, but is not looking to
provide a full DLP offering.
In its latest version, Entrust has enhanced its range of authentication options by providing organizations
(in partnership with SafeNet) with a multi-purpose secure smartcard. This device is capable of
generating and storing all of a user’s personal credentials, including private keys, passwords, and digital
certificates.
SOLUTION ANALYSIS
Authentication
In addition to the use of the various one-time password (OTP) hardware and software tokens that are
available within the Entrust IdentityGuard solution, the range of authentication methods supported is
extensive. They include:
• Grid authentication – plastic or paper cards with unique alphanumeric grids.
• Machine authentication – authentication of each user’s preregistered machine at login or during high-risk transactions.
• Mobile authentication – out-of-band authentication enables software-based one-time passwords to be generated on a user’s mobile device, or sent to the device using SMS, email, PDA, voice, or other supported channels. In addition, Entrust IdentityGuard Mobile provides strong authentication for online financial transactions, providing users with details of their transaction out-of-band and generating an OTP on the mobile device based on the transaction details.
• Digital certificates – leveraging existing X.509 digital certificates issued from Entrust or a third party to authenticate users. Certificates can be stored locally or on secure devices like smart cards and USB tokens. Organizations without an in-house PKI can obtain certificates via the Entrust Managed Services PKI.
• Knowledge-based authentication – an approach that is supported by challenging each user to answer preregistered questions.
• Scratch card authentication – users are supplied with unique OTP lists; each OTP provides one authentication and is then invalid.
• IP geo-location authentication – assesses a user’s identity based on geo-location technology.
• Mutual authentication – allows end users to respond to an image and/or text that is unique to them in order to authenticate the service to the user.
Entrust also supports image and pass-phrase replay, a personalized and responsive approach in which
a user-selected image or phrase is displayed to prove that a site is valid.
Entrust’s use of soft mobile authentication tokens has significantly improved its range of authentication
services, and its out-of-band transaction verification and SMS features are particularly relevant, given
that man-in-the-middle and man-in-the-browser attacks are on the rise. This dynamic approach enables
organizations to use extended and difficult-to-compromise authentication techniques.
Enterprise and web SSO
In web environments, Entrust IdentityGuard sits behind existing SSO/access control applications. It
makes third-party authentication checks, effectively challenging the user and returning a pass or fail
assertion to each access request. For enterprise remote access deployments, the product normally sits
alongside an existing remote authentication dial-in user service (RADIUS) server to provide the same
assertion services.
GetAccess provides role- and rule-based service delivery approaches. When used as an integrated
component of an Entrust identity management strategy, it enables web SSO identity profiles to be used
across an organization’s infrastructure and beyond where conformant third-party federated agreements
exist. This level of protected access is delivered through the integrated use of centralized provisioning,
workflow, auditing, reporting, and self-service delivery facilities.
User provisioning and role management
Entrust GetAccess uses policies to enhance role-based access control (RBAC) and to restrict user
access to portal resources based on context-sensitive granular policy controls. It also provides logging
information, which helps organizations track and control user access and policy execution. At the same
time, Entrust IdentityGuard allows administrators to centrally access user and authentication
management functions through its well-laid-out web administration interface. The interface enables
administrators to create and assign authenticators to users, create policies based on groups and roles
as well as across all users, assign temporary pass codes, configure necessary authentication methods
(as per the needs of the organization), and update user status. All of these functions can also be
performed using a web services application programming interface, which supports easy integration
with user identity management and provisioning systems.
Password management
The ability to manage passwords comes as a standard part of the Entrust IAM product set. The offering
provides an open range of password control facilities that can be tuned to meet an organization’s needs.
The Entrust approach allows decisions on required password controls to be taken based on user
access and information needs. Using the IdentityGuard Self-Service Server, the solution allows users
to self-enroll. It also helps administrators to manage their users effectively. This includes activities such
as self-registration (choosing a mutual authentication image, registering for either a grid or token, or
both) and self-administration tasks (unlocking a challenge response token or changing or recovering a
password). GetAccess’s session management service is also used to create, validate, and remove user
sessions and provide session-tracking facilities.
The Entrust IdentityGuard Server is used to capture user activities, which, in turn, expands the
solution’s reporting capabilities. Its workflow capabilities allow customization to take place so that
organizations can configure interlinked commands as per their process needs. For example, this could
involve configuring a series of commands to ensure that appropriate individuals are notified if a
particular user loses their card or token.
Access management
Authentication requests accepted during enrollment or login are managed by the Entrust identification
service. It forwards each request to the authentication and authorization modules or supporting web
service for validation. The system’s authentication modules contain specific functionality for each
particular type of authentication request and, if a request is successful, a new session is granted
through the Entrust GetAccess session management service.
Entrust GetAccess delivers a range of services that effectively handle all key access management
requirements. These include runtime services for web servers that intercept incoming requests for
resources, and the GetAccess entitlements service makes use of facilities that determine and control
the resources each user is allowed to access.
Other access management facilities supported within the GetAccess product set include login services,
multi-domain services, and registry services. The system’s authentication and authorization modules
are used to support authentication methods, including user ID and password, Lightweight Directory
Access Protocol (LDAP) directories, Vasco tokens, X.509 certificates and smartcards, Microsoft .Net services,
plus Entrust-specific and third-party authentication and authorization modules.
FIM
Entrust GetAccess provides SSO and single log-out across multiple applications that can reside in a
single domain, multiple domains, or in domains that are federated through Security Assertion Markup
Language (SAML) 1.x or 2.0. It supports integration with an organization’s web partners and affiliates
to deliver an improved and seamless end-user experience. Using its SAML capabilities, GetAccess
provides identity federation services as both an identity provider and a service provider. GetAccess is
certified for the US government’s eAuthentication initiative, and completed SAML 2.0 conformance
under the Liberty Alliance in 2006 and again in 2009. Because of the product’s attribute sharing
capability, it is possible to validate authentication across federated or bridged PKI environments.
Entrust believes that the market is just starting to recognize the need for fully-featured federation
services and is keen to extend its portfolio to include specific identity federation capabilities in other
products. To achieve this objective, the company will be extending its SAML support to IdentityGuard
during 2010.
PRODUCT STRATEGY
Entrust has set its target market fairly wide for its IdentityGuard and GetAccess solutions. These
products are generally targeted at medium to large enterprises that are looking to make use of a cost-effective, strong-authentication IAM solution. Additionally, IdentityGuard’s design has also allowed it to
be deployed in SMEs. The one exception to this open-market approach is TransactionGuard, which,
due to the focus of its core fraud detection facilities, is primarily targeted at financial institutions.
Entrust makes great play of its products’ return on investment (ROI) capabilities. For example, Entrust
IdentityGuard’s ROI, compared with other traditional two-factor authentication solutions, is positioned
as a low-cost option, focusing mainly on the use of non-infrastructure-based authentication methods
that are less expensive to acquire, deploy, and manage. The supporting and very credible argument in
favor of this approach is that IdentityGuard gives customers an open choice. Entrust does not mandate
strong or weak authentication; customer organizations can make their own choices based upon
strength, usability, regulatory compliance and risk profile requirements. Other measurable savings
include reduced helpdesk overheads, due to the availability of self-service facilities that result in lower
levels of password reset requests.
Entrust operates a multi-channel go-to-market strategy that includes direct sales in North America and
sales via strategic partners in Europe and Asia. It also makes use of value-added reseller channels.
IMPLEMENTATION
Entrust positions its implementation approach as low-risk, with minimal impact on the existing
operational systems. In the main, this is due to there being no need to modify a customer’s applications.
Entrust deployments typically involve product installation, configuration, fraud rule tuning, live
deployment and associated operational training. Entrust claims that its IdentityGuard, GetAccess and
TransactionGuard solutions are straightforward to deploy; in particular, it claims that there is no firm
need to use specialist resources to implement the company’s solutions.
For example, Entrust IdentityGuard is positioned as straightforward to install and, in operational use,
leverages and integrates with existing user repositories, such as Active Directory (AD), other LDAP directories, or database structures.
Web application integration is accomplished using simple Java calls or direct Simple Object Access
Protocol (SOAP) calls. For front-end integration requirements, such as working with remote access VPN
systems, change requirements are limited to configuration changes within associated RADIUS servers.
However, Entrust also makes available the facilities of its own professional services expertise.
For any IAM vendor, putting an accurate figure on average implementation timescales is difficult, as no
two identity management projects are the same, and customer requirements range from simple to
complex. However, across the board, Entrust products provide good platform support for a decent
range of mainstream servers, web servers and databases. Entrust can provide appropriate training for
all of its products, and detailed documentation is available to back up its efforts. The company provides
24/7 first- and second-line telephone support for its complete product portfolio, and makes available
customer extranet facilities.
Entrust is privately owned following the July 2009 decision of its stockholders to approve its merger
agreement with Thoma Bravo. As a result of the increased financial backing that the new relationship
provides, the company’s future points toward growth through appropriate mergers and acquisitions,
which will also help Entrust to remain a focused identity-based security company. Thoma Bravo is a
leading private equity investment firm that has been providing equity and strategic support to
experienced management teams and building growing companies for more than 28 years.
DEPLOYMENT EXAMPLES
Bank of New Zealand
Bank of New Zealand selected Entrust’s IdentityGuard product based on its ease of use and the ability of
the company to brand the grid card that it needed to use, and because of the significantly lower cost per
user that it was able to achieve. Deploying Entrust IdentityGuard enabled Bank of New Zealand to offer
strong authentication to all new consumer banking customers, rather than just a subset of users. During
the first phase of the project, approximately 25,000 users were deployed within two weeks of the launch. In
less than nine months, the bank issued over 130,000 grid cards, which represented close to half of its
current online population. As a next step in the bank’s campaign against online fraud, it implemented
additional Entrust IdentityGuard capabilities, including device, knowledge-based and mutual authentication.
Banco Santander
NeoSecure SA is the first Latin-America-based Entrust partner to implement and deploy Entrust
IdentityGuard. Based in Chile, NeoSecure was responsible for developing a robust authentication solution
for Banco Santander, based on Entrust’s IdentityGuard technology. This solution has significantly increased
the level of security for the bank’s clients, protecting online users against data breaches and identity fraud
while conducting Internet banking transactions. Use of the IdentityGuard solution is evolving and is now also
being used to support authentication for the organization’s telephone banking operation. These innovative
facilities are being offered by the bank free of charge to their customers.
Xerox
Xerox operates in 160 countries with 53,700 employees worldwide. The company’s previous online
authentication solution made use of expensive, battery-powered tokens for roughly 20,000 members of
its workforce. Its target was to protect four times that number of employees, contractors and business
partners (approximately 80,000 users) with a more seamless and cost-effective solution. The
organization realized that the implementation of strong, two-factor authentication was necessary to
protect its business and users from today’s online threats. It chose the Entrust IdentityGuard grid card
authentication solution because this simple-to-use and cost-effective solution provided a flexible and
low-cost answer that allowed Xerox to meet its extended user protection and cost-saving goals.
DnB NOR
DnB NOR is the largest financial institution in Norway. It is responsible for the protection of more than 1.7
million online consumers and private and corporate banking customers. The organization wished to
implement a seamless fraud detection strategy that would not require invasive integration with its existing
back-end applications. To achieve these objectives, DnB NOR is using Entrust to provide real-time fraud
detection and historical analysis facilities. Its fraud protection tools, coupled with critical data from
the Entrust Open Fraud Intelligence Network, are used to help protect against online transaction fraud.
The real-time protection facilities provided by Entrust also enable DnB NOR to collect data that helps the
organization to identify current and potential future fraud threats before they materialize.
US Bank
US Bank, a top-five commercial bank in the US, was initially looking to address fraud threats within its
online retail banking application. It implemented Entrust's TransactionGuard real-time fraud detection
solution to provide visibility into all web interactions with customers. The solution allows the client to
monitor user transactions for fraudulent behavior and perform forensic analysis to determine what
happened in cases of fraud. TransactionGuard also enables the bank to define new fraud rule patterns
for automated detection. The organization quickly expanded its use of the Entrust solution to protect 28
retail and business banking applications without affecting its existing banking applications, and is further
extending its use of the solution to include strong authentication via Entrust IdentityGuard, which will be
triggered by risk levels determined by TransactionGuard.
Entrust worldwide headquarters
One Lincoln Center
5400 LBJ Freeway
Suite 1340
Dallas, Texas 75240
USA
Tel: +1 (972) 728 0447
Fax: +1 (972) 728 0440

EMEA headquarters
Unit 4 Napier Court
First Floor, Napier Road
Reading, Berkshire
RG1 8BW
UK
Tel: +44 (0)118 9533000
Fax: +44 (0)118 9533001

www.entrust.com
EVIDIAN:
Evidian IAM Suite (version 8)
CATALYST
• The Evidian IAM Suite consists of a broad range of integrated and modular identity and access
management (IAM) components that enable organizations to employ a controlled and coherent
approach to the management of user identity and access control policies in support of their enterprise
operations.
• Evidian IAM is used across all business sectors. Particular focus is currently being placed on
government and healthcare in the public sector, and on specialist trading elements of financial
services operations.
• Systems access demands extend beyond corporate boundaries, and information needs to be
shared with business partners. This is a cross-industry solution that provides a pragmatic approach
to federation.
• Its key components are: role management, which defines and applies security policies; identity
management, which controls digital identities; and access management, which secures access to
systems and data.
• The primary market for the Evidian IAM Suite is medium- to large-enterprise organizations that are
looking for an integrated IAM approach that functions across distributed heterogeneous
infrastructures.
KEY FINDINGS
OVUM VIEW
Evidian IAM Suite (version 8) is a fully featured IAM offering. Its core components cover the key user
and systems control areas of role management, identity management, and access management. Within
the solution, Evidian adopts a workflow-driven, policy-based approach to delivering its identity-centric
access control facilities, and it retains every element of user and usage control as the requirement
extends to managing federated relationships with business partners.
TECHNOLOGY AUDIT
Strengths:
A mature product that supports key areas of access, identity, and role
management.
Unifies and maintains control over user access rights, irrespective of location,
while retaining the required levels of control on behalf of the business.
Weaknesses:
Market penetration away from EMEA, particularly into North America, remains
elusive.
Key Facts:
Operational platforms supported include Windows, Linux, Solaris, and IBM
Advanced Interactive Executive (AIX). HP/UX and z/OS are supported as
provisioning connectors.
The strength of the solution comes from its ability to unify and maintain centralized control over user
access rights, while building automated delivery processes that support ease-of-access for all users, and
retaining the required levels of control on behalf of the business. Central management is supported by the
product’s ability to operate across distributed environments and efficiently deliver local services at source.
To date, many IAM projects have struggled to achieve their aims due to overly complex objectives and
unrealistic goals. Whenever practical, Evidian uses a simple start-up approach that focuses on key
business requirements such as SSO services for the most important user groups, and then switches to
a phased approach that can be extended to deliver enterprise and wider benefits.
Recommendations
• Organizations that can gain business advantages from an enterprise or even a global enforcement
policy towards the management of users and their systems' access rights should consider the
Evidian IAM Suite. It is recommended particularly for those that operate distributed operations or
support the access needs of remote and mobile workers.
• To date, Evidian has not provided a solution that addresses the small business market, and this
remains an area where it has little or no presence. However, things are likely to change over the next
two years. The company is preparing a packaged SME approach (for organizations with 500–5,000
users) that will start with the release of its Ready-To-Go SSO edition of access management.
• Evidian provides an inclusive set of IAM facilities that have the control and flexibility to address the
needs of a wide range of business organizations. This makes the Evidian IAM Suite the type of user
and business protection product that organizations ought to deploy and retain.
SOLUTION OVERVIEW
Evidian IAM Suite is both an integrated and modular IAM solution. The suite has three core
components: role management, identity management, and access management.
Role management
Role management defines, applies, and manages security policies within the IAM environment. Its
services are aligned with the need for strong business-focused protection processes. Role management
services are delivered using the Evidian Policy Manager and Evidian Approval Workflow products.
Evidian Policy Manager provides a single-console control approach to web and enterprise usage. It
defines and enforces organizational security policies. Policy Manager delivers its services using the
Evidian reconciliation engine to detect and report on differences between an organization’s identity and
access policies and the actual state and access usage of its systems. The product controls the
organization’s IT security policy as it relates to system users, their roles, and their access rights. Using
Evidian Policy Manager, an employee’s usage rights depend on their role within the organization;
therefore, their access permissions relate directly to real-world business roles.
Evidian Approval Workflow automates decision-making chains, from access rights approval to account
creation. It puts in place an organized responsibility chain to deal with the lifecycle management of
identity. Workflow processes are defined through a graphical interface using a web forms feature, and
are equipped with escalation and delegation facilities triggered by predefined control parameters.
Identity management
Evidian identity management addresses the creation and maintenance needs of users and their digital
identities. Its services are supported by Evidian’s User Provisioning and ID Synchronization products.
Evidian User Provisioning
Evidian User Provisioning enables administrators to automatically provision user accounts and their
information across distributed and heterogeneous environments. Once usage policies have been
defined, User Provisioning ensures that they are enforced. The product’s automated reconciliation
engine checks policies against what is happening in the live environment and, where necessary, allows
corrective actions to be taken. Integration with the suite’s SSO facilities assists with the identification of
inactive or orphan accounts, and approval workflow is used to automate decision-making chains.
Evidian ID Synchronization
Evidian ID Synchronization creates a sustainable identity repository to store all identity-related data. It
synchronizes and consolidates identity data and uses it to build an organization’s LDAP directories. The
approach is particularly valuable to operations that work across distributed environments with multiple
heterogeneous identity sources, and can also be used to create directories from scratch.
Figure 1: Evidian Identity and Role Management Architecture (Source: Evidian). [Diagram: Policy Manager,
Approval Workflow and User Provisioning acting on the identity repository and target applications; requests
flow from the end user and administrator through the provisioning and reconciliation processes.]
Access management
Evidian access management secures access to systems and applications by controlling how users
make their connections. It delivers strong authentication, password management and access auditing
services. The Evidian products involved are Evidian Enterprise SSO, Evidian Web Access Manager,
Evidian SOA Access Manager, Evidian Access Collector and Evidian Data Privacy.
Evidian Enterprise SSO
Evidian Enterprise SSO is a fully featured and scalable SSO product. Its services operate in conjunction
with complementary security products such as multi-factor authentication tokens, smartcards, USB
keys, biometrics, and certificate-based digital signatures. Self-service enrollment facilities are included.
They are delivered through a browser-based interface that enables authorized users to self-enroll,
amend passwords, and reset existing credentials.
Evidian Web Access Manager
Evidian Web Access Manager is a central access control facility for web applications. It supports the
use of password, RADIUS, token, certificate, smartcard and biometric authentication. The product
enables secure interoperability across federated user communities through its support for SAML-based
identity credentials.
Evidian SOA Access Manager
Evidian SOA Access Manager delivers authentication and authorization services for multi-domain
applications operating in SOA environments. It supports the access needs of users from other domains
of the enterprise and known users from outside of the corporate perimeter, such as external customers
or business partners.
Evidian Access Collector
Evidian Access Collector brings together existing access policies and user accounts. It records and
stores them in an LDAP directory, and uses the data to build a complete operational picture of which
users have access to each of the organization’s systems and which accounts are actively being used
to provide that access.
Evidian Data Privacy
Evidian Data Privacy deals with access protection at file level. It is made up of two separately licensable
components: Evidian Laptop Protection (for the protection of files on a PC) and Evidian File Encryption
(for the protection of files exchanged between groups of users over a network).
Figure 2: Evidian Access Management Architecture (Source: Evidian). [Diagram: Security Middleware at the
centre, with E-SSO, Audit, WAM, Mobile E-SSO and Strong Authentication components; clients authenticate
and retrieve policies from the middleware, perform SSO, and access WG data through Secure Access.]
SOLUTION ANALYSIS
Authentication
Organizations need to be concerned about the strength and quality of the authentication components
that their IAM suppliers are able to support. Evidian controls how users are allowed to access their
computer systems and data through the use of strong authentication techniques, password
management, and authenticated usage monitoring. It uses authentication methods that are most
appropriate to organizations and their users. This can range from simple passwords, which remain
useful in the right environments, through to OTP tokens, smartcards, and biometrics on corporate PCs
with remote access connectivity and SSO requirements.
Enterprise and web SSO
Clean access and usability are key issues for all system users. Once a user’s credentials have been
accepted and access is allowed, it is important to be able to move between applications without
hindrance, while retaining the right levels of security and access control. Evidian Enterprise SSO
provides mature and scalable SSO facilities with a proven track record. It combines ease-of-use with
the organization’s need to comply with regulatory demands and security policies. Evidian Web Access
Manager delivers the solution’s web SSO capabilities.
Provisioning and role management
Some of the most neglected areas of IAM include elements of provisioning and role management. Poor
management and lax maintenance have led to situations in which organizations have lost control over
their users. Evidian’s user provisioning and role management facilities address these issues by
controlling and automating the delivery of access rights and associated services. Its approach helps
with compliance, as access procedures are formalized and enforced from a single manageable source.
Auditors can also check that the deployed services are effective and appropriate. For the business, the
requirement involves ensuring that users are provisioned with the access facilities they need to fulfill
their operational roles, while restricting access to sensitive data. Evidian ensures that each employee’s
provisioned rights are controlled by their role within the organization, place of work and responsibilities,
so their access matches real-world roles. It also addresses the need for automated de-provisioning
services that match the organization’s access policies.
Password management
Although often talked about as the weakest link of IAM, password management remains a cornerstone
activity. The term covers anything from simple-to-discover fixed passwords through to well-structured,
frequently updated password management infrastructures, which can be fully integrated with other core
IAM components including SSO, role management and associated helpdesk services. Within Evidian
IAM, password management is supported by a relevant and responsive set of facilities that includes
strong password-based authentication techniques. Taking into account the need for good working
practices and to comply with an organization’s security policies, Evidian’s approach to password
management also recognizes the ease-of-access demands of the whole user community. Its business
continuity approach supports always-online user access demands, and even allows users who forget
their authentication tokens to be given temporary and controlled password access.
Access control
Access control manages which systems authorized users can get access to, when that access is
allowed, and what they can do once they are there. For many organizations, one of the most complex tasks
is maintaining the right levels of control over their system users. This is an ongoing activity that has to
be properly enforced from the beginning if it is to be effective. Evidian recognizes that a common issue
in IAM projects is the need to efficiently collect existing access policies and user accounts. It speeds up
the collection phase using a combination of its access management and enterprise SSO products. User
access is continuously analyzed and, over an appropriate time frame, Access Collector builds a
complete view of who has access to what systems and which accounts are being used. This information
forms the basis of role-based management. The product's reconciliation engine is then available to
maintain control over any differences between the policies in place and live usage.
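The reconciliation engine described in the Role management, Identity management and Access control sections above compares the access a user should have (derived from their roles in the identity repository) with what the target systems actually report, and turns the differences into corrective actions. The following Python is an added illustration of that comparison, not Evidian's code: the roles, target systems, user names and the collected state are constructed sample data, and the orphan / excess / missing classification is this example's own.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (target system, group or profile on that system)

# --- constructed sample data (hypothetical names, not from any real deployment) ---
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "teller":   {("core-banking", "teller-ui"), ("ad", "Domain Users")},
    "auditor":  {("core-banking", "read-only"), ("ad", "Domain Users")},
    "hr-admin": {("hris", "payroll-admin"),     ("ad", "Domain Users")},
}

# The identity repository: who exists, which business roles they hold, and
# whether they are still active (in a real suite this is fed from HR).
IDENTITY_REPOSITORY = {
    "alice": {"roles": {"teller"},   "active": True},
    "bob":   {"roles": {"auditor"},  "active": True},
    "carol": {"roles": {"hr-admin"}, "active": False},  # leaver, should be de-provisioned
}

# What the target systems actually report, as collected from each of them.
COLLECTED_STATE: Dict[Entitlement, Set[str]] = {
    ("core-banking", "teller-ui"): {"alice", "bob"},                  # bob: excess right
    ("core-banking", "read-only"): set(),                              # bob: missing right
    ("ad", "Domain Users"):        {"alice", "bob", "carol", "svc-legacy"},
    ("hris", "payroll-admin"):     {"carol"},                          # leaver still provisioned
}


def expected_entitlements(repo, role_map) -> Dict[str, Set[Entitlement]]:
    """Policy side: derive each ACTIVE user's entitlements from their roles."""
    expected = {}
    for user, rec in repo.items():
        if not rec["active"]:
            continue  # a leaver is entitled to nothing
        ents: Set[Entitlement] = set()
        for role in rec["roles"]:
            ents |= role_map[role]
        expected[user] = ents
    return expected


def actual_entitlements(collected) -> Dict[str, Set[Entitlement]]:
    """Reality side: invert per-group membership into per-user entitlement sets."""
    actual = defaultdict(set)
    for ent, members in collected.items():
        for user in members:
            actual[user].add(ent)
    return actual


def reconcile(repo, role_map, collected) -> List[Tuple[str, str, Entitlement]]:
    """Return (finding, user, entitlement) triples.

    orphan  : entitlement held by an account the repository does not know or lists as inactive
    excess  : active user holds an entitlement that none of their roles grants
    missing : active user lacks an entitlement that their roles require
    """
    expected = expected_entitlements(repo, role_map)
    actual = actual_entitlements(collected)
    findings = []
    for user in sorted(set(expected) | set(actual)):
        have = actual.get(user, set())
        want = expected.get(user, set())
        if user not in expected:  # unknown to the repository, or inactive
            findings += [("orphan", user, e) for e in sorted(have)]
            continue
        findings += [("excess", user, e) for e in sorted(have - want)]
        findings += [("missing", user, e) for e in sorted(want - have)]
    return findings


def corrective_actions(findings):
    """Turn findings into provisioning operations, to be routed through approval workflow."""
    verb = {"orphan": "revoke", "excess": "revoke", "missing": "grant"}
    return [(verb[kind], user, system, group) for kind, user, (system, group) in findings]


if __name__ == "__main__":
    found = reconcile(IDENTITY_REPOSITORY, ROLE_ENTITLEMENTS, COLLECTED_STATE)
    for action in corrective_actions(found):
        print(action)
```

In the sample data the leaver carol is inactive in the repository, so every entitlement she still holds is reported as orphaned, as is the svc-legacy account that the repository does not know at all; whether such revocations are applied automatically or routed through the approval workflow is a policy decision, which is why the example separates findings from actions.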
FIM
As business requirements extend beyond corporate boundaries, the requirement to share information
and maintain control over who has access to that information brings with it the need for FIM. Supply
chain demands for instant information access and business partner and internal inter-departmental
requirements to collaborate on projects all require the sharing of information. Evidian provides facilities
that support interoperability across federated communities. It offers SAML-based identity credentials
and makes use of the product’s access management functionality to support the approach. Evidian also
takes a very pragmatic stance on FIM. It believes there is no need for complex inter-company
integration, and that internal and external projects that require federated collaboration should be
controlled through local arrangements.
PRODUCT STRATEGY
Evidian provides a horizontal IAM offering that is applicable to most markets. The company has an
established presence across many industries, and is particularly strong in EMEA. However, in areas
such as North America, its products are less known. At present, Evidian is focusing its attention on two
areas in particular: government organizations, addressing public sector requirements in general and
healthcare in particular; and working with financial institutions, focusing on the provision of value-added
services, such as authentication management, that meet the needs of trading rooms or remote branch
operations.
In addition to Evidian’s continuing efforts to sustain and grow its core markets (organizations with 5,000-
100,000 users), the company is developing packaged IAM products for the SME community (500-5,000
users). The first offering was launched as a Ready-To-Go SSO edition of access management, and
further packages are expected during 2010 and 2011. Market-focused versions are also being
introduced. An example of this is its IAM suite for healthcare, which will include workflows and
provisioning connectors specific to the healthcare environment. Further industry releases are planned
for retail stores, regional communities, and SMEs.
The company has also seen an increase in demand for global reinforcement and management of user
access controls in the extended enterprise, and recognizes that to achieve these objectives, it needs
fully featured access management facilities. Therefore, it is providing secure web and enterprise SSO
facilities for users of core applications, regardless of their origins, which could include access requests
from diverse sources such as corporate PCs, cyber cafes and personal devices.
ROI is realized through enhanced security, automation, and productivity improvements, which are
enabled through the use of the Evidian IAM suite. A primary ROI driver is helpdesk call rate reduction,
as most helpdesk overheads involve requests for password resets. Evidian provides self-service reset
facilities, substantially reducing the need for helpdesk intervention.
The route to market for Evidian in EMEA is mainly direct or through its parent organization, Bull, for
sales into the public sector or opportunities in Eastern Europe and Africa. The company also makes use
of other partner channels. In North America, it has an OEM agreement with Quest Software, while in
Asia its main OEM partner is NEC Computers. In addition, Microsoft frequently recommends the Evidian
Enterprise Single Sign-On (ESSO) solution in EMEA. Other technology partners include Oracle,
Microsoft, Gemalto, RSA, HID, Precise Biometrics, Upek, AuthenTec, and BIO-key.
Evidian’s product release strategy involves one major release and one minor release per year. Its
licensing is perpetual on a per-user basis. Contract values depend on the number of users as well as
the number of modules within the IAM stack that are being licensed. Typical entry-level projects for a
small SSO project cost about €40,000, with a 70/30 split between software and services. Average-sized
projects, including full access management and dedicated customer deployment, cost around
€400,000, with the same 70/30 split between software and services. The largest projects that deliver
full IAM deployments and have a 50/50 cost split come in at around €1m.
Evidian is a Bull Group company and was established as a corporate subsidiary in July 2000. Bull is an
international group that specializes in designing secure IT infrastructure.
IMPLEMENTATION
IAM implementations tend to be highly technical resource-hungry operations. Timescales vary
depending on project complexity and overall requirements. Evidian took these issues on board and
came up with an approach that allows simple SSO deployments to be completed in days, rather than
weeks. Taking in the bigger picture, access management deployments can be completed in about 10 days
for a pilot project, 20 days for a 30-user departmental deployment, and around 30 days for a 500-user
enterprise deployment. Typical skills required will include knowledge of directories and applications. For
full IAM projects, the average timescales increase to 20 days for a pilot project, 40 days for a 30-user
departmental deployment and 50 days for a 500-user enterprise deployment. For full IAM deployments,
the required skills are more extensive, covering directory and database skills (provisioning connectors)
and web page design (workflows).
Evidian’s total customer base includes more than 600 organizations, with over 450 using its IAM product
set (77 of which were new additions during 2009). To support all implementation requirements, Evidian
provides:
• A range of professional services that cover architecture and deployment approaches.
• IAM integration expertise in the key areas of strong authentication techniques, including the
integration and validation of non-standard smartcards and specifications for setting up biometric and
radio-frequency identification (RFID) operations.
• Installation skills that cover high-availability set-up and clustering operations, and verification with
selected directory infrastructures.
• Testing and performance-setting skills.
• Development and integration of customer-specific or third party components and procedures,
including the use of custom migration tools.
A range of on- and off-site training courses are available to cover simple access management training,
as well as training for global IAM projects.
Technical support for the solution is available on three levels. Standard support provides callback within
a four-hour time frame and is charged at 19% of the contract price. Extended support provides callback
within a two-hour time frame and is charged at 28%. Personalized support is designed to fit each
customer organization’s specific needs (charge rates are governed by the specified requirement). Each
offering covers product usage issues, the identification of problems and available solutions, answers to
new problems, supported release issues, and new fixes. Round-the-clock access to the company’s
support website is also available.
Platforms supported include Microsoft Windows, Red Hat Linux, Suse Linux, Sun Solaris (versions 8,
9, and 10), and IBM AIX (versions 5 and 6).
DEPLOYMENT EXAMPLES
A leading energy company with over 110,000 employees and operations in more than 130 countries
selected Evidian Enterprise SSO and Evidian Web Access Manager to simplify and secure its password
management systems and improve access to applications using secure smartcard authentication. The
aim of the project is to improve usability and security through the rigorous engagement of user
identification and strong access controls that link to validated user profiles, audits, and alarms. A further
target is to reduce support costs associated with the management of passwords. Successes achieved
include 24/7 access to IT systems, scalability across international branches from an enterprise-wide
deployment to 70,000 PCs, and improved security that protects access and audit information.
A leading banking services provider with over 3,000 branches and more than 9.5 million individual
customers chose Evidian to provide its Enterprise SSO, Windows and multifactor authentication
services, self-service password reset facilities, kiosk, mobile ESSO, and group reporting services for all
its corporate, retail, and international banking activities. A further innovative “cluster mode” project is
currently in its pilot phase in the company’s trading rooms.
A leading provider of technology solutions to the travel industry selected Evidian’s identity
management, user provisioning and access management products to manage and protect its Intranet
and Extranet applications. It also implemented Evidian Enterprise SSO and Evidian Web Access
Manager. The product set is used by over 8,500 staff across several countries, with Evidian SSO
providing transparent SSO access to all applications. The range of operational systems supported
includes Windows, Web, Unix, Lotus Notes, and IBM mainframes via 5250 and 3270 emulation.
Bull Evidian
Rue Jean Jaures
BP 68
78340 Les Clayes-sous-Bois
France
Tel: +33 (0)1 30 80 70 00
Fax: +33 (0)1 30 80 73 73
E-mail: info@evidian.com
www.evidian.com

Bull Evidian
Concorde House
Trinity Park
Solihull, Birmingham
B37 7UQ, UK
Tel: +44 (0)870 2400040
Fax: +44 (0)121 6355691
www.evidian.co.uk
HITACHI:
Hitachi-ID Portfolio
CATALYST
Identity and access management solutions enable user access rights to corporate systems to be
managed efficiently and securely. Hitachi’s ID portfolio has some important differentiating features:
• Hitachi has adopted a practical approach to role and group management that allows these functions
to be used only where they are helpful. It regularly reviews access rights to remove obsolete
entitlements.
• Password synchronization enables access to most applications and delivers the productivity benefits
of an SSO product without the complexity of maintaining tables of passwords for each user.
• Reduces the helpdesk and administrative burden through a good range of self-service features,
including interactive voice response.
KEY FINDINGS
OVUM VIEW
The IAM function faces a number of challenges. Most large enterprises have deployed many packaged
and homegrown applications that have their own access management components (with their own role
definition and entitlements), and possibly an overarching provisioning system.
Traditionally, access permissions are managed in a corporate LDAP directory, such as AD. Systems of
Group Policy Objects have become very complex. Most access requests are managed using an ad hoc
system of emails to supervisors and administrators. In the absence of an easily understandable record
of entitlements, an out-of-date and insecure entitlements situation is almost inevitable. Together with the
proliferation of passwords that users have to remember for the applications they use, this leads to the
service desk team being inundated with access requests and password reset requests. Over and
beyond these familiar access management and governance challenges are areas where legacy
technology has been inadequate. One such area is controlling access by users with administrator
privileges. To summarize, the typical IT organization has many IAM challenges to address, and the
problem cannot be ignored because of numerous regulations.
TECHNOLOGY AUDIT
Strengths:
The password synchronization approach gives a simple and secure access
management mechanism.
Integrates with a broad spectrum of target applications, platforms and service
desk tools.
Automates the access certification and request management process.
Weaknesses:
Risk-based reporting of existing access rights would have been useful.
Greater focus on defining user groups would be welcome.
Key Facts:
Provides phone- and kiosk-based self-service password reset options for lock-
out situations.
Predictably, the vendor community has come up with a number of approaches to address these
problems. One of the approaches is SSO, which enables users to access a number of applications
using one set of credentials. Users authenticate to the SSO module, which stores the credentials for all
target applications, and the SSO module authenticates the user to the target applications. A more
recent, and complementary, approach is seen in identity governance solutions that model roles and
assign access rights to these roles for accessing applications (linking the business object “role” with
target application-specific definitions). In addition, they provide workflows that automate access
requests and access certification processes, provide the infrastructure for analyzing the existing access
rights situation, and give risk-based reporting for compliance purposes.
While these approaches go a long way toward addressing access management issues, the technologies
also bring a new set of problems. For example, the role management capabilities within the identity
governance solutions, while very useful, require large upfront investments in time and effort. Every IAM
solution operates using a mix of top-down (role definition based) and bottom-up (access request driven)
mechanisms. Some of the current approaches to rationalizing the access management environment go
further toward top-down strategy than most client organizations find convenient. SSO also requires
considerable initial investment to integrate the platforms and applications that it is required to control.
The Hitachi-ID portfolio offers solutions that are appropriate for most large enterprises. Its password
synchronization technology, together with its ability to integrate with most common enterprise
applications (which enables rapid deployment), enables the user to access most applications with a
single password. In addition, access rights are largely granted through user requests for access and
periodic access reviews. Even the task of building an accurate representation of how the organization
is structured has been shifted, intelligently, to business managers. Hitachi-ID supports a hierarchical
reporting model that can be imported from some human resources tools, and allows other “dotted”
reporting lines to be recorded. Supervisors regularly review their list of subordinates. The main
drawback with this model is that it does not recognize the situation in which employees report to
different managers when performing different roles.
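The password synchronization approach described above (in the Catalyst and at the start of this section) avoids holding a table of per-application credentials, but it only works if the single password the user chooses is acceptable to every target system, so the synchronizing component has to validate a new password against the strictest combination of the targets' rules before it pushes it anywhere. The following Python is an added illustration of that composite-policy check and the push to targets; it is not Hitachi-ID's code, the three target policies are constructed sample values, and the `backend` callable stands in for the per-target connectors a real product would use.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Subset of one target system's password rules (hypothetical values)."""
    min_length: int
    max_length: Optional[int]   # None means no upper bound
    min_classes: int            # of: lower, upper, digit, symbol
    forbid_username: bool
    allowed_symbols: str        # the symbols this target accepts at all


# Constructed per-target policies, deliberately chosen to disagree with one another.
TARGET_POLICIES: Dict[str, PasswordPolicy] = {
    "ad":           PasswordPolicy(8,  None, 3, True,  "!@#$%^&*()_+-=[]{};:,.?/"),
    "core-banking": PasswordPolicy(10, 14,   2, False, "!@#$%"),   # legacy: short maximum, few symbols
    "hris":         PasswordPolicy(12, None, 3, True,  "!@#$%^&*"),
}


def composite_policy(policies: Dict[str, PasswordPolicy]) -> PasswordPolicy:
    """Strictest combination: a password that satisfies it is accepted by every target."""
    maxes = [p.max_length for p in policies.values() if p.max_length is not None]
    symbols = None
    for p in policies.values():
        symbols = set(p.allowed_symbols) if symbols is None else symbols & set(p.allowed_symbols)
    return PasswordPolicy(
        min_length=max(p.min_length for p in policies.values()),
        max_length=min(maxes) if maxes else None,
        min_classes=max(p.min_classes for p in policies.values()),
        forbid_username=any(p.forbid_username for p in policies.values()),
        allowed_symbols="".join(sorted(symbols or "")),
    )


def violations(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Reasons the candidate would be rejected somewhere; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    bad = {c for c in password if not c.isalnum() and c not in policy.allowed_symbols}
    if bad:
        problems.append("symbol not accepted everywhere: " + "".join(sorted(bad)))
    if policy.forbid_username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def synchronize(username: str, new_password: str, targets, backend) -> Dict[str, str]:
    """Validate once against the composite policy, then push the password to every target.

    `backend` is a hypothetical callable (target, user, password) that raises on failure.
    Targets are attempted independently so that one failed connector is reported rather
    than silently leaving the user with a mix of old and new passwords.
    """
    problems = violations(new_password, username, composite_policy(targets))
    if problems:
        raise ValueError("rejected before propagation: " + "; ".join(problems))
    outcome = {}
    for target in targets:
        try:
            backend(target, username, new_password)
            outcome[target] = "ok"
        except Exception as exc:  # noqa: BLE001 - keep going and report the partial sync
            outcome[target] = f"failed: {exc}"
    return outcome
```

The value of computing the composite policy up front is that the user is told why a candidate is unacceptable before anything is changed; pushing first and discovering that the legacy system rejects the password would leave the accounts out of step, which is the state password synchronization exists to prevent.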
Hitachi also has a realistic view of how the concept of a “role” can be used to define access rights. It
allows roles to be used where several users have similar requirements, but it does not force
administrators to define roles for users who have unique requirements. Some other tools force
administrators into situations where they have to define more roles than they have users. Hitachi,
however, allows a more ad-hoc approach that reduces the effort required to get the identity
management system operative. It also provides an RBAC enforcement engine that identifies
discrepancies between user permissions and their roles (where appropriate).
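The RBAC engine described above compares what an account actually holds against what its roles predict, while the Identity Manager module enforces segregation-of-duties rules. The following Python is an added illustration of that reconciliation (not Hitachi-ID code); the roles, users, entitlement names and SoD rules are constructed for the example, and users without any role are checked for SoD only, matching the ad hoc model the text describes.

```python
"""Role/entitlement reconciliation in the style of an RBAC enforcement engine.

Inputs: role definitions, the roles assigned to each user, the entitlements
actually observed on target systems, and segregation-of-duties (SoD) rules.
Output per user: entitlements a role grants but the account lacks, entitlements
no assigned role explains, and SoD conflicts.  Users with no role are checked
for SoD only, mirroring a model that does not force a role on every unique
user.  All identifiers and data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Entitlement = str                      # e.g. "SAP:AP_INVOICE_ENTRY"
RoleMap = Dict[str, Set[Entitlement]]  # role name -> entitlements it grants


@dataclass
class UserReport:
    user: str
    missing: Set[Entitlement] = field(default_factory=set)  # role grants it, account lacks it
    excess: Set[Entitlement] = field(default_factory=set)   # account has it, no role explains it
    sod_conflicts: List[Tuple[Entitlement, ...]] = field(default_factory=list)

    def clean(self) -> bool:
        return not (self.missing or self.excess or self.sod_conflicts)


def expected_entitlements(roles: RoleMap, assigned: List[str]) -> Set[Entitlement]:
    """Union of everything the user's assigned roles grant."""
    expected: Set[Entitlement] = set()
    for role in assigned:
        expected |= roles[role]
    return expected


def sod_violations(held: Set[Entitlement],
                   rules: List[FrozenSet[Entitlement]]) -> List[Tuple[Entitlement, ...]]:
    """Each rule is a set of entitlements that must never be held together."""
    return [tuple(sorted(rule)) for rule in rules if rule <= held]


def reconcile(roles: RoleMap, user_roles: Dict[str, List[str]],
              observed: Dict[str, Set[Entitlement]],
              sod_rules: List[FrozenSet[Entitlement]]) -> Dict[str, UserReport]:
    """Compare what each account actually holds with what its roles predict."""
    reports: Dict[str, UserReport] = {}
    for user, held in observed.items():
        report = UserReport(user)
        assigned = user_roles.get(user, [])
        if assigned:                     # only role-holders are measured against roles
            expected = expected_entitlements(roles, assigned)
            report.missing = expected - held
            report.excess = held - expected
        report.sod_conflicts = sod_violations(held, sod_rules)
        reports[user] = report
    return reports


# Constructed sample data (not from any real deployment).
ROLES: RoleMap = {
    "AP_CLERK": {"SAP:AP_INVOICE_ENTRY", "AD:FileShare_Finance_R"},
    "AP_APPROVER": {"SAP:AP_INVOICE_APPROVE", "SAP:AP_PAYMENT_RUN", "AD:FileShare_Finance_R"},
    "HELPDESK": {"AD:Reset_Password", "AD:Unlock_Account"},
}
USER_ROLES = {"alice": ["AP_CLERK"], "bob": ["AP_APPROVER"], "carol": ["HELPDESK"]}  # dave: no role
OBSERVED = {
    "alice": {"SAP:AP_INVOICE_ENTRY", "AD:FileShare_Finance_R", "SAP:AP_INVOICE_APPROVE"},
    "bob": {"SAP:AP_INVOICE_APPROVE", "SAP:AP_PAYMENT_RUN"},
    "carol": {"AD:Reset_Password", "AD:Unlock_Account"},
    "dave": {"SAP:AP_INVOICE_ENTRY", "SAP:AP_PAYMENT_RUN", "RACF:CICSADM"},
}
SOD_RULES = [
    frozenset({"SAP:AP_INVOICE_ENTRY", "SAP:AP_INVOICE_APPROVE"}),  # enter and approve own invoice
    frozenset({"SAP:AP_INVOICE_ENTRY", "SAP:AP_PAYMENT_RUN"}),      # enter invoice and run payment
]

if __name__ == "__main__":
    for name, rep in reconcile(ROLES, USER_ROLES, OBSERVED, SOD_RULES).items():
        if rep.clean():
            print(f"{name}: clean")
        else:
            print(f"{name}: missing={sorted(rep.missing)} excess={sorted(rep.excess)} "
                  f"sod={rep.sod_conflicts}")
```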
Ovum believes that Hitachi-ID’s focus on reducing the administrative and helpdesk burden and the
company’s focus on bottom-up IAM reflects the way in which organizations operate.
Recommendations
• An organization that has a legacy or homegrown IAM system should consider the Hitachi-ID suite. Typically, this system would use application-specific links, and paper, email, and service management platform-based ad hoc processes.
• Organizations that need to satisfy regulatory compliance and where access controls are not in alignment with current accountability requirements should evaluate Hitachi-ID. One particular area of concern that Hitachi-ID addresses well is privileged access for administrators.
• Enterprises that are facing a massive and (usually) forced review of the access management environment due to a merger or acquisition event would benefit from a solution of this nature. Typically, such organizations would require an access management solution that supports key processes such as provisioning, certification, and access request management at a level abstracted from individual applications and technologies.
• Identity Manager – this is the core identity management product. It manages profiles (the record of a user and their access rights entitlements) and propagates these entitlements and any changes to the components handling provisioning and access management for the target applications. Other important aspects of identity management, such as automating requests for changes to entitlements and access rights reporting, are also handled by Identity Manager. Identity Manager uses the organization structure diagram to refer access requests to the appropriate business manager, rather than directing them to the IT administrator. Identity Manager also provides compliance-oriented features such as enforcing segregation of duties rules for both business users and privileged user accounts.
• Access Certifier – this product periodically reviews the access rights of all users, and invites application owners, group owners, and managers to flag inappropriate privileges for de-activation.
• Password Manager – synchronizes passwords so that a user has the same password for most of the corporate applications and systems (generally without agents installed on the target application). It combines the password rules from all platforms to ensure that the chosen password satisfies them all. Hitachi-ID can connect to most common enterprise applications, operating systems and network resources. A change to any one password can trigger a password synchronization task across all systems. The Password Manager module also offers self-service management of other credentials for authentication, such as pre-defined “challenge-response” questions, hardware OTP tokens, smart cards, biometric samples (principally voice prints), and PKI certificates. The module also provides self-service password resets and enforces regular password changes through email reminders and by blocking access to applications until the password is changed.
CHAPTER 7: HITACHI – HITACHI-ID PORTFOLIO
Figure 1: Hitachi-ID Management suite network architecture (Source: Hitachi-ID). The diagram shows internal and Internet users reaching the Hitachi ID Application Server(s) through firewalls, a reverse web proxy and a load balancer; supporting systems (IVR server, SMTP or Notes mail, helpdesk ticketing system, authoritative system of record, password synch trigger systems); optional Hitachi ID Proxy Server(s); and target systems reached either with a local agent (OS/390, Unix, older RSA) or with a remote agent (AD, SQL, SAP, Notes, etc.) over TCP/IP + AES, secure native protocols and various other protocols.
SOLUTION OVERVIEW
The Hitachi IAM portfolio comprises two broad categories of solution, namely the user provisioning and
access management tools, and the password management tools. Figure 1 provides an illustration of
how Hitachi-ID’s solutions work.
• Group Manager – enables self-service management and more efficient usage of AD groups. All groups defined within the AD can be modeled with the Group Manager module and the group managers are defined for each group. Group membership requests, which are typically made when the user is trying to access shared network folders, are routed through this module to the AD group owners to review and approve or reject. The Group Manager module is aimed primarily at reducing the system administrator’s workload by resolving requests in the business context.
• Privileged Password Manager – Hitachi-ID eliminates the need for individuals to know the passwords to privileged accounts on systems and applications. Instead, passwords to privileged IDs are randomized frequently (for example, every day) and stored in an encrypted and replicated secure vault. People and software agents have to log in to the managed systems through Privileged Password Manager to get connected with administrator rights. Privileged Password Manager will normally require them to log into it, providing strong authentication. Users can be given continuous administrator access, or access on a once-only basis. Today, Hitachi-ID logs the occurrence of all privileged sessions but not what is done in each session. The next release will include video recordings of these sessions.
• Login Manager – a program installed on the user’s desktop that auto-populates dialogue boxes and forms with login IDs and passwords. The Login Manager captures the network login and password at the start of a user session so that they can be used to log in to other platforms and applications during the session. This results in fewer login IDs and passwords for the user to type.
• Org Manager – this module is used to build an organizational chart, with supervisors updating the list of their direct reports. Dotted line relationships can be documented for horizontal reporting relationships, but these are not used by the tool. Identity Manager can use these data to determine who needs to authorize an access request. Access Certifier can use it to assign the task of reviewing user access rights. All Hitachi-ID products can use these data to route change requests for authorization and to escalate requests from non-responsive approvers to their managers.
• Telephone Password Manager – addresses a common problem that adds considerably to the helpdesk team’s and IT administrator’s workload. Users who forget their passwords can reset them through a telephony-based interactive voice response (IVR) process. The IVR workflow can authenticate users using questions and answers captured at the time of enrollment, voice print authentication, or a hardware token. A password reset executed through Telephone Password Manager is processed by Password Manager, changing the password on one or more applications.
SOLUTION ANALYSIS
Enterprise and web SSO
The Hitachi-ID portfolio includes enterprise SSO (using Login Manager) but not web SSO functionality.
Instead, it provides a single password to multiple applications through a password synchronization
mechanism. The password to the user’s desktop is set as the password for all the applications the user
needs to access that are integrated with Hitachi-ID. A password change for any of the applications
triggers a password change for all other components. Applications have varying password rules in terms
of complexity and size. Hitachi-ID requires the user to give a new password that complies with all of
these rules.
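The Password Manager description and this section both turn on one mechanism: a synchronized password must satisfy the intersection of every target platform's rules (length, complexity, allowed characters, reuse history). The following Python is an added illustration of that check, not Hitachi-ID code; the three platform policies and the password history are constructed values, and the example also surfaces the failure mode of mutually incompatible policies (a strict minimum length on one platform against a short maximum on another), where no synchronized password can exist.

```python
"""Composite password-policy check for a password-synchronization service.

Each target platform keeps its own rules; a new password is accepted only
when it satisfies every platform it will be synchronized to.  The policies
below are constructed for illustration and are not vendor or real-site data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Character classes a policy may require ("complexity").
CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass(frozen=True)
class PlatformPolicy:
    name: str
    min_length: int = 1
    max_length: int = 128                # legacy systems often cap or silently truncate
    min_classes: int = 0                 # distinct character classes required
    allowed_chars: Optional[str] = None  # regex character set; None = anything goes
    forbid_username: bool = False
    history: int = 0                     # previous passwords that may not be reused


def violations(policy: PlatformPolicy, password: str, username: str,
               previous: Sequence[str]) -> List[str]:
    """Return the rules of one platform that the candidate password breaks."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    classes = sum(1 for p in CLASS_PATTERNS.values() if p.search(password))
    if classes < policy.min_classes:
        problems.append(f"needs {policy.min_classes} character classes, has {classes}")
    if policy.allowed_chars and not re.fullmatch(f"[{policy.allowed_chars}]*", password):
        problems.append(f"contains characters outside [{policy.allowed_chars}]")
    if policy.forbid_username and username.lower() in password.lower():
        problems.append("contains the login ID")
    if policy.history and password in list(previous)[-policy.history:]:
        problems.append(f"reuses one of the last {policy.history} passwords")
    return problems


def effective_limits(policies: Sequence[PlatformPolicy]) -> Dict[str, int]:
    """Intersect the numeric rules into the single requirement shown to the user.

    Raises ValueError when the strictest minimum exceeds the smallest maximum,
    i.e. no password can be valid everywhere (for example an 8-character cap
    on one platform against a 12-character minimum on another).
    """
    low = max(p.min_length for p in policies)
    high = min(p.max_length for p in policies)
    if low > high:
        raise ValueError(f"incompatible policies: min {low} > max {high}")
    return {"min_length": low, "max_length": high,
            "min_classes": max(p.min_classes for p in policies),
            "history": max(p.history for p in policies)}


def check_candidate(policies: Sequence[PlatformPolicy], password: str,
                    username: str, previous: Sequence[str]) -> Dict[str, List[str]]:
    """Map each platform to the rules it would reject; an empty dict means accept."""
    result: Dict[str, List[str]] = {}
    for p in policies:
        bad = violations(p, password, username, previous)
        if bad:
            result[p.name] = bad
    return result


# Constructed policies for three target platforms (illustrative values only).
POLICIES = [
    PlatformPolicy("AD", min_length=8, min_classes=3, forbid_username=True, history=24),
    PlatformPolicy("RACF", min_length=6, max_length=8, allowed_chars="A-Za-z0-9@#$"),
    PlatformPolicy("SAP", min_length=6, max_length=40, min_classes=2, history=5),
]
PREVIOUS = ["Winter#2010", "Spring#2010"]   # constructed password history

if __name__ == "__main__":
    print("combined requirement:", effective_limits(POLICIES))
    for cand in ["Tr0ub@d0r!", "jsmith#7", "Xk7$mQ2p"]:
        print(cand, check_candidate(POLICIES, cand, "jsmith", PREVIOUS) or "accepted")
```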
User provisioning and role management
A variety of automated and approval-driven user provisioning mechanisms is provided. Hitachi-ID relies
more on user-requested and supervisor-requested approaches than on formal roles. The
Identity Manager module is the core solution for user provisioning. The module monitors changes to
system records that relate to target applications, and when a change relevant to the user’s role and
entitlement is detected, the information is routed to the target system, triggering an entitlement change.
Such a change may also trigger an approval workflow, possibly subjected to segregation of duties policy
compliance.
Provisioning access to users, changing entitlements and de-provisioning are all supported through
workflows, and requests can be initiated by the users themselves or by supervisors (or others in positions
of authority). The request workflow systems support approval by consensus and escalation procedures.
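The Org Manager description and the request workflow above share one routing model: a request goes to the approvers the organization chart names, all of them must agree, and an approver who does not respond is skipped in favour of their own manager, while dotted-line relationships are recorded but not used for routing. The following Python is an added illustration of that model, not Hitachi-ID code; the chart, resource owners, SLA and response times are constructed for the example.

```python
"""Access-request routing over an organization chart, with escalation.

A request goes to the requester's supervisor (solid reporting line) and to
the owner of the requested resource; both must approve ("consensus").  An
approver who does not answer within the SLA is skipped and the request
escalates to that approver's own manager until someone answers or the top of
the chart is reached.  Dotted-line relationships are recorded but never used
for routing.  Chart, owners and responses below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class OrgChart:
    manager_of: Dict[str, Optional[str]]                              # solid reporting line
    dotted_lines: Dict[str, List[str]] = field(default_factory=dict)  # documented, not routed

    def manager(self, person: str) -> Optional[str]:
        return self.manager_of.get(person)


# (decision, hours until the approver answered); None = never answered
Response = Optional[Tuple[str, int]]


def resolve_approver(chart: OrgChart, first: str, responses: Dict[str, Response],
                     sla_hours: int) -> Tuple[str, Optional[str], List[str]]:
    """Walk up the chart from `first` until an approver answers inside the SLA.

    Returns (final_approver, decision, escalation_trail).  decision is None when
    the chain is exhausted without an answer, so an administrator is alerted
    instead of the request stalling silently.
    """
    trail: List[str] = []
    current: Optional[str] = first
    while current is not None:
        answer = responses.get(current)
        if answer is not None and answer[1] <= sla_hours:
            return current, answer[0], trail
        trail.append(current)                  # timed out or never answered
        current = chart.manager(current)
    return trail[-1], None, trail


def route_request(chart: OrgChart, requester: str, resource: str,
                  owners: Dict[str, str], responses: Dict[str, Response],
                  sla_hours: int = 48) -> Dict[str, Any]:
    """Collect consensus from the supervisor chain and the resource-owner chain."""
    outcome: Dict[str, Any] = {"request": f"{requester} -> {resource}",
                               "approvals": {}, "escalations": {}}
    decisions: List[Optional[str]] = []
    for start in (chart.manager(requester), owners.get(resource)):
        if start is None:                      # no supervisor or no owner on record
            decisions.append(None)
            continue
        approver, decision, trail = resolve_approver(chart, start, responses, sla_hours)
        outcome["approvals"][approver] = decision
        if trail:
            outcome["escalations"][start] = trail
        decisions.append(decision)
    if any(d == "reject" for d in decisions):
        outcome["status"] = "rejected"
    elif all(d == "approve" for d in decisions):
        outcome["status"] = "approved"
    else:
        outcome["status"] = "needs_admin"      # chain exhausted or approver undefined
    return outcome


# Constructed organization chart and responses (not from any real deployment).
CHART = OrgChart(
    manager_of={"dana": "erin", "erin": "frank", "frank": None, "gita": "frank", "hal": "gita"},
    dotted_lines={"dana": ["gita"]},   # dana also works for gita; not used for routing
)
OWNERS = {"fileshare:finance": "hal", "SAP:AP_PAYMENT_RUN": "gita"}
RESPONSES: Dict[str, Response] = {
    "erin": None,              # on leave, never answers
    "frank": ("approve", 5),
    "hal": ("approve", 70),    # answered, but after the 48-hour SLA
    "gita": ("approve", 12),
}

if __name__ == "__main__":
    print(route_request(CHART, "dana", "fileshare:finance", OWNERS, RESPONSES))
```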
Hitachi-ID sticks to its characteristic bottom-up focus on role definitions. The Hitachi-ID Org Manager
can extract role information (reporting relationships) from existing directories and enterprise
applications, and it enriches and updates this by sending out invitations to managers to update the list
of their direct reports. The manager can identify employees who have left the organization and notify
changes in the reporting structure.
Password management
The password management capability comprises password synchronization, enforcement of password
length and complexity, password history management (regarding rules for re-use), enforcement of
expiration rules (there are about 50 such rules), and self-service password resets. This can be done
from a web browser, from the desktop login screen, or using the telephone with an IVR application. The
self-service password reset process can use strong authentication techniques such as hardware
tokens, biometric authentication and challenge-response, using questions and answers defined at the
time of enrollment. This question/answer system can accommodate inexact matches, down to the level
of “sounds like”. In addition to self-service password resets, Hitachi-ID, through its integration with
helpdesk applications, eases the process of creating a helpdesk ticket, resetting the password, and
closing the helpdesk ticket.
An important aspect of password synchronization is the reconciliation of login IDs. Reconciliation
involves associating multiple login IDs with a single network login ID, and associating this login ID with
a single individual. This is accomplished through a combination of directory look-ups to find login IDs
associated with a user and the client software Login Manager listening in for additional logins. In
addition, a question and answer system configured at the time of enrollment, and validated at the time
of password resets, helps connect a login ID with an individual defined in an organization chart. This
helps address the confusion that arises between employees with the same name.
As mentioned earlier in this report, the portfolio also comprises privileged password management.
Access control
Two important capabilities merit special mention; namely, access certification workflow and network
resource access management. The access certification feature enforces regular reviews of user access
rights by application owners, supervisors and group owners. The network resource access
management feature allows client organizations to model AD groups and assign owners to these
groups. When users request access to shared folders, network drives and email distribution lists, the
request is automatically routed to the group owner, taking a major part of group management off the
service desk team’s plate. In operational terms, when a user requests access to a network resource
and receives an “access denied” message, the user is prompted with information about which group
has access to the resource. The user can then request that they be made a member of the group.
Maturity
The Hitachi-ID unit and the tools in its portfolio have a long history. The unit was founded in 1992, and
the company has an installed base of 800 client organizations and 10 million licensed users. The
company counts some of the largest companies in the world, such as AT&T, as its clients, and has some
of the largest IAM deployment sites. The Identity Manager solution has 3.5 million lines of code and the
Management Suite is currently on version 6.1.2.
Integration and interoperability
The Hitachi-ID suite integrates with an impressive series of enterprise applications, operating systems,
directories, messaging systems, server platforms and service desk/helpdesk systems. Some of these
solutions are AD and eDirectory (and any other LDAP directory), Linux, Solaris, HP-UX and IBM
products, ranging from Resource Access Control Facility (RACF) and AIX to Lotus Notes, Oracle
databases and applications, PeopleSoft, SAP R/3 and Business Objects, and MS Exchange. Hitachi-ID
can work with an unknown application, such as a homegrown application, using custom scripts
developed with an included scripting program. There are a number of approaches for providing
custom integrations (Hitachi-ID provides custom integration at fixed prices), including APIs (J2EE, .NET,
COM, ActiveX, MQ Series), terminal emulation, web services, command line and direct Structured Query
Language (SQL) statements.
PRODUCT STRATEGY
Hitachi’s target market is not limited to particular vertical sectors. The Hitachi-ID portfolio is aimed at
companies with over 10,000 employees, and the installed base ranges from 300 to 350,000 internal
users and up to 10 million external users. Client organizations are typically companies in the Fortune
2000 range and non-profit and government agencies of a similar scale. In terms of the geographical
distribution of clients, North America accounts for 80% of the installed base, while Europe and the rest
of the world account for 15% and 5%, respectively. Hitachi has a direct presence in the US market, while
in other geographies, the company works through partners. The company targets global organizations
through its managed services provider (MSP) partners. For all market segments, Hitachi partners with
systems integrators as well. The list of MSP and systems integration (SI) partners includes CSC,
Capgemini, CompuCom, Dell, HP Enterprise Services (formerly EDS), Hitachi JoHo (Japan), IBM
Global Services, Northrop Grumman, Perot Systems, Siemens Business Services, T-Systems, Wipro,
and Xerox. Hitachi-ID has 43 consultants of its own around the world, while it also works with Hitachi
Consulting, and partners with KPMG.
Hitachi-ID products are licensed by number of users (but not named users), and the Privileged Password Manager is licensed by the number of administrator IDs. In terms of average deal sizes, the following list shows a few representative deals:
• Password Manager – 10,000 users; $140,000 in deal size; 85% license, 15% services; password synchronization, assisted lockouts, and mobile users.
• Password Manager and Identity Manager – 10,000 users; $500,000 in project value; 55% license and 45% services; auto-onboarding and deactivation, self-service user profile updates and access change requests.
• Privileged Password Manager – 3,000 managed IDs; $75,000 in project value; 50% license and 50% services.
Support is priced at 20% of the licensing costs, and the maintenance package includes 17 hours per
day (3am to 8pm, Eastern Time) and five days a week technical support via email, phone and VPN.
Upgrades are bundled into the support package. In addition, client organizations can get access to 24/7
emergency support for an extra 5% of licensing costs.
The release cycle comprises a maintenance release every one to three months, a minor upgrade (such
as a graphical user interface (GUI) change) every six to eight months, and a major release every 18 to
24 months.
Hitachi-ID believes that growth will be driven by new technologies and trends (such as full disk
encryption, smart cards and mobile workers) that are likely to increase the volume of password
management issues. The company reports that privileged password management has been a growth
area in the recent past, with every major customer implementing the technology.
The Hitachi-ID roadmap is comprehensive, and a number of interesting features are in the pipeline. The
list of medium- and long-term development plans includes a workflow to create new and delete
unnecessary groups, periodic certification of role definitions, a workflow that asks managers to identify
clusters of direct reports who perform a similar job function, and the ability to add attributes such as risk
scores to target applications. Major improvements are also on the cards for the privileged password
management module, such as full session recording (currently only the entry and exit time are
recorded). Hitachi is working to bolster its role management capability, and enhance its password
management module.
IMPLEMENTATION
As would be expected for an identity management suite, implementation requires significant resources, but
Hitachi has simplified the task; for example, by removing the requirement for a comprehensive role model.
The following list details a few representative implementation cases and their resource requirements:
• Password Manager to reset and synchronize passwords across 10 systems for 50,000 users: 20 billable days and eight weeks of elapsed time, 0.5 resources for one to two months, and 0.25 ongoing.
• Identity Manager to auto-provision and auto-deactivate users on AD, Exchange, RACF and one or two enterprise applications, based on an HR data feed across 100 locations, 50 departments and 50,000 users: 60 billable days, 16 weeks of elapsed time, one resource for six months, and 0.5 ongoing.
• Privileged Password Manager to randomize and control disclosure of privileged passwords across 1,000 Unix, Linux, Windows and Oracle servers and 10,000 workstations: 20 billable days and six weeks of elapsed time; one resource for three months, and 0.5 resource ongoing.
• Group Manager to push management of membership in AD groups out of the realm of IT support and into the self-service regime across one global AD domain, 10,000 users, 5,000 groups, 500 file servers, and 2,000 shares: 15 billable days and four weeks of elapsed time, one resource for between one and two months, and 0.25 ongoing.
• Access Certifier to invite managers to periodically review a list of their subordinates and their access rights, and flag old entitlements for cleanup across one AD domain, one SAP production system and one RACF production system. No roles were defined, and organizational chart data were available but incomplete and inaccurate; 10,000 users/1,000 managers: 60 billable days and 20 weeks of elapsed time; one resource for six months, and 0.75 ongoing.
Hitachi-ID runs on Windows Server 2003 and 2008. The products in the Hitachi-ID portfolio integrate
with a wide range of systems and applications. CA SiteMinder, IBM Tivoli IAM, Oracle AM, RSA Access
Manager in the web SSO category, SAP, Oracle and Business Objects in the enterprise applications
and business intelligence category, and z/OS and iSeries are some of the applications and platforms
that have not already been mentioned in this Technology Audit.
DEPLOYMENT EXAMPLES
ATCO
ATCO (a construction and industrial conglomerate) deployed Hitachi-ID products for auto-provisioning,
auto-deprovisioning, security group management, entitlement cleanup, password synchronization and
password resets for about 11,000 users. The project spanned multiple phases beginning with password
management, and moved onto a staged implementation of consolidated security administration,
automation for on-boarding and deactivating users, and a self-service workflow for profile updates and
entitlement change requests. The entire project took about a year.
Wells Fargo
Wells Fargo bank implemented self-service password resets and routine password management for
about 350,000 users, involving access to AD, many target applications, and login screens. The project
took less than three months, and according to Hitachi-ID, reduced IT support costs by $4m.
Intel
Intel implemented privileged password management for 3,000 production systems (Windows, Linux,
VMware and SQL). The project took two to three weeks and the client organization successfully
implemented automated access rights changes resulting from systems administrator staff turnover.
Hitachi-ID Systems, Inc.
500, 1401 – 1st Street SE
Calgary, Alberta
Canada, T2G 2J3
Tel: +1 (403) 233 0740
Fax: +1 (972) 767 4404
Email: www.hitachi-id.com
IBM: IBM Tivoli Identity and Access Management Products
IBM is a major player in the identity and access management (IAM) field, marketing its products under
the Tivoli brand. The products’ main strengths are their breadth of functionality and the close integration
of IBM security and service-management products. Going forward, users can be confident of support
for extending IAM controls into the cloud. The products can be deployed individually or as a suite, but
users adopting all or most of the suite will benefit most. IBM applies some of the benefits of the robust
mainframe environment to the open systems environment. The products benefit from IBM’s strong
position in the system-management domain.
• There is close integration of IBM’s security products across IAM, security information and event monitoring (SIEM), and DLP domains.
• Mainframe users are supported with an integrated suite of products.
KEY FINDINGS
OVUM VIEW
Through its Tivoli division, IBM has a long presence in the identity management sector, and has equally
well-established credentials in systems management. More recently, IBM has acquired several IT
security vendors, including ISS, and specialist vendors, such as Consul Risk Management, Watchfire,
Encentuate, Ounce Labs, Guardium and BigFix. IBM therefore has an impressive range of security
technologies and managed services to match its historical strengths in security consulting. In its high-
level vision, it has been able to address the inherent synergy between security management, systems
management, governance and compliance in a way that the more specialist vendors have not.
However, this level of integration is not always evident at the product-implementation level.
Within the IAM sector, IBM provides comprehensive functionality addressing all the “bases” across the
map of required functionality. The global enterprise trend towards the rationalization of IT suppliers
works to the advantage of the large IT infrastructure vendors. IBM is the most prominent player in
enterprise IT and has the most to gain from this rationalization. It has assembled a range of security
products that puts it in a position to benefit from this movement.
CHAPTER 7: IBM – IBM TIVOLI IDENTITY AND ACCESS MANAGEMENT PRODUCTS
TECHNOLOGY AUDIT
Strengths:
Strong compliance-reporting features.
A broad suite of products providing comprehensive functionality.
Closed feedback loop for monitoring and acting on access and policy usage.
Weaknesses:
IBM is still in the process of integrating some of its acquisitions.
Key Facts:
• Supports a wide range of standards.
• Policies can be tested using “what-if” simulation exercises across all products.
Recommendations
• Organizations with heterogeneous computing platforms, including mainframes – the breadth of capabilities and functionality in the IBM suite of products makes it an attractive and natural choice for these organizations.
• Organizations that have a strategic vision for integrated IAM – these organizations will find IBM’s strategic Service Management Platform approach helpful for meeting security and IT governance objectives.
• Other organizations with more than 500 employees – the choice of identity management suite is not so clear-cut for this group of organizations, and they should examine the detailed functions and features of the candidate products. Ease of deployment should take precedence over the product price, because identity and access management systems need to be configured to their operating environment and integrated with the business applications they control. IBM Tivoli Identity Manager, IBM Tivoli Federated Identity Manager Business Gateway, and IBM Tivoli Access Manager for ESSO are suitable choices for the SME sector.
SOLUTION OVERVIEW
IBM places IAM within its IBM Security Framework, which itself forms part of the IBM Service
Management Platform that addresses the need for visibility, control, and automation across enterprise
IT platforms. It addresses security governance, risk management and compliance across the realms of
people, information, applications, processes, IT infrastructure and physical infrastructure. Within this
overall scope, identity management addresses requirements relating to people and identity, as well as
applications and processes.
IBM has simplified its portfolio to deliver integrated capabilities, as described in the IBM Security
Framework, into consumable packages or bundles. The IBM Security Framework, along with the IBM
security products and packages, are shown in Figure 1. One of the key bundles is the Identity and Access
Assurance bundle, which contains the foundational IAM products to help on-board and off-board users.
Figure 1: IBM Security Framework and products (Source: IBM). The framework places security governance, risk management and compliance over the domains of people and identity, data and information, application and process, network, server and end point, and physical infrastructure, with common policy, event handling and reporting, delivered through managed services, hardware and software, and professional services. Three packages are shown: Identity and Access Assurance, Data and Application Security, and Security Management for z/OS. The products listed across them are Identity Manager, Directory Server, Directory Integrator, Federated Identity Manager, Access Manager for eBusiness, Access Manager for Enterprise SSO, Access Manager for Operating Systems, Security Information and Event Manager, Security Policy Manager, Key Lifecycle Manager, zSecure Admin, zSecure Audit, zSecure Command Verifier, and Security Info. & Event Manager for z/OS Auditing.
IBM’s Identity and Access Management Governance portfolio (see Figure 2) provides policy-driven
governance to streamline and strengthen security for the foundational IBM IAM capabilities. It
comprises:
• Planning the policy and role-modeling framework – this provides tools for role-modeling and management, and the support of policy design.
• Tracking – this involves the monitoring of user activity. IBM Tivoli Security Information and Event Manager provides unified reporting and auditing, feedback about policies and roles, and compliance reporting.
• Enforcing through identity, access and entitlement management – IBM Tivoli Identity Manager, IBM Tivoli Privileged Identity Manager Service, IBM Tivoli Access Manager for e-business and IBM Tivoli Security Policy Manager provide access certification, remediation of user access rights, privileged identity management, coarse-grained access and fine-grained, context-based, entitlement enforcement.
Figure 2: IBM’s IAM Governance Portfolio in 2010 (Source: IBM). Policy-driven governance with process integration, organized as Planning (policy and role modeling: Role Modeling Assistant, Policy Design Tool), Tracking (user activity monitoring: IBM Tivoli Security Information and Event Manager) and Enforcing (identity management: IBM Tivoli Identity Manager, IBM Tivoli Privileged Identity Manager Service; access and entitlement management: IBM Tivoli Security Policy Manager, IBM Tivoli Access Manager for eBusiness, IBM Tivoli Federated Identity Manager).
These products and services are supported by some foundation products, so the IAM suite is larger
than the components shown in Figure 2.
The main products in the IAM area are:

IBM Tivoli Directory Server (TDS), a scalable, standards-based identity data repository that
interoperates with a broad range of operating systems and applications. This directory server is
included within IBM IAM solutions to support large scale deployments.

IBM Tivoli Directory Integrator (TDI), which can serve as a meta-directory or data-integration tool,
synchronizing or transforming identity information and other security information in real time across
relevant organizational sources. This directory integrator solution is included within IBM’s IAM
solutions to support integration in a heterogeneous IT environment.

IBM Tivoli Identity Manager (TIM), which provides identity management and provisioning relating to
many types of logical assets (for example, databases and applications), network infrastructure (for
example, Cisco ACS), and access-control systems, including those that are card-operated for
building access. It enables integration with a broad range of heterogeneous systems across multiple
types of platform. TIM has been improved with usability and interface enhancements to help with
rapid deployment and operation, making the solution more accessible and adoptable by the SME
market.

IBM Tivoli Access Manager for Operating Systems (TAMOS) handles authentication and
authorization and controls administrator (root user) access to Linux and Unix systems.

IBM Tivoli Access Manager for Enterprise Single Sign-On (TAMESSO) provides desktop SSO for
enterprise applications (usually termed Enterprise SSO), built-in integration with numerous strong
authentication form factors, and many common applications (as well as extensibility to further
applications via a drag and drop visual profiling interface), and session management for shared
desktops.

IBM Tivoli Access Manager for e-business (TAMeb), which provides a reverse-proxy-based
authentication and authorization hub manages, and enforces user access to applications hosted on
the web. It is primarily focused on web-based applications SSO and provides out-of-the-box
integration for Web 2.0 applications and web services. It can be implemented in varying forms, from
simple web SSO to more complex application security infrastructure deployments.

IBM Tivoli Federated Identity Manager (TFIM) provides the framework to support standards-based,
federated identity interactions between partners, with capabilities in the areas of federated web
SSO, web services security management, and federated provisioning. It comes with TAMeb for full-
featured, standards-based web access management systems, and has been enhanced with more
support for user-centric federation deployments using SAML and OpenID attributes. It is designed
to simplify trust-based identity integration across Java, .NET, and mainframe applications and
services.

IBM Tivoli Federated Identity Manager Business Gateway (TFIM BG), which provides federated
access SSO using SAML protocols. It integrates with existing on-premise application and web
access management systems to control access to cloud software as a service (SaaS) and third party
external applications.

IBM Tivoli Privileged Identity Management service, which handles the lifecycle management of
shared accounts and SSO for privileged IDs across systems and applications. It is a service based
on TIM and TAMESSO. It ties administrator accounts to pools of authorized users, and provides
SSO with the administrator credentials into the user session when the user needs to access
privileged resources, while enforcing check in and check out of these credentials to maintain
individual accountability.

IBM Tivoli Security Policy Manager (TSPM), which provides entitlements and message security
policy management for composite applications and services, centrally managed roles relating to
applications, message protection policies and data-level access entitlements. It comes with security
run-time services for standards-based policy decision integration with the existing IT and application
environment, and provides out-of-the-box policy enforcement integration for WebSphere Portal,
Microsoft SharePoint, WebSphere Application Server, .NET, Filenet, and DB2 applications.

IBM Tivoli Security Information and Event Manager (TSIEM), which provides the reporting and
auditing capabilities relating to the operation of the identity management infrastructure. TSIEM
closes the loop for IAM by monitoring the usage of the configured policies, identifying violations for
remediation, and reporting for compliance purposes.

IBM Tivoli zSecure Suite, which delivers audit and administrative capabilities for mainframe security,
including management of user credentials, access rights, monitoring and compliance. It is also a
foundation of IBM’s Enterprise Security Hub and integrates with mainframe security protocols such
as RACF, and with the mainframe editions of other IBM security products such as TIM for z/OS and
TFIM for z/OS.
IDENTITY AND ACCESS MANAGEMENT 2011/12
178
Tivoli offers mainframe versions of several IAM products. These are TIM, TAMeb, TFIM running on
zLinux, TIM for z/OS, TFIM for z/OS, TDS for z/OS and TDI for z/OS. Tivoli zSecure Admin enhances
user management in the mainframe domain, including z/OS, z/VM and Unix System Services.
SOLUTION ANALYSIS
Authentication
The Tivoli suite provides comprehensive coverage for strong authentication. Web authentication is
handled by TAMeb and TFIM, while desktop authentication is handled by TAMESSO.
TAMeb provides facilities to allow multiple levels and custom authentication mechanisms to be added
to those it already supports. Authentication assertions can be communicated over hypertext transfer
protocol (HTTP), which makes it easier for organizations to integrate with external authentication
services. A limited-use license for TDI is included with TAMeb, providing options such as directory-
chaining for user authentication. A session management facility enables user sessions to be tracked
across enforcement points. This provides administrative benefits, such as a single point from which to
report on and manage user sessions, and the easier enablement of policy enforcement, which traverses
any routes the user might have taken to access resources.
TAMESSO supports smart cards, biometrics, and passive and active RFID cards. An interface for open
authentication devices simplifies integration with other authentication devices that may not be
supported out of the box.
Enterprise and web SSO
The IBM Tivoli Unified Single Sign On solution addresses the access needs of enterprises inside,
outside and between organizations. It comprises three parts:

Enterprise SSO performed by TAMESSO.

Web SSO performed by TAMeb.

Federated SSO performed by TFIM.
IBM’s enterprise SSO capability is based on its acquisition of Encentuate in March 2008. It provides
connections to common enterprise applications. There is also a help wizard with a drag-and-drop user
interface to auto-generate SSO support for other enterprise applications. It can be integrated with
several strong authentication products. It provides centralized auditing and reporting of user access to
the applications under its control across the enterprise.
TAMeb provides a single view of user access across a broad set of business applications, ranging from
email to enterprise resource planning (ERP) systems. It seamlessly integrates into a Microsoft .NET
infrastructure and works with AD. It minimizes the changes to the .NET applications that are required
to allow them to participate in web SSO. There is some anti-fraud support provided in the browser to
support web application security. A bundling with Tivoli Common Reporting provides built-in report
authoring, report distribution and report scheduling capabilities. It also offers configurable admin
domains, improved session management services and support for non-standard IP load-balancers.
TFIM extends TAMeb to support federation standards such as SAML to easily federate access to other
compatible systems. The chapter on FIM gives more detail about this product.
User provisioning
IBM TIM provides a group management capability to streamline user administration, as well as a role-
hierarchy model to simplify user provisioning and improve the visibility of user access permissions that
have been granted. Operational role management is now a fundamental embedded capability in TIM.
An individual can have multiple roles, users can inherit roles and they can be given ad hoc additional
privileges outside of the role structure. TIM can prevent and detect conflicts between role and
permission allocations. Roles can be imported from a directory. TIM’s access certification capability
allows organizations to automate the periodic recertification of user, account, and role access to comply
with policy.
CHAPTER 7: IBM – IBM TIVOLI IDENTITY AND ACCESS MANAGEMENT PRODUCTS
179
IBM’s Role Modeling Assistant tool is provided to assist in the building of roles. It works in both top-down
and bottom-up modes. The bottom-up mechanism imports existing identity, role and entitlement data,
while the top-down mechanism imports interview data. These are analyzed and compared to produce
a set of roles for approval, editing and certification. The final definitions can then be exported into TIM.
Password management
TIM provides self-service capabilities for password resetting and synchronization across platforms and
applications. TAMESSO also handles password management from the desktop and integrates
seamlessly with TIM.
FIM
TFIM has been improved to make it more user-centric. A large number of users can be enrolled into the
TAMeb LDAP using FIM, from which they can be authenticated to all the applications they need to
access. FIM also gives users a choice of identity selectors, such as the Higgins Framework and
Microsoft CardSpace, to support user-asserted identity, instead of the traditional enterprise issued
identities. It supports both SAML and OpenID attributes, and works with all generations of SAML,
Kerberos, and RACF PassTicket tokens. It is designed to integrate with Java, .NET and mainframe
applications. The Kerberos token module extends integration into the .NET environment. It reports into
Tivoli Compliance Insight Manager.
IBM’s federation mechanism also gives access to internal and external services including SaaS,
platform as a service (PaaS) and infrastructure as a service (IaaS) cloud services. It can supply these
services with SAML tokens, OpenID user IDs, and passwords as required.
Privileged identity management
The Tivoli Privileged Identity Management solution comprises TIM and TAMESSO. TIM provides the
lifecycle management of shared and privileged IDs, from provisioning, through access request and
approval workflow support to access recertification and de-provisioning. TAMESSO facilitates
administrators who need access to a system with shared or privileged IDs by automatically checking
out a shared ID, providing single sign on, and automatically checking in the ID for reuse on application
log out. This automatic check in and check out not only simplifies usage and automates compliance,
but also improves security as the administrators no longer need to know the passwords to these
privileged IDs.
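The check-out/SSO/check-in cycle described above, as an added illustration that is not IBM's TIM or TAMESSO code: a minimal vault that ties a shared administrator ID to a pool of named users, releases the password only to the SSO step of a live lease, and records which individual was behind each use. The account name, user names and the password rotation on check-in are assumptions of this model.

```python
"""Shared / privileged-ID check-out and check-in with individual accountability.

Added illustration, not IBM's TIM/TAMESSO code. The vault never hands the
password to a person: a check-out yields a lease token, the SSO agent trades
the lease for the credential, and check-in rotates the password (an
assumption of this model) so the released value is useless afterwards.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class SharedAccount:
    account_id: str                       # e.g. "root@db-prod-01" (constructed)
    authorized_pool: Set[str]             # individuals entitled to check the ID out
    checked_out_by: Optional[str] = None  # current holder, or None if available
    lease_token: Optional[str] = None     # capability proving the current lease


@dataclass
class AuditEvent:
    action: str        # CHECKOUT, SSO, CHECKIN or DENY
    account_id: str
    user: str
    detail: str = ""


class PrivilegedIdVault:
    """Holds shared-ID passwords; callers only ever receive a lease token."""

    def __init__(self) -> None:
        self.accounts: Dict[str, SharedAccount] = {}
        self._passwords: Dict[str, str] = {}   # vault-internal, never listed
        self.audit: List[AuditEvent] = []

    def register(self, account_id: str, pool: Set[str], password: str) -> None:
        self.accounts[account_id] = SharedAccount(account_id, set(pool))
        self._passwords[account_id] = password

    def check_out(self, account_id: str, user: str) -> str:
        """Reserve the shared ID for one named user and return a lease token."""
        acct = self.accounts[account_id]
        if user not in acct.authorized_pool:
            self.audit.append(AuditEvent("DENY", account_id, user, "not in pool"))
            raise PermissionError(f"{user} is not authorized for {account_id}")
        if acct.checked_out_by is not None:
            self.audit.append(AuditEvent("DENY", account_id, user,
                                         f"held by {acct.checked_out_by}"))
            raise RuntimeError(f"{account_id} is already checked out")
        acct.checked_out_by = user
        acct.lease_token = secrets.token_hex(16)
        self.audit.append(AuditEvent("CHECKOUT", account_id, user))
        return acct.lease_token

    def sso_credential(self, account_id: str, lease_token: str) -> Dict[str, str]:
        """Called by the SSO agent: release the password to the session, not the user."""
        acct = self.accounts[account_id]
        if acct.lease_token is None or not secrets.compare_digest(acct.lease_token, lease_token):
            self.audit.append(AuditEvent("DENY", account_id, "?", "bad lease"))
            raise PermissionError("invalid lease")
        self.audit.append(AuditEvent("SSO", account_id, acct.checked_out_by))
        return {"login": account_id, "password": self._passwords[account_id],
                "on_behalf_of": acct.checked_out_by}

    def check_in(self, account_id: str, lease_token: str) -> None:
        """On application logout: release the ID and rotate its password."""
        acct = self.accounts[account_id]
        if acct.lease_token is None or not secrets.compare_digest(acct.lease_token, lease_token):
            raise PermissionError("invalid lease")
        self.audit.append(AuditEvent("CHECKIN", account_id, acct.checked_out_by))
        self._passwords[account_id] = secrets.token_urlsafe(24)  # old value now useless
        acct.checked_out_by = None
        acct.lease_token = None

    def password_changed_since(self, account_id: str, old: str) -> bool:
        """Has the stored password moved on from `old` (e.g. after a check-in)?"""
        return self._passwords[account_id] != old

    def who_used(self, account_id: str) -> List[str]:
        """Accountability query: the individuals behind each use of the shared ID."""
        return [e.user for e in self.audit
                if e.account_id == account_id and e.action == "SSO"]
```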
Administration and policy management
TSIEM monitors user activity via a dashboard view including privileged user activity on databases,
applications, servers and mainframes. TSIEM manages logs to produce compliance reports and issue
alerts about possible policy violations. It can collect information from thousands of event sources and is
now available on a Windows 64-bit platform to enhance its scalability. Its interface is available in Chinese,
Japanese, Korean, French, German, Italian, Spanish, Polish, Hungarian, Russian and English.
TAMeb, TAMOS and TFIM provide common administration management that allows authentication
policies to be defined and administered in a delegated hierarchical fashion. They provide out-of-the-box
integration for enterprise applications, Web 2.0 and web services, and work across data centers.
TSPM provides a centralized security policy management interface to author and transform security
policies for message security and fine-grained entitlements. It deals with policies formulated in business
terms, such as specifying a manager’s authorization limit for transactions without the need to involve IT
professionals, or use business services carrying personally identifiable information that needs to be
encrypted and signed. These security policies are expressed using roles, rules and attributes that a
business understands before being transformed into effective policies and communicated with the
enforcement points using Extensible Access Control Markup Language (XACML) and WS-
SecurityPolicy. It provides out-of-the-box policy enforcement integration with WebSphere Portal,
Microsoft SharePoint, WebSphere Application Server, .NET, Filenet, and DB2 applications. It also
enables SOA governance with integration into WebSphere Service Repository, WebSphere DataPower
SOA Appliances, WebSphere Message Broker, and third-party enterprise service buses (ESBs).
A standalone Eclipse-based policy design tool is offered to help application architects model
entitlements using roles and simulate ‘what if’ scenarios, including checking for potential “separation of
duties” violations, before creating policy templates for use in deployment.
IBM TIM provides reports of user access rights to assist with auditing.
TSIEM monitors for privileged-user activity. The combination of SIEM with IAM provides visibility,
auditor-centered reporting and a closed-loop compliance lifecycle.
PRODUCT STRATEGY
IAM is an integral part of IBM’s governance and security product set. In particular, it allows web
application security, XML security, network security and the DLP product to discriminate between
different users with different information access rights. It uses the SIEM products to provide audit and
alerting requirements.
Identity and access management products are typically used by larger organizations. However, IBM's
improvements in usability and ease of deployment let it take its products to companies in the 500–1,000
employee range. It offers bundles of IAM and related products, including for companies at the
smaller end of the spectrum.
IBM has more than 4,000 IAM customers and some robust service capabilities.
IMPLEMENTATION
TDS is built on the DB2 database engine to deliver high performance, but DB2 expertise is not required
to deploy it. TDS is an Open Group LDAP v3 certified directory, and adheres to industry standards to
maximize application support. It has a number of features that increase administrator usability. For
example, search results can be sorted and viewed as “pages”, and groups can be nested or “dynamic”,
where changes in a defined variable can automatically update the group profile. TDI is for organizations
that require integration of identity data from various repositories throughout the organization, and it
incorporates virtual directory capabilities. TDI can implement very large complex integrations supporting
hundreds of simultaneous synchronizations with enterprise-strength fault tolerance. The product has a
development environment in which a drag-and-drop GUI allows for the customer definition of integration
requirements.
In some customer deployments, TIM supports a user base of more than 1.5 million across thousands
of managed systems. TIM provides a wide range of identity management features, including:

Web-based self-service interfaces with customizable look and feel for end users (for example,
password reset and synchronization), which have been extended to include request and approval
for users’ membership of roles.

A role-based administration model for the delegation of administrative privileges, with preventive
checks for the separation of duty violations and exceptions.

A workflow engine for automated submission and approval of user requests.

A provisioning engine to automate the implementation of administrative requests.

Policy simulation allowing the modeling of security policy changes, including what-if scenarios, and
the reporting of issues such as conflicting roles so that these can be resolved.

Business-friendly revalidation (sometimes called access certification or attestation) of granular user
access rights.

Administration management features such as streamlined notification, bulk “to-do” items
management, and task ownership and delegation.

Broad out-of-the-box integration support for disparate applications and systems, and universal
connectors for extending the management model to new and custom environments.

Predefined reports on security policy, access rights, and audit events.
TIM is a J2EE application that provides an extensive range of APIs to provide extensibility and uses
IBM standard middleware as a basis for scalability, performance, and reliability. TDI is used as the basis
for adapters and connectors that manage user accounts on the systems managed by TIM. Most
adapters either operate without remote management or are locally controlled, and all communication
across platforms is secured using SSL protocols. Policies can be configured in TIM using a script based
on JavaScript, and can be made subject to a preview of their impact. Drag-and-drop workflow
definitions in TIM allow integration with other applications and workflow technology.
IBM’s acquisition of Encentuate provided desktop SSO for enterprise applications, enabling the end-
user experience to be simpler by eliminating the need to recall multiple usernames and passwords. It
can also improve security by reducing poor end-user password behavior, and by providing easier
adoption of strong authentication form factors such as smart cards or biometrics, for which it provides
out-of-the-box integration.
TAMeb manages web application security and enforces access control audit policy through
enforcement points that can be placed as a reverse proxy in front of web applications, or through
authorization and authentication plug-ins directly into a web server or application server environment.
It can support over 100 million users and secure thousands of applications. It can also be used to
control wired and wireless access based on identity to applications and data. It integrates with web
applications and servers to provide seamless access to applications and data across the extended
enterprise, and to transactions with citizens, partners, customers, suppliers and employees.
The user’s browser-based request for a resource is dealt with by a resource manager component of
TAMeb called WebSEAL, a reverse proxy that is resident on the web server and responsible for applying
security policy to resources. This policy enforcer component directs the request to the authorization
service for evaluation and, based on the result, allows or denies access to the protected resources.
Access Manager authorization decisions are transferred using the TAM credential, which contains a user
ID, its group memberships, and selected user attributes. The resource manager also integrates with
security token services to implement standards-based identity integration into back-end applications.
TFIM manages a large number of external users’ access to an organization’s portal and application
assets using existing identities (such as username) and federated identity formats (such as OpenID and
information card selectors, like Microsoft Windows CardSpace), without having to manage these
identities within the organization. There is extended integration with Microsoft .NET environments
through a Kerberos token module, and with mainframe environments through RACF PassTicket token-
based access. It also provides implementations of the SAML, Liberty Identity Federation Framework
(ID-FF), WS-Federation, WS-Provisioning, and WS-Trust specifications for federated SSO and web
services identity mediation. A single TFIM deployment can act in different roles concurrently; for
example, identity provider and service provider. In the web services security space, TFIM provides a
secure token service (STS), as defined by the WS-Trust specification, as well as several modules for
invoking the STS from IBM’s WebSphere Application Server, third-party ESBs and WebSphere
DataPower SOA appliances. WS-Trust provides security token validation and mediation, user identity
mapping, and partner key management services to web service endpoints that implement the WS-
Security standard. The federated provisioning components of TFIM provide an implementation of the
WS-Provisioning specification. TFIM is a J2EE application architected using a services model that runs
on IBM’s WebSphere Application Server and also leverages TDS and Tivoli Access Manager for user
authentication, session management and access enforcement.
IBM’s Identity Management products use TSIEM as a common integration point for auditing and
logging. TSIEM is also used in a similar way by other products to provide a broader audit and
compliance perspective.
Tivoli zSecure Suite is the centerpiece of a number of identity- and security-related capabilities that
serve mainframe users. These include IBM Tivoli zSecure Admin and IBM Tivoli zSecure Visual, both
of which enable complex mainframe security mechanisms to be administered more easily than by using
native management systems. IBM provides editions of many of its identity management products that
connect to the mainframe (TFIM, TDS and TDI can run on z/OS or zLinux, while TIM and TAMeb can
run on zLinux), allowing central administrators to connect to the mainframe for routine enterprise-wide
administration.
Customer implementations typically rely on a mix of home-grown expertise and services resources from
either systems integrators or IBM. General knowledge of installing middleware, and expertise around
security or audit and compliance is helpful in tailoring implementations to specific needs.
Implementation times vary widely because of the different types of environment and complexity levels,
but solution deployments typically take a number of months. As policy definition takes up a significant
portion of the time spent on deployment, customers with an already-defined security policy will usually
benefit from reduced timescales for their implementation program.
IBM offers training in various delivery formats on all of the products, as well as an extensive range of
online resources such as datasheets, product documentation and Redbooks.
DEPLOYMENT EXAMPLES
Public sector broadcaster
A large public service broadcaster wanted to centralize its security management and services to replace
a legacy identity management system and enable SOA. It adopted TSPM, TIM, TFIM (including TAMeb)
and Tivoli Compliance Insight Manager. The out-of-the-box provisioning and access management
integration support of the IBM products, along with standards-based support for SOA environments,
were important factors in the customer’s decision.
Global electrical equipment company
A worldwide electrical equipment company with 5,000 employees wanted to improve its user access
and authorization management to satisfy compliance requirements. It particularly wanted to deactivate
access for former employees and for business partners that no longer worked for it. It deployed IBM
IAM (managed identity service), Tivoli Unified Single Sign-on (comprising enterprise, web and federated
SSO) and TIM. This provided a bundled solution for SSO, federation and access provisioning. IBM’s
services support was crucial to its winning the deal, because it was able to offer a fully managed
environment including design, implementation and ongoing management support. IBM charged a fixed
monthly amount for managing changing identity needs.
Fortune 100 company
A Fortune 100 company operating in 30 countries with more than 7,000 systems and one million user
accounts was experiencing difficulty in maintaining its user access rights, particularly deactivating the
accounts of users whose employment had been terminated. It had thousands of “orphaned” service
accounts with no documented authorization, and had no centralized view of user entitlements. Its costs
were high because it required 40 full-time equivalent staff to perform provisioning manually. It deployed
IBM IAM (managed identity service) and TIM. This provided a centralized view and ongoing certification
of entitlement data, it eliminated orphaned accounts, and significantly decreased operational support
costs for user provisioning and helpdesk calls relating to password resets.
IBM North America
590 Madison Avenue
New York
NY 10022
USA
Tel: +1 (800) 426 4968
Email: askibm@vnet.ibm.com

IBM (United Kingdom) Ltd.
P.O. Box 41
North Harbour
Portsmouth, PO6 3AU
UK
Tel: +44 (0)1475 898073
Email: ibm_crc@uk.ibm.com

www.ibm.com/tivoli
MICROSOFT:
Microsoft Forefront Identity Manager 2010 and Associated Products
CATALYST
Microsoft is a mainstream competitor in the identity and access management (IAM) space. Microsoft
has a distinctive profile, and has significantly enhanced its offerings under the Forefront brand with
Forefront Identity Manager (FIM) 2010 and its associated products, which build upon the foundation
provided by AD and Microsoft’s thought leadership in the conceptual area of online identity. The offering
is tightly integrated with key elements of the Microsoft infrastructure such as Outlook and SharePoint,
allowing administrative work in areas such as user-group definition to be leveraged. With its portfolio of
IAM products, Microsoft has strong capabilities in areas such as integrating internal and external
identities, and extending corporate identity infrastructure into cloud services and partner networks.

Microsoft promotes identity management as an extension of the Windows and Office environment.

The architecture of the suite is unique. While most of the expected identity management functionality
exists within the Microsoft portfolio, it is not where users who are familiar with competing products
would expect to find it.
KEY FINDINGS
OVUM VIEW
While no identity management system deployment can be categorized as cheap or easy, organizations
that are Windows-centric will find FIM 2010 and its associated products to be an attractive option.
Microsoft’s approach builds on tools that the organization already uses and configuration data that exist
in the corporate AD. The recent advances in FIM show Microsoft’s commitment to identity management,
while its moves to embrace industry standards and its visionary work on the Identity Ecosystem show
that it has awareness of wider business needs beyond the Microsoft ecosystem.
CHAPTER 7: MICROSOFT – MICROSOFT FOREFRONT IDENTITY MANAGER 2010 AND ASSOCIATED PRODUCTS
187
TECHNOLOGY AUDIT
Strengths:
Microsoft’s view of identity management embraces services on the Internet.
Many components of the portfolio are available through ubiquitous Microsoft
products such as Windows, Office, .NET or AD.
Microsoft supports application developers in delivering access management.
Weaknesses:
This offering requires an environment that is predominantly built on Microsoft
products.
Key Facts:
Microsoft now embraces all major standards in IAM.
Recommendations

Organizations with a commitment to Microsoft in the data center will find the company’s offerings a
natural progression into IAM.

Organizations that have concerns about maintaining strong access controls as they move into the
cloud will be reassured by the level of investment that Microsoft has made in meeting this
requirement.

Organizations that need to enroll large numbers of external (non-employee) users into their IAM
system will find that Microsoft’s perspective resonates with their requirements.
SOLUTION OVERVIEW
Microsoft offers integrated identity management across heterogeneous systems and groups, including
IT professionals, end users and developers. Its offering is characterized by its deep integration with
familiar Microsoft products; for example, it uses AD as its foundation, and provides user self-service
capabilities through the Office and SharePoint interfaces. It also uses workflow that is embedded in
existing products such as the Outlook client.
Microsoft’s complete IAM offering is delivered through the following products and services:

Forefront Identity Manager (FIM) 2010.

Windows Server AD Federation Services (AD FS) 2.0

Windows Identity Foundation (on .NET 3.5).

Windows Azure AppFabric Access Control 1.0.

Forefront Unified Access Gateway (UAG) 2010.

Windows Server AD Domain Services (AD DS) and AD Lightweight Directory Services (AD LDS)
2008 R2.

Windows Server AD Certificate Services.

CardSpace 1.0.
Microsoft’s approach to identity management is built on the concepts of its Identity Metasystem, which
is formulated to provide an “identity layer” that is missing from the Internet. “Claims” are transmitted as
digitally signed tokens, conveying one or more of the subject’s identifiable attributes, asserted by the
person or organization that has signed the token. When logging in to a business system, the required
claims would typically be the name and affiliation of the user. The tokens could use the Kerberos or
SAML formats, which are transmitted using the WS-* protocols.
The relationship between the components is shown in the architecture diagram in Figure 1.
Windows Server AD provides the Identity Management Platform, which enables the integration of the
various aspects of IAM.
FIM provides a web service API and facilities for delegation, workflow and connectors. It lets users
create workflows that model business processes, and then attach them to requests. A compliance
auditor can use this workflow as documentation of the approval process. Workflows that are built on
Windows Workflow Foundation can be used in FIM. New activities, including approval and notification,
can be defined on Windows Workflow Foundation within Microsoft Visual Studio. The FIM API also
provides extensible activities, workflow and schema. FIM can be accessed through several clients,
including an Internet portal and Outlook.
Microsoft’s customers benefit from having an identity management infrastructure that reuses the
familiar products and interfaces in their existing Windows and Office products. Kerberos can be used
to synchronize identity information across environments, and also across partner organizations. The AD
account is used directly for log-in to Windows computers, to authenticate sign-in to Microsoft
applications, and to provide SSO to other platforms and applications that support Kerberos, certificates
or LDAP bind for user authentication. FIM allows users to reset their passwords from a locked
workstation through a self-service dialogue.
Microsoft has started to build a range of cloud identity infrastructure services and components. Azure
AppFabric Access Control helps organizations to build federated authorization into their applications
and services, without the complicated programming usually required to implement application control
beyond corporate boundaries. The service provides applications with a front-end that performs the
authentication and claims transformation, and interacts with the application using the WS-Trust and
Open Authentication (OATH) protocols. The application then has only to process the claims in these
messages.
Figure 1: Microsoft Identity and the Cloud (Source: Microsoft)
SOLUTION ANALYSIS
Authentication technology
Microsoft’s FIM manages the lifecycle of passwords and certificate-based credentials such as smart
cards. It also distributes soft OTPs for credential enrollment.
The company has also developed CardSpace, which as well as being a secure technology for
authenticating personal identity on the Internet, can also be used in the corporate identity management
field. It is useful for providing access to the systems of partner organizations, and could be used for
employee access, particularly from remote locations. It allows users to assert claims relating to their
identity that are backed-up by an identity provider with a recognized level of assurance. CardSpace
provides the identity selector interface. In the corporate context, an employer could provide its employees with
such an identity, which would by definition provide the same level of assurance as an internal identity
in the corporate directory. In the same way that it could be used within the organization that issued it,
the identity could be used to authenticate the user to a business partner. It is implemented as a .NET
component of the Windows client or Server operating systems, and is hardened against spoofing or
tampering. The client’s user interface can also be secured with two-factor authentication if required.
Enterprise and web SSO
Active Directory Federation Services (ADFS) 2.0 provides easy access to applications both on-premise and
in the cloud using a claims-based infrastructure. It provides an SSO experience for end-users looking to
access applications in the enterprise, in the cloud, and in partner organizations. It is based on industry-
standard protocols including WS-* and SAML, and enables heterogeneous applications to interoperate.
ADFS federates with ADFS in other organizations, as well as with platforms from other vendors.
User provisioning
User provisioning is based on FIM Set management, which controls provisioning to connected Microsoft
systems, as well as to third party systems. Groups are managed in AD (the authoritative corporate source
of identity information) and visualized through Outlook and SharePoint.
While FIM does not extend AD’s core functionality, it provides services to synchronize identities between
AD and other identity sources, databases and systems, including those on non-Microsoft platforms.
FIM can provision PKI certificates and OTP systems. It works with Microsoft's Certificate Authority and
third-party CAs to deliver certificates for users. It can also issue soft OTPs for credential issuance.
Password management
FIM adheres to the password policy that is enforced by AD. It provides a self-service password reset facility
based on personal information that the user chooses to provide for this purpose when they initially register
with it (users select a range of personal questions that they want to use from a menu, and register the
answers to these). Before resetting their password, the user has to supply correct answers to a subset of
these questions that FIM selects at random.
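The registration-and-challenge flow just described, as an added illustration that is not Microsoft FIM code: users register answers to questions picked from a menu, and a reset must answer a random subset of their registered questions. The question menu, the salted-hash storage, the answer normalisation and the lockout threshold are constructed for this example.

```python
"""Question-and-answer gate for self-service password reset.

Added illustration, not Microsoft FIM code. Answers are stored as salted
PBKDF2 hashes, each challenge draws a fresh random subset of the user's
registered questions, all challenged answers are checked in constant time,
and repeated failures lock the self-service path. Menu, thresholds and
normalisation rules are constructed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample menu; a real deployment would offer many more questions.
QUESTION_MENU: Dict[str, str] = {
    "q1": "Name of your first school?",
    "q2": "City where your parents met?",
    "q3": "Make of your first car?",
    "q4": "Name of a childhood friend?",
    "q5": "Surname of your favourite teacher?",
}

PBKDF2_ROUNDS = 50_000


def _normalize(answer: str) -> str:
    """Fold case and whitespace so 'Oak  Park ' matches 'oak park'."""
    return " ".join(answer.strip().lower().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


@dataclass
class Registration:
    answers: Dict[str, Tuple[bytes, bytes]]  # question id -> (salt, hash)
    failed_attempts: int = 0
    locked: bool = False


class ResetGate:
    MIN_REGISTERED = 4   # answers a user must register
    CHALLENGE_SIZE = 2   # questions asked per reset attempt
    MAX_FAILURES = 3     # consecutive failures before lockout

    def __init__(self) -> None:
        self.users: Dict[str, Registration] = {}

    def register(self, user: str, answers: Dict[str, str]) -> None:
        """Store salted hashes of the chosen answers; plaintext is never kept."""
        if not set(answers) <= set(QUESTION_MENU):
            raise ValueError("unknown question id")
        if len(answers) < self.MIN_REGISTERED:
            raise ValueError(f"register at least {self.MIN_REGISTERED} answers")
        stored = {}
        for qid, answer in answers.items():
            salt = secrets.token_bytes(16)
            stored[qid] = (salt, _hash_answer(answer, salt))
        self.users[user] = Registration(stored)

    def challenge(self, user: str) -> List[str]:
        """Pick the subset of registered questions to ask, using a CSPRNG."""
        reg = self.users[user]
        if reg.locked:
            raise PermissionError("account locked for self-service reset")
        return secrets.SystemRandom().sample(sorted(reg.answers), self.CHALLENGE_SIZE)

    def verify(self, user: str, responses: Dict[str, str]) -> bool:
        """True only if every challenged question is answered correctly."""
        reg = self.users[user]
        if reg.locked:
            return False
        # The response must cover exactly one challenge's worth of registered questions.
        if len(responses) != self.CHALLENGE_SIZE or not set(responses) <= set(reg.answers):
            return self._fail(reg)
        all_ok = True
        for qid, given in responses.items():
            salt, expected = reg.answers[qid]
            # Check every answer even after a mismatch so timing does not reveal which one failed.
            all_ok = hmac.compare_digest(_hash_answer(given, salt), expected) and all_ok
        if not all_ok:
            return self._fail(reg)
        reg.failed_attempts = 0
        return True

    def _fail(self, reg: Registration) -> bool:
        reg.failed_attempts += 1
        if reg.failed_attempts >= self.MAX_FAILURES:
            reg.locked = True
        return False
```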
Access control
UAG provides comprehensive and secure access to corporate resources for employees, partners and
vendors, using both managed and unmanaged PCs and mobile devices. It connects devices to the
corporate infrastructure using protocols ranging from SSL VPN to Direct Access. UAG provides
centralized management of the enterprise’s anywhere-access offering, using built-in configurations and
policies. It monitors the “state of health” of the end-user devices and, using the identity of the end user and
information about the application that they are trying to access, it is able to enforce granular access controls.
Windows Identity Foundation is a component of .NET that provides the infrastructure for the identity and
access control products. It is a developer framework for building claims-aware applications.
Windows Server ADs underpin the operation of the products by maintaining policy and identity information.
AD FS 2.0 helps collaboration across organizations. It is fully integrated with AD authentication services and
can use any information held in AD for the purposes of issuing tokens. Azure’s AppFabric Access Control
service enables more flexible and extensible identity federation between services to be established. AD FS
federates to both other AD FS and all the major third party environments.
Administration and policy management
FIM manages identity-based policies across Windows and heterogeneous environments. It provides self-
service capabilities for Office end users, administrative tools and enhanced automation for IT professionals,
and .NET- and WS-*-based extensibility for developers. Administrators can enforce adherence to
centralized access management policies for applications.
PRODUCT STRATEGY
Microsoft is alert to the needs of organizations, and so is providing a unified approach across resources
located in the enterprise and in the cloud. It is working to make it easier for organizations to move into the
cloud and to use hybrid configurations. This strategy is based on its FIM technology. FIM can already
provision and synchronize on-premise directories and cloud services, and Microsoft will expand this range
of capabilities and add new cloud services following the model of Azure AppFabric Access Control.
IDENTITY AND ACCESS MANAGEMENT 2011/12
190
Microsoft’s general long-term objectives are to empower business owners and information workers to
be the decision makers in the identity and access field, to advance capabilities for managing identity
and access for hosted IT services and hybrid scenarios, and to support compliance and the need for
end-to-end identity management. Microsoft is investing heavily in standards and interoperability.
The products described in this report have replaced Microsoft’s Internet Access Gateway, Identity
Lifecycle Manager, and earlier versions of products with the same names.
MARKET OPPORTUNITY
Microsoft’s integration of enterprise and web access controls is consistent with its long-established
culture of embracing the Internet, and places it in a good position for developing its identity
management market. It will also benefit as identity management adoption moves down into more
medium-sized businesses, where Microsoft is in a strong position.
GO TO MARKET STRATEGY
Microsoft sells to all market sectors, to all types and sizes of organization, and in all geographic regions.
It also uses all types of partner channel to reach its customers, and has educated, certified and trained
thousands of partners in using its Identity and Access (IDA) solutions. Microsoft works mainly through
value-added resellers to reach the smallest companies (those with less than 50 employees), while its
own direct sales organization focuses on the mid-market and enterprise sectors.
FIM is most likely to be adopted by organizations with a strong process-oriented culture, with most FIM
deployments in organizations of at least 500 employees.
Its primary global system integrator partners are Avanade, Accenture, HP (EDS), Wipro, Unisys, Oxford
Computing, Quest, Globeteam, Securitay, and Microsoft Services.
FIM deployments require a significant services input. This is in line with other IAM projects, as
integration between the business and the technology is the crucial requirement for success.
The diversity of the Microsoft Identity Management portfolio’s component parts is reflected in their
different sales models:
• FIM and Forefront UAG are sold with perpetual licenses on a “per user” and “per server” basis.
• AD FS and AD Domain Services and AD CS are part of Windows Server 2008.
• CardSpace is part of Windows Client.
• AppFabric Access Control, a software-as-a-service offering that is part of Azure, is sold by
transaction.
• Windows Identity Foundation is part of .NET and is available as a free download.
IMPLEMENTATION
FIM requires Windows Server 2008 on a 64-bit platform, SQL Server and .NET.
Management agents and connectors link to remote systems on Linux, Unix and mainframe platforms,
and APIs are provided for communication with application databases on these platforms. Microsoft
provides 19 of these agents out-of-the-box for Microsoft (such as Exchange or SQL Server) and non-
Microsoft (such as Lotus, Oracle or SAP) environments, while its partners provide other connectors.
These use various protocols, including LDAP. Where no other form of interconnection is possible, the
connectors simply export a text file. Partners such as Identity Forge provide connectors for RACF, ACF2
and Top Secret mainframe services, which synchronize identities across platforms but do not share
authentication or provide SSO.
Microsoft is adopting a services-based approach to access control for external services. FIM currently
works with hosted SharePoint and hosted Exchange services, while ADFS and Live can federate to
Azure. In future, private clouds built on Azure, clients and Microsoft applications will also be covered, as
FIM will be able to communicate with other applications that support the OATH and SAML protocols.
CHAPTER 7: MICROSOFT – MICROSOFT FOREFRONT IDENTITY MANAGER 2010 AND ASSOCIATED PRODUCTS
191
The Azure AppFabric Access Control services can link to cloud services using non-Microsoft technology
such as Amazon or the Gmail identity service. ADFS can also authenticate directly to Salesforce.com
and other services, but has to be configured for each service individually. Organizations wanting more
general integration with external services are better advised to use AppFabric Access Control Service,
as this provides many-to-many integration.
DEPLOYMENT EXAMPLES
Microsoft IT
Microsoft IT provides application development resources and technical support to Microsoft’s 90,000
employees worldwide. It promotes employee productivity and collaboration, while maintaining the
highest level of information security. Microsoft IT has deployed FIM 2010 to streamline identity
management, save costs, and improve user productivity.
Microsoft IT is a large organization, with 208,000 user accounts, 472,000 security and distribution
groups and 2,300 distinct corporate applications. It faces increasing requirements for system
interoperability and compliance complexity, as well as pressure to be more efficient. Before moving to
FIM 2010, it adopted a bespoke group management application to support centralized group policy
authoring and provide limited self-service for group management. However, this was costly to maintain,
and did not meet the needs of users. Microsoft wanted a better solution, as well as to remove the heavy
workload of handling password reset requests manually.
Microsoft IT had also deployed the company’s Identity Lifecycle Manager 2007 product from its
inception, but decided to upgrade to FIM and extend its coverage to include the additional requirements
it faced. It worked with the product development team for FIM 2010, specifying development priorities
and enabling rigorous field testing of the product in a production environment. The joint target was to
migrate 50,000 users and 75,000 groups to FIM 2010 by January 2010. During the transition process,
while the old and new infrastructures were running in parallel, Microsoft IT used AD Domain Services
to create separate organizational units for the two applications and to define a discrete set of
permissions for each. This allowed employees to view groups in both applications, while applying
changes to only one location. Employees are now able to reset their own passwords and provision their
own smart cards, although Microsoft IT recognizes that it will not be able to handle all such requests
automatically; for example, when an employee forgets their registered answers to the challenge-
response questions.
Microsoft IT is using the extensibility of FIM 2010 to customize it to Microsoft’s unique business rules.
It has suggested the following guidelines to enterprises deploying the software:
• Define business rules and requirements before beginning the upgrade.
• Determine the best approach to migrating groups: phased or simultaneous.
• Start with a pilot deployment.
• Minimize re-synchronization of the rule base between new and old systems (if applicable) by
configuring rule changes ahead of the deployment.
Microsoft IT has experienced substantial savings and efficiency improvements due to the automated
password reset capability, and simplified compliance reporting through the centralized policy-based
management. It can now audit all identities, credentials and resources, along with business rules and
events, from a centralized repository.
Scott Wilson
Scott Wilson is a global construction company that provides strategic consultancy and professional
services. It is headquartered in the UK, but has 80 locations around the world and 6,000 employees. It
wanted to unify its IT systems and make all of its key IT services available to employees through its
intranet portal. While previously it had separate AD services for its UK and international operations, the
company wanted to improve its user provisioning process.
Scott Wilson engaged the Oxford Computer Group, a Microsoft-Gold-certified partner, to handle the
implementation of Microsoft FIM 2010. It started by integrating the UK human resources and finance
systems, the corporate portal and the two AD systems. This allowed users to be enrolled just once,
instead of three times, and provided a single and accurate view of employee identities and access rights
across the business. The next phase of the project is to introduce workflows to automate routine
provisioning and resource management tasks globally. Users will be able to set up accounts and reset
passwords themselves, saving money and giving faster access to services. The system will be
integrated with Microsoft Outlook 2010 to send an automated email message to a line manager so that
they can authorize or reject provisioning requests with a single click. Scott Wilson is already benefitting
from reduced help desk costs, and from reduced waiting times for employees needing access to
resources.
Microsoft Corporation
One Microsoft Way
Redmond
WA 98052-6399
USA
Tel: +1 (800) 642 7676
Email: via Microsoft Support website
www.microsoft.com

Microsoft Limited
Thames Valley Park
Reading
RG6 1WG
UK
Tel: +44 (0)844 8002400
Email: via Microsoft Support website
www.microsoft.com/uk
NOVELL: Novell Identity Manager 4 Advanced Edition
CATALYST
Good people, effective processes and efficient performance are the core components required to
achieve strong operational results. However, in isolation, they are not enough, and organizations
increasingly require intelligent management systems to maintain control over who can access their
systems and information resources across enterprise, virtual, and cloud-based environments. Effective
identity management is the key to organizing access, and solutions such as Novell Identity Manager 4
Advanced Edition are needed to control enterprise access, reduce the risk of exposing sensitive data,
and help to maintain compliance.
• This is an enterprise-class identity and access management (IAM) product that has the scalability
and high availability required to deal with large, complex and diverse operating environments.
• Novell’s approach of bringing together IAM and compliance to provide a foundation for enterprise IT
governance, risk, and compliance (GRC) is a strategy that will find favor across most industry verticals.
• The requirement for organizations to manage identity and user access across physical, virtual, and
cloud environments is fully addressed by Identity Manager 4.
KEY FINDINGS
OVUM VIEW
The latest release of Novell Identity Manager (r4) uses identity to deliver intelligent user authentication
and access control, user protection, and compliance across physical, virtual, and cloud environments.
Intelligent, Cloud-ready and secure is the message that Novell is promoting. In Ovum’s opinion the
focus on delivering identity-management services that are able to operate across mixed environments
is well timed, and bringing together IAM and enterprise compliance is a good strategy.
The simplification of identity management is another key message that Novell is keen to promote. It
makes the valid point that some of the company’s major competitors still struggle to deliver integrated
SSO, provisioning and role management because of the disconnected nature of the IAM tools that they
have acquired and have to work with. By contrast, Novell Identity Manager has been built as a
homegrown configuration-centric product that eliminates most external coding requirements.
CHAPTER 7: NOVELL – NOVELL IDENTITY MANAGER 4 ADVANCED EDITION
197
TECHNOLOGY AUDIT
Strengths:
• Allows organizations to be open and agile without compromising security or control.
• Integrates and automates secure access for customers, partners and employees.
• Maintains past and present visibility of people, their actions and company
compliance.
Weaknesses:
• The Advanced Edition separates sophisticated operational usage from the more
basic Standard Edition demands, but does allow customers the right to be
selective.
Key Facts:
• An enterprise solution that supports policy-driven access control to applications
from data center operations to the cloud.
Included with the product set are tools such as Novell Designer, which allows customers to connect
enterprise systems and configure workflows into the live environment using a business-focused drag-
and-drop interface. The drag-and-drop approach also extends to provisioning and role-mapping for
third-party roles and permissions to create a consolidated roles database.
In the immediate future, the IAM sector is unlikely to get away from its perceived position of being over-
complex and providing technology that organizations only deploy across areas of the business where
cost and complexity overheads can be fully justified. Novell is working hard to reduce total cost,
complexity, and management effort, and is succeeding on a number of levels. That notwithstanding,
each new technology wave adds extra user protection requirements, and Novell’s enterprise-level
product-development efforts will need to be sustained if it is to maintain its position.
Recommendations
• Organizations that are looking to protect enterprise, virtual, and cloud operations would benefit from
considering Novell’s cloud and enterprise-ready IAM offering.
• Novell IAM caters for all market sectors. Its products have particular relevance to highly regulated
industries such as financial services and healthcare. These are also areas where the IAM need is
likely to strengthen as stronger GRC requirements are introduced.
• For company size, Novell’s market is medium-to-large enterprise (5,000 or more employees).
Smaller organizations in specific highly regulated industries can also benefit, but generally the SME
sector is not a target.
SOLUTION OVERVIEW
Novell Identity Manager is an established and mature IAM product set. All major product components
were built in-house by Novell developers and are fully integrated to the extent that the complete solution
works seamlessly alongside enterprise business systems to protect user and operational access.
Figure 1: Novell Identity Manager – A logical view of Novell’s event-based approach to IAM. Source: Novell.
(Diagram not reproduced. It shows user groups – business managers, CISO/compliance/auditor, employees,
customers/partners/contractors, developers and consultants – reaching the product through a mobile webtop,
portal, web services or custom front end; key functional capabilities – credentialing, white pages/self-service/
password management, business resource request, approval workflow, role-based user management/delegated
administration, advanced reporting and metrics, role and policy mapping, compliance content, real-time data
integrity; major components – RBAC model, identity vault, workflow system, historical reporting warehouse, open
APIs, deployment and management tools; and connectors to applications, directories, OS and file systems, help
desk, telephone and building access, databases, and cloud and SaaS services.)
Identity Manager 4 Advanced Edition supports all the core elements of identity management including
directory management, provisioning, role management, SSO, password management and
authentication. It also provides the opportunity to integrate with complementary Novell products such
as Novell Access Manager for web and enterprise access management and Novell Sentinel for SIEM,
regulatory compliance, and analytical and audit-level reporting.
What differentiates Novell from most of its competitors is its event-based architecture. This
differentiation carries over into the latest Identity Manager 4 release, which is based on an event-driven
automated data-integration engine. This means that even in large enterprise organizations with
thousands of users and distributed applications, and with constant changes that can be triggered by a
single event, real-time provisioning ensures the immediate propagation of role changes throughout the
organization, thereby maintaining accuracy and supporting compliance.
Many of the company’s 5,000 or so IAM customers run integrated and sophisticated business
operations. They rely on Novell to tightly control who has access to their data systems, when that
access is allowed, and what data usage rights that access gives. In line with the issues that Novell
customers have highlighted as being important to them, the company has maintained, and in some
cases added, new facilities to the Advanced Edition of its latest release. These include:
• Real-time identity synchronization and password management (also in the Standard Edition).
• Rules, roles, and workflow-based optimal provisioning.
• Integrated policy management for business rules and workflow.
• Provisioning to SaaS applications such as Google Apps and Salesforce.com (also in the Standard
Edition).
• Reporting on user access at the present time (also in the Standard Edition).
• Extended reporting on historic user access using activity reports.
• A tool for integrating permissions (for various siloed applications) to enterprise roles without the need
for coding.
The new Advanced Edition facilities are mainly targeted at enterprise operations where business and
IT have developed identity management requirements that are sophisticated in their event-based
process demands and extensive in their reporting requirements.
An example of this would be an enterprise model where access controls are linked to compliance
requirements, and provisioning services are controlled by business roles and their permissions, and a
constantly up-to-date directory infrastructure.
Within the Novell IAM model, administrators take responsibility for role management and mapping so
that provisioning and de-provisioning services have a direct connection to business roles. This
approach also helps to ensure that new starters’ access rights are added based on their role in the
organization, and leavers can be accurately and completely removed based on their known access
rights. Novell’s role-mapping administrator facility uses a drag-and-drop interface to map third-party
roles and permissions to Novell Identity Manager. It uses this approach to create a consolidated
governing roles database where policy management is made simpler through the use of pre-built hot-
pluggable policy packages that are set up to meet customer and industry requirements.
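The role-to-entitlement model in the paragraph above, and the event-driven propagation described earlier in the solution overview, reduce to one mechanism: an event from an authoritative source changes a user’s roles, and the engine reconciles what the user holds against what the roles now require. The following is an added example of that mechanism; it is not Novell Identity Manager code, and the roles, connected systems, permissions and users are constructed sample values.

```python
"""
Role-based provisioning driven by identity events (joiner, mover, leaver).

Added example of the model described in the text, not Novell Identity
Manager code. Roles, connected systems, permissions and users are
constructed sample values.
"""
from dataclasses import dataclass, field

# Consolidated roles database: business role -> entitlements it confers,
# each entitlement being a (connected system, permission) pair.
ROLE_ENTITLEMENTS = {
    "employee": {("ad", "domain-user"), ("email", "mailbox")},
    "finance-analyst": {("erp", "ledger-read"), ("fileshare", "finance-ro")},
    "finance-manager": {("erp", "ledger-read"), ("erp", "ledger-approve"),
                        ("fileshare", "finance-rw")},
}
BASELINE_ROLE = "employee"   # assumed: every active identity holds this


@dataclass(frozen=True)
class Action:
    op: str          # "grant" or "revoke", sent to the connected system
    user: str
    system: str
    permission: str


@dataclass
class IdentityVault:
    roles: dict = field(default_factory=dict)    # user -> set of role names
    granted: dict = field(default_factory=dict)  # user -> entitlements provisioned
    audit: list = field(default_factory=list)    # (event type, Action) history

    def _required(self, user: str) -> set:
        # Union of the entitlements of every role the user currently holds.
        required = set()
        for role in self.roles.get(user, ()):
            required |= ROLE_ENTITLEMENTS[role]
        return required

    def _reconcile(self, user: str, event_type: str) -> list:
        """Diff what the user actually holds against what their roles
        require and emit one action per difference. Re-running it on an
        unchanged state emits nothing, so replayed events are harmless."""
        have = self.granted.setdefault(user, set())
        want = self._required(user)
        actions = [Action("grant", user, s, p) for s, p in sorted(want - have)]
        actions += [Action("revoke", user, s, p) for s, p in sorted(have - want)]
        self.granted[user] = want
        self.audit.extend((event_type, a) for a in actions)
        return actions

    def handle(self, event: dict) -> list:
        """Apply one change event from an authoritative source (e.g. HR)
        and return the provisioning actions it propagates."""
        kind, user = event["type"], event["user"]
        if kind in ("hire", "role_change"):
            new_roles = set(event.get("roles", ()))
            unknown = new_roles - set(ROLE_ENTITLEMENTS)
            if unknown:
                raise ValueError(f"unknown roles: {sorted(unknown)}")
            self.roles[user] = new_roles | {BASELINE_ROLE}
        elif kind == "terminate":
            # Leaver: dropping every role revokes every known entitlement,
            # because the vault records exactly what was provisioned.
            self.roles[user] = set()
        else:
            raise ValueError(f"unknown event type: {kind}")
        return self._reconcile(user, kind)
```

The point the reconciliation step makes is that de-provisioning is only as complete as the record of what was granted: because the vault tracks provisioned entitlements per user rather than inferring them from the current role, a leaver event revokes everything the user was ever given through this path, and a mover event revokes the entitlements the old role conferred while leaving shared ones untouched. The audit list gives the “who was given what, when, and why” trail the compliance reporting described later relies on.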
Reporting facilities within Identity Manager 4 have also been extended to include facilities that store a
complete range of history records that can be used to provide audit-level information on current and
previous usage patterns when building user-activity reports.
The overall product set provides a scalable, bi-directional, open platform, and data and event-driven
solution. It enables Novell to significantly reduce the complexity of provisioning workflow and role-based
access control to satisfy the complex and in-depth identity management requirements of its customers.
To support cloud-level deployments, Novell Identity Manager 4 provides enterprise-class administration
and scalability, as well as greater connectivity to SaaS-based applications. By ensuring that there is no
single point of failure, Novell delivers a highly scalable high-availability IAM product set.
SOLUTION ANALYSIS
Authentication
Novell SecureLogin provides client-based authentication and SSO services. The technology originates
from ActivIdentity, with Novell acquiring the rights to the code in 2009, which is unusual because it is the
only component of the Novell Identity Manager product set that was not developed in-house. Novell does
provide a number of integrated value-added facilities, including its scalable and fault-tolerant identity-vault
application for storing user-authentication credentials, a strong authentication framework for certificate,
smartcard, token and biometric management, and a common auditing and administration framework.
This component of the Novell Identity Management product set consists of multiple integrated security
systems that provide authentication and SSO to networks and applications. It delivers a single point of
entry to corporate resources, and is delivered using the organization’s chosen authentication security
controls, all of which can be aligned with corporate regulatory compliance and security policy
requirements. A key advantage of combining core-user authentication and SSO services comes from
the ability to eliminate the need for multiple passwords.
Enterprise and web SSO
The delivery of enterprise SSO forms a core component of the Novell SecureLogin solution. Web SSO
is delivered using a proxy-based approach as a component of Novell Access Manager, and provides
web SSO, web access management, and identity federation facilities. It includes standard and strong
authentication, authorization and personalization facilities, and can also utilize data-encryption facilities
to ensure that data are properly protected. Novell Web Access Management features strong federation
capabilities, which help when organizations are looking to move to cloud-based services, and also
addresses a number of challenges for SharePoint users.
The product provides simplified yet secure access to resources for customers, citizens, business partners,
and employees. Importantly, it also delivers native support for Microsoft AD and Oracle/Sun directory
servers, which enables the product to be deployed in any standard identity management environment.
Figure 2: Novell Identity Manager – A logical view of Novell’s event-based approach to IAM. Source: Novell.
(Diagram not reproduced. It shows the Identity Manager approval workflow engine and Access Manager
exchanging events that trigger workflow and workflow that triggers events, backed by an active workflow
repository; remediation triggers and event collection feeding Sentinel; and the Identity Manager data
integration engines, with a replicated identity vault, publishing and subscribing change events to directory,
email, database, application and other connected systems.)
Provisioning and role management
Novell prides itself on being one of the few IAM vendors to have developed its own integrated identity
management solution in-house rather than via acquisition. This includes all directory services, user-
provisioning, role-management, and access management components.
Novell also provides configuration-centric provisioning and role-management technology that virtually
eliminates the need for additional coding. Novell Designer, an Eclipse-based product, allows
business analysts to connect enterprise systems and configure workflows using a non-technical drag-
and-drop interface. Completed configurations can be deployed directly into production environments.
Its role-mapping administrator tool operates using the same business-focused approach for mapping
third-party roles and permissions to Novell Identity Manager roles, to create a consolidated
infrastructure.
Provisioning and role management is delivered using browser-based web application facilities. They
provide a business-focused approach to the provisioning environment while exposing workflow-based
provisioning services, delegated administration facilities and end-user self-service tasks. The facilities
allow users to reset passwords, request access to systems or applications, claim and approve or deny
pending actions, and navigate the company’s organizational chart. In Ovum’s opinion, the overall
approach provides a simplified event-based method of provisioning and role management that reduces
the complexity of provisioning workflow and role-based access control.
Password management
In the Novell IAM product set, password-management facilities are used to support the enforcement of
centralized password policies, to generate and distribute new passwords, and to automate the detection
of and response to password change events. Novell password management supports various types of
password approaches, including traditional password and prompt facilities, challenge and response
approaches, self-service password-recovery and reset services, and integration with Novell SSO
facilities.
User dashboards are available to provide a web environment for user self-service. They support a
workflow-based approach to requests for access to password provisioning resources and role
management. Dashboards are also used to maintain user profiles and to access white pages,
organizational chart information and associated password management functions.
Access control
Access controls within Novell Identity Manager reduce the risk of exposing sensitive data to
unauthorized personnel by using control facilities that are intended to ensure that only authorized users
are allowed access. In addition, through the provisioning of appropriate role-based entitlements to
connected systems, Novell Identity Manager facilitates the consistent enforcement of these access
controls throughout the environment. The product’s advanced reporting and monitoring facilities provide
information about the actions of users, how their access rights are being used, and the activities they
perform. Novell offers monitoring and reporting services that work with and maintain both current and
historical information resources. This approach introduces the ability to take into account current and
past information and provide intelligence-led reporting.
The primary roles of access control are to manage and restrict access to information systems and
networks to the right people at the right time, to streamline the delivery of security and regulatory
compliance efforts, and, through its automated services, to cut back on compliance-related costs. It
achieves this by using operational intelligence to understand when the state of identities, and the
roles and entitlements associated with them, changes in the enterprise. From this position of strength,
accurate decisions can be made about who is given access to which systems, and the information
provided can be extended to cover issues such as why and how critical information resources are used.
PRODUCT STRATEGY
Novell is a leading provider of security management solutions. Its IAM products are used across all
market sectors, particularly in areas such as financial services, healthcare and the government sector,
all of which have to maintain strong compliance commitments.
The drivers for IAM continue to be regulatory compliance and the fear of unauthorized users gaining access
to an organization’s intellectual property. New and updated regulations continue to emerge and because of
this, the need remains for more inclusive governing mechanisms based on identity management.
To address these ongoing needs, organizations require agile IAM systems that can quickly and
efficiently respond to policy and operational changes to ensure that day-to-day operations remain
properly protected under all circumstances. Novell believes that these requirements play well with its
current approach to identity management, which includes its simplified policy management services and
its increased focus on delivering and proving compliance.
Another important issue that Novell is proactively addressing with its latest IAM strategy is the ability to
support mixed operating environments, including enterprise cloud adoption, which is beginning to move
rapidly from board-level discussions to operational reality. Cloud usage constraints rightly include
concerns about data controls and security. Because of this and because mixed operational strategies
that include traditional servers, virtual machines and the cloud have to maintain consistent levels of
security and control, Novell has taken a strong IAM position on cloud services. It has extended its
enterprise policies to SaaS applications and is focusing on the delivery of highly secure cloud services.
Its approach also includes increased support for hosted and MSP identity services that have the
potential to deliver Novell IAM services to the SME market.
Key trading and implementation partners include:
• Global system integrators – ACS, Atos Origin, CSC, Deloitte, Harris IT, Infosys, KPMG, TATA
Consulting Services, Unisys, Verizon Business and Wipro.
• Solution providers/consultants (American markets) – Beacon, Brighton Consulting, Centrinet,
CGA, Compugen, Concensus Consulting, Crescent Enterprise Solutions, Eclipsecurity, EST Group,
Great Northern Consulting, Hub City Media, Identity Automation, Identropy, IDMworks, Ilantus, KIS,
Mycroft, Novacoast, Pivot Point Security, Simeio Solutions, Stage 7 Software Systems, Tenet, TriVir,
Victrix and Vigilant.
• Solution providers/consultants (Asia Pacific markets) – Directory Concepts, Microware Limited,
NCS, SecureWorx, Senetas, Tecala and Xynapse.
• Solution providers/consultants (EMEA markets) – ADVNET, Atheos, Business Connexion,
B2Lateral, Cambridge Technology Partners S.A., Deron, Didas, Engineering Group, G+H Netzwerk-
Design, IDFocus, IT Quality, Maintainet, NetFlex, Network Solutions, Prolink, Pulsen, Ubusha
Technologies and Value Team.
Novell supports three product-licensing options: perpetual licensing, a subscription approach, and a hosted
software agreement model. All include a common approach to discounting, which is tiered by volume.
Novell has a clear development roadmap in place for IAM. Four broad themes are addressed:
• Simplification, which will involve making Novell products easier to consume. The approach is
supported by Novell’s intention to make its IAM products multi-tenant-friendly and therefore more
attractive to managed service providers.
• Content, which will focus on providing greater out-of-the-box business relevance, particularly in the
area of compliance.
• Packaging, which will include adapting Novell IAM capabilities to forms that are more suited to
current and future enterprise usage.
• Supporting services, for the company’s Intelligent Workload Management strategy, which will deliver
new administration and management capabilities.
IMPLEMENTATION
Organizations primarily deploy Novell Identity Manager to automate manual processes or to replace
homegrown and/or failing first-generation provisioning and compliance-management solutions. The
implementation resources required vary by project, but are defined by project size and core identity
management and business logic issues. Under normal circumstances, the number of users does not
make a significant difference other than during the migration phase, where there might be data
population requirements. Overall project timescales can also vary and be reduced if undertaken using
professional services from Novell Consulting or a certified partner.
Novell provides three support options:

Standard Maintenance delivers 12-hour, five-day access to support services during the heaviest
business hours. US support services are 6am to 6pm Mountain Time, EMEA support is 8am to 8pm
Central European Time, and Asia Pacific support is 7am to 7pm local time.

Priority Maintenance delivers 24/7 support with a four-hour response time, and a one-hour response
time for severity one issues.

Premium Service provides a single engineer-led point of contact for all support queries. Nominated
engineers understand the customer’s technical environment and are required to respond to
problems within one hour.
Novell offers a wide range of product-training services, and technical-enablement training and
certification courses. For Novell Identity Manager 4 Advanced Edition, it recommends as a minimum the
free technical overview and introduction course. There are also Identity Manager upgrade courses, two
administration training courses and self-study kits with exam-based certification, and advanced courses
aimed at systems integrators, consultants and IT engineers.
DEPLOYMENT EXAMPLES
Vodacom SA
Vodacom SA is South Africa’s leading cellular telecommunications provider. It supports the
communications requirements of more than 30 million customers across 40 African countries. The
company’s range of services covers wireless broadband, Internet services, enterprise solutions, VPN
and supporting infrastructure services. Vodacom selected Novell’s user-provisioning technology to
provide user-lifecycle and risk-management facilities for its 30 million external users and to deliver
traditional role-based provisioning and SSO start-up services for its 5,000 call-center agents. After
integrating Novell’s user-provisioning services with its own IT stack to provide workflow, portals, service
catalogue and configuration management, the company now uses Novell to manage customer and
account access to its range of business services.
GaVI
GaVI is a European provider of health management services. It employs about 500 staff and has been
a Novell customer since 2006, using its identity management solutions to manage the IT infrastructure
for more than 34 insurance companies. With between five and 10 million user seats in permanent use,
GaVI has deployed Novell’s identity management technology for company-wide use to control access
to all legacy applications and to support its role management processes. Federated usage of the Novell
product set also provides access to SAP, PeopleSoft, and Oracle applications, and it uses Novell
Sentinel for compliance management and central reporting, and for reviewing its corporate security
status.
CHAPTER 7: NOVELL – NOVELL IDENTITY MANAGER 4 ADVANCED EDITION
203
Western & Southern
Western & Southern is a Fortune 500 company that provides life insurance, annuities, mutual funds and
investment management through its member companies. The company is one of the 10 highest-rated
life insurance groups in the world according to Standard & Poor’s, and has assets in excess of $42
billion. As the foundation of its identity management platform, Western & Southern uses Novell Identity
Manager to automatically synchronize user identity information across multiple systems including
Novell eDirectory, Microsoft AD and Microsoft Exchange. Novell Access Governance Suite includes two
components that help Western & Southern to meet new compliance requirements: Novell Roles
Lifecycle Manager simplifies access control based on user roles; and Novell Compliance Certification
Manager automates the monitoring, reporting, and remediation of access privileges.
Uvex
Uvex is a global leader in the manufacture of personal safety and protection equipment, and one of the
fastest growing companies in Germany. Its subgroup, Uvex Sports, also manufactures protective
equipment for skiing, cycling and motocross. Uvex uses Novell Identity Manager to synchronize identity
data for approximately 1,600 user accounts across key business systems such as SAP ERP, Lotus
Notes and Cisco Call Manager, along with other self-service applications. With Novell Identity
Manager automatically reflecting changes across all connected systems, Uvex no longer needs to edit
multiple user directories to maintain users. While simplifying and accelerating the creation and
management of user accounts, Novell Identity Manager also reduces human error by eliminating the
need to re-key information into multiple systems. It also increases security by immediately removing
access rights to all systems for employees who leave the organization.
Interroll
Interroll is a manufacturer of motorized rollers, belt drives and conveyor modules for handling, storage
and automation. The company has grown internationally, and now employs more than 1,300 people in
over 30 countries. Interroll evaluated several possible solutions before choosing Novell Identity
Manager. The initial implementation of Novell Identity Manager involved its integration with Novell Open
Enterprise Server, Novell ZENworks and the cloud-based Microsoft BPOS and Citrix solutions. The
requirement was to achieve automatic synchronization of all user directories. Using Novell, when a user
account is created, edited or deactivated, the new information flows through all these systems,
eliminating the need for administrators to make the same changes to each system.
Novell corporate headquarters
404 Wyman
Suite 500
Waltham
MA 02451
USA
Tel: +1 (781) 464 8000
Fax: +1 (781) 464 8100
Email: crc@novell.com
www.novell.com

Novell UK office
Novell House
1 Arlington Square
Downshire Way, Bracknell
Berkshire, RG12 1WA
UK
Tel: +44 (0)1344 724000
Fax: +44 (0)1344 724001
Email: contact-uk@novell.com
ORACLE: Oracle Identity and Access Management Suite – Release 11g
CATALYST
Oracle Identity and Access Management Suite is a comprehensive suite of products that covers all the
main areas of identity management functionality, and is now one of the leading products in the sector.
It comprises an integrated suite of products that can be deployed either standalone or collectively. Its
position in the market builds on Oracle’s strong business applications. Identity and access management
(IAM) is a fundamental component for the delivery of both security and compliance, and is also
important in raising the productivity of workers in large and medium-sized organizations.

Oracle’s suite of products has benefited from a series of acquisitions, including Oracle’s recent
acquisition of Sun Microsystems’ products.

The trend for enterprises to rationalize their IT suppliers has boosted Oracle’s products in the IAM
area.
KEY FINDINGS
OVUM VIEW
Oracle has a comprehensive and well-integrated suite of IAM products that offers good value for money
when compared with other competitive offerings on the market. It has been enhanced by Oracle’s
recent acquisitions of Bharosa, Bridgestream, BEA Systems and Sun Microsystems. These have built
out the core capabilities of the suite to the point where it now compares favorably with its major
competitors in terms of breadth of coverage.
IAM is one of the most fundamental components of enterprise IT infrastructure. The effort required to
deploy it matches the role it plays. It has to be deeply integrated with business applications and
processes and with employee roles and organizational structures, and it is becoming increasingly
important to closely integrate with partner systems, cloud services and customer-facing applications.
Choosing an IAM suite is a decision that is important to get right. Organizations should therefore work
with one of their strategic vendors with the resources and stability to ensure continuing support. These
considerations should take priority over the specific feature sets of the product. Nevertheless, Oracle
provides good functionality and open interfaces for identity federation across collaborating
organizations and for integrating third-party applications into its sphere of influence.
CHAPTER 7: ORACLE – ORACLE IDENTITY AND ACCESS MANAGEMENT SUITE – RELEASE 11G
207
TECHNOLOGY AUDIT
Strengths:
The Oracle suite is built on industry-standard protocols and interfaces.
Oracle has a comprehensive suite of closely integrated products.
Oracle is advanced in both providing identities to cloud SaaS services and using identities from identity service providers.
Weaknesses:
Oracle relies on ecosystem partners for privileged user account control (apart from its Authentication Services for Linux/Unix operating systems).
Key Facts:
Oracle provides or supports agents to bring the most common business applications into its SSO domain.
The positioning of the identity management suite in the Oracle Fusion security middleware and its
integration with Oracle’s GRC strategy places it at the center of the most relevant business concerns.
Recommendations

Enterprises that want to rationalize their IT suppliers and achieve a well-integrated core infrastructure
set, and that have made Oracle a strategic supplier, will find that the Oracle IAM suite provides a
comprehensive and well-integrated solution for their identity and access management needs.

Organizations that use the Sun/Waveset identity management products should migrate to the Oracle
suite to preserve their existing investments and processes.

Although usually most applicable to medium-size and large organizations, Oracle provides a useful
and viable suite for organizations in the 500 to 1,000 employee range.
SOLUTION OVERVIEW
Oracle Identity Management is an integrated and open set of 14 components that can be licensed as
standalone products or as part of several suites. They cover areas such as identity administration,
access management to web, web services and other applications and systems including SSO and
federation with collaborating organizations, directory services, web services, entitlements management,
real-time fraud prevention, multi-factor authentication, information rights management, and identity and
access governance (functional areas are outlined in the Figure 1 product architecture diagram).
Figure 1: Oracle Identity Management component functions. Source: Oracle
[Architecture diagram; labels recovered from the figure: Enterprise Apps (Oracle LOB/Fusion, ISV), with User Interface and Deploy & Install; Identity & Access Management Product Portfolio, arranged in Access, Identity, Audit and Risk columns and naming OAM, OAAM, OIF, OES, OIM, OIA, ODSEE, OVD, OID, OAS4OS and OWSM; Shared Services (Identity Admin, Provisioning, User Administration, Role Mgmt., Policy Mgmt., Common Audit Framework, Orchestration (BPEL PM)); Core Infrastructure Technology (FMW & IdM); Identity Services (Standards Based): Enterprise, Authentication, Authorization, Virtualization (OVD), LDAP (OID/ODSEE), Federation, Trust, Platform Security for Java, XML; Persistence (Standards Based): DB, File.]
The components are built around an SOA using shared services, both within the suite and across the
wider Oracle environment. For example, functions such as identity administration and password
management, workflow, authentication and authorization, cryptographic services and auditing are
provided as services in the suite, which is positioned as a pillar of Oracle’s Fusion middleware platform
and is a core component of its GRC strategy.
The foundation of an IAM system is the information repository, which is usually implemented in an enterprise
directory or meta-directory system. On top of this are a range of technologies that deliver common services
and functions to the suite. The core IAM products deliver enterprise-level services such as access control,
user identification, audit reports of user actions relating to user provisioning and user access actions, and risk
management relating to the inappropriate use of system and information resources.
The identity services can be placed in tiers relating to their position in the construction of the identity
infrastructure:

Strategy formulation – policy management and trust.

Management of permissions – identity administration, role management and provisioning.

Operational control – authentication, authorization and federation.
SOLUTION ANALYSIS
Authentication technology
Oracle Access Manager (OAM) provides several out-of-the-box authentication protocols, including
form-based authentication, Kerberos, Windows log-in, and support for second-factor authentication
such as RSA SecurID tokens, other forms of OTPs, digital certificates, and knowledge-based
paradigms. It also integrates with 12 third-party stronger authentication products from vendors in
Oracle’s extended independent software vendor (ISV) ecosystem, such as BioKey and Daon.
A useful feature of OAM is its ability to automatically step up to two-factor authentication in situations
where an internal risk assessment indicates that additional assurance is required, as defined in the
organization’s policy. This helps to reduce the risk of fraud through impersonation.
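The risk-driven step-up described above can be illustrated with a small policy evaluator. This is an added example written for this report's readers, not Oracle's OAM code: the signal names, weights and thresholds are constructed for illustration and stand in for whatever the organization's access policy defines. A primary (password) login is scored against contextual signals; below the step-up threshold the session is granted, between the thresholds the user must complete a second factor first, and above the deny threshold the login is refused even if the second factor succeeds.

```python
"""Risk-scored step-up authentication (added example; not Oracle's OAM code)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed policy: weight per risk signal and the thresholds at which policy
# demands a second factor or refuses the login outright. In a real deployment
# these values come from the organization's access policy, not from code.
RISK_WEIGHTS = {
    "unknown_device": 40,
    "new_country": 30,
    "outside_business_hours": 15,
    "high_value_application": 35,
    "failed_attempts_recent": 25,
}
STEP_UP_THRESHOLD = 50
DENY_THRESHOLD = 100


@dataclass
class LoginContext:
    """Context the access manager sees at primary authentication time."""
    user: str
    application: str
    device_known: bool
    country: str
    usual_countries: Set[str]
    hour_of_day: int
    recent_failures: int
    high_value_app: bool


def risk_signals(ctx: LoginContext) -> List[str]:
    """Return the names of the signals that fire for this login."""
    fired = []
    if not ctx.device_known:
        fired.append("unknown_device")
    if ctx.country not in ctx.usual_countries:
        fired.append("new_country")
    if ctx.hour_of_day < 7 or ctx.hour_of_day >= 20:
        fired.append("outside_business_hours")
    if ctx.high_value_app:
        fired.append("high_value_application")
    if ctx.recent_failures >= 3:
        fired.append("failed_attempts_recent")
    return fired


def risk_score(ctx: LoginContext) -> int:
    """Sum of the weights of all fired signals."""
    return sum(RISK_WEIGHTS[s] for s in risk_signals(ctx))


def decide(ctx: LoginContext, password_ok: bool,
           second_factor_ok: Optional[bool] = None) -> str:
    """Return 'allow', 'step_up' or 'deny'.

    second_factor_ok is None until the user has been challenged; the caller
    invokes decide() again with the OTP/token result after the challenge.
    """
    if not password_ok:
        return "deny"
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"                      # too risky even with a second factor
    if score >= STEP_UP_THRESHOLD:
        if second_factor_ok is None:
            return "step_up"               # challenge for the second factor
        return "allow" if second_factor_ok else "deny"
    return "allow"


if __name__ == "__main__":
    ctx = LoginContext("bob", "payments", device_known=False, country="GB",
                       usual_countries={"GB"}, hour_of_day=10,
                       recent_failures=0, high_value_app=True)
    print(risk_signals(ctx), risk_score(ctx), decide(ctx, password_ok=True))
```

The point of the structure is that `decide()` is the only place the application touches; which signals exist and how much each weighs is policy data that the security team can tune without a code change, and the deny ceiling ensures a stolen password plus a stolen token is still refused when enough independent signals fire.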
A key capability of OAM is full-featured session management, giving administrators control over
user sessions.
Oracle provides pluggable authentication modules for privileged users.
Enterprise and web SSO
Oracle’s Enterprise Single Sign-On Suite (ESSO) allows users to access platforms and applications
across the enterprise using a single credential.
Oracle Web Services Manager (OWSM) defines and implements web services security in
heterogeneous environments. It provides tools to manage web services based on service-level
agreements, and supports runtime monitoring in live environments.
In common with all IAM suites, SSO is only achieved when the target systems and applications have
been integrated with the IAM infrastructure. Oracle supports third-party web agents that give access to
a wide range of common business web servers and applications such as Oracle WebLogic and Apache.
Oracle publishes its Access SDK to cater for bespoke and more specialist applications so that
application developers can create agents to link their applications to OAM.
Oracle’s Enterprise SSO product includes a kiosk manager, a password-reset function, an
authentication manager and a provisioning gateway.
User provisioning
Oracle Identity Manager (OIM) is the key user-provisioning and identity administration component that
provides a central platform for managing identities over their lifecycle. Access permissions based on
roles are assigned to identities. User and role administration is performed in a single administrative
console, and these functions share Oracle’s Business Process Execution Language workflow engine.
This provides simplified self-service request management. The workflow can be shared across teams
and supports delegated administration.
Oracle offers role mining as part of a comprehensive identity and access governance product called
Oracle Identity Analytics (OIA). OIA recommends role definitions, and user admin and role admin have
been combined in the same console, with a single integrated workflow to check access permission
allocations. OIA audits and certifies accounts, roles and entitlements. Discrepancies can be flagged to
the resource administrator or to the individual’s manager. Options for handling exceptions include
temporary acceptance of the status quo. A feature called Cert 360 gives a complete view of the state of
compliance around a user, a resource or an entitlement, so that permissions can be reviewed at
appropriate times.
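The certification process described above (comparing what a user actually holds against what the role model says they should hold, flagging discrepancies to a resource administrator or the user's manager, and allowing temporary acceptance of an exception) can be shown as a worked example. This is added illustrative code, not Oracle's OIA implementation; the role model, system owners, users and entitlements are constructed sample data, and entitlements are written as "system:privilege" strings by assumption.

```python
"""Access certification with discrepancy detection (added example; not Oracle's OIA code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed role model: role -> entitlements ("system:privilege") it grants.
ROLE_MODEL: Dict[str, Set[str]] = {
    "claims_adjuster": {"claims_app:read", "claims_app:approve", "crm:read"},
    "finance_analyst": {"erp:read", "erp:post_journal"},
}
# Constructed resource owners, used to route exceptions to the administrator
# responsible for each connected system.
RESOURCE_OWNERS = {"claims_app": "owner.claims", "crm": "owner.crm", "erp": "owner.erp"}


@dataclass
class User:
    uid: str
    manager: str
    roles: Set[str]
    actual: Set[str]          # entitlements discovered on connected systems


@dataclass
class CertItem:
    """One discrepancy awaiting a reviewer's decision."""
    uid: str
    entitlement: str
    kind: str                 # "excess": held but not role-derived; "missing": role-derived but not held
    reviewer: str
    decision: Optional[str] = None      # "revoke", "accept" or "accept_until"
    accepted_until: Optional[str] = None  # ISO date "YYYY-MM-DD" for temporary acceptance


def expected_entitlements(roles: Set[str], model=ROLE_MODEL) -> Set[str]:
    """Union of everything the user's roles grant."""
    out: Set[str] = set()
    for r in roles:
        out |= model.get(r, set())
    return out


def certify(user: User, route_to_manager: bool = False) -> List[CertItem]:
    """Produce one certification item per discrepancy for this user.

    Excess entitlements go to the owning system's administrator (or to the
    manager when route_to_manager is set); missing ones go to the manager as
    a provisioning gap.
    """
    expected = expected_entitlements(user.roles)
    items: List[CertItem] = []
    for ent in sorted(user.actual - expected):
        system = ent.split(":", 1)[0]
        reviewer = user.manager if route_to_manager else RESOURCE_OWNERS.get(system, user.manager)
        items.append(CertItem(user.uid, ent, "excess", reviewer))
    for ent in sorted(expected - user.actual):
        items.append(CertItem(user.uid, ent, "missing", user.manager))
    return items


def record_decision(item: CertItem, decision: str, until: Optional[str] = None) -> CertItem:
    """Record the reviewer's decision; temporary acceptance needs an expiry date."""
    if decision == "accept_until":
        if until is None:
            raise ValueError("accept_until requires an expiry date")
        item.accepted_until = until
    item.decision = decision
    return item


def open_items(items: List[CertItem], today: str) -> List[CertItem]:
    """Items still needing action: undecided, or temporarily accepted and now expired."""
    return [i for i in items
            if i.decision is None
            or (i.decision == "accept_until"
                and i.accepted_until is not None
                and i.accepted_until < today)]   # ISO dates compare correctly as strings


if __name__ == "__main__":
    alice = User("alice", "mgr.smith", {"claims_adjuster"},
                 {"claims_app:read", "claims_app:approve", "crm:read", "erp:post_journal"})
    for item in certify(alice):
        print(item)
```

Temporary acceptance is modelled deliberately: an exception that is accepted "until" a date reappears in `open_items()` once that date passes, which is what prevents a one-off accommodation from quietly becoming permanent access.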
OIM can provision users into SaaS cloud services using bi-directional Service Provisioning Markup
Language (SPML) calls. Popular SaaS applications, including Oracle CRM on Demand,
Salesforce.com and Microsoft Windows Live, are among the types of cloud applications with which OIM
can integrate. Additionally, these cloud services can be incorporated into the scope of the SSO function.
Access control
Oracle applies access controls to applications and data. Oracle Access Management Suite is the key
product here.
Oracle Entitlements Server (OES) allows fine-grained access control to be grafted onto an existing
application. Traditionally in the IT world, application access control has been hard-coded into an
application and has been very basic in its scope, often to the point of being non-existent. OES allows
detailed permissions to be defined and implemented both centrally and outside the application. It is
therefore possible to achieve fine-grained controls without modifying applications.
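The contrast the passage draws, between an access rule hard-coded in the application and one defined centrally and evaluated outside it, is easiest to see in code. The following is an added example and not Oracle's OES implementation: `legacy_can_approve` is the hard-coded style, while `PolicyDecisionPoint` evaluates attribute-based rules held as data, so the application only asks whether a subject may perform an action on a resource and never embeds the rule itself. The policy, attribute names and sample claims are constructed for illustration.

```python
"""Externalized fine-grained authorization (added example; not Oracle's OES code)."""
import operator
from typing import Any, Dict, List

# --- Hard-coded style: the rule lives in application code ------------------
def legacy_can_approve(user: dict, claim: dict) -> bool:
    # Changing the approval limit or adding a region rule means a code release.
    return user["role"] == "adjuster" and claim["amount"] <= 5000


# --- Externalized style: rules are data, evaluated by a decision point ------
OPS = {"==": operator.eq, "<=": operator.le, ">=": operator.ge,
       "in": lambda a, b: a in b}

# Constructed policy. Each rule has an effect, an action, a resource type and
# conditions. A condition compares an attribute with a literal or with another
# attribute (written {"attr": "..."}); that cross-reference is what makes the
# control fine-grained rather than a flat role check.
POLICY: List[Dict[str, Any]] = [
    {"effect": "permit", "action": "approve", "resource_type": "claim",
     "conditions": [
         ("subject.role", "==", "adjuster"),
         ("resource.amount", "<=", {"attr": "subject.approval_limit"}),
         ("resource.region", "==", {"attr": "subject.region"}),
     ]},
    {"effect": "permit", "action": "read", "resource_type": "claim",
     "conditions": [("subject.role", "in", ["adjuster", "auditor"])]},
]


def _lookup(path: str, ctx: dict) -> Any:
    """Resolve 'subject.role' against {'subject': {...}, 'resource': {...}}."""
    obj = ctx
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            raise KeyError(path)          # absent attribute: condition cannot hold
        obj = obj[part]
    return obj


class PolicyDecisionPoint:
    """Evaluates rules first-match; anything unmatched is denied."""

    def __init__(self, policy: List[Dict[str, Any]]):
        self.policy = policy

    def _condition_holds(self, cond, ctx: dict) -> bool:
        left_path, op, right = cond
        try:
            left = _lookup(left_path, ctx)
            right_val = _lookup(right["attr"], ctx) if isinstance(right, dict) else right
        except KeyError:
            return False                  # fail closed on missing attributes
        return bool(OPS[op](left, right_val))

    def is_permitted(self, subject: dict, action: str, resource: dict) -> bool:
        ctx = {"subject": subject, "resource": resource}
        for rule in self.policy:
            if rule["action"] != action or rule["resource_type"] != resource.get("type"):
                continue
            if all(self._condition_holds(c, ctx) for c in rule["conditions"]):
                return rule["effect"] == "permit"
        return False                      # default deny: no matching rule


PDP = PolicyDecisionPoint(POLICY)


def app_can_approve(user: dict, claim: dict) -> bool:
    """The application's call site does not change when the policy changes."""
    return PDP.is_permitted(user, "approve", claim)


if __name__ == "__main__":
    adjuster = {"role": "adjuster", "approval_limit": 10000, "region": "EU"}
    claim = {"type": "claim", "amount": 8000, "region": "EU"}
    print(legacy_can_approve(adjuster, claim), app_can_approve(adjuster, claim))
```

Two design choices carry the security weight: the decision point fails closed when an attribute the rule needs is absent, and the default outcome when no rule matches is deny, so an application that asks about an action nobody has written policy for gets "no" rather than falling through to legacy behaviour.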
FIM
Oracle Identity Federation (OIF) is a standalone product that supports identity federation. It is integrated
with OAM and similar products from other vendors. It communicates with these tools using standard
protocols such as SAML or Kerberos.
Oracle has two approaches for providing identity federation. The first is to deploy a lightweight
component called Fedlet in the domains that wish to federate to the enterprise identity management
system. The other method is to propagate identity across domains using capabilities defined in the WS-
Trust standard and a variety of identity token types such as SAML assertions.
Oracle’s Identity and Access Management Suite also integrates with identity provider services from third
parties including salesforce.com, Google Apps and Oracle on Demand, from which it can accept identity
assertions.
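Accepting an identity assertion from another domain, as described for OIF and the third-party identity providers above, is only safe if the relying party validates it fully before trusting the subject it names. The following added example (not Oracle's OIF code) shows the checks a service provider performs: a known issuer, an intact signature, the intended audience, the validity window with a small clock-skew allowance, and one-time use of the assertion ID. To stay self-contained it carries the assertion as a dictionary signed with HMAC-SHA256 over a canonical JSON form; real SAML assertions are XML documents signed with XML Signature and canonicalized with C14N, but the order and meaning of the checks are the same. The issuer name, shared key, audience and subjects are constructed.

```python
"""Relying-party validation of a federated identity assertion (added example; not Oracle's OIF code)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Constructed trust store: issuer -> verification key (a shared secret here;
# an X.509 certificate in a real SAML deployment).
TRUSTED_ISSUERS: Dict[str, bytes] = {"https://idp.example.net": b"idp-shared-secret-constructed"}
MY_AUDIENCE = "https://sp.example.com"
CLOCK_SKEW = timedelta(minutes=2)


def _canonical(claims: dict) -> bytes:
    """Deterministic serialization; stands in for XML canonicalization."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(claims: dict, key: bytes) -> dict:
    """Identity-provider side: bind the claims to the issuer's key."""
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": sig}


def issue_assertion(subject: str, issued_iso: str, minutes_valid: int = 5,
                    assertion_id: str = "_a1", issuer: str = "https://idp.example.net",
                    audience: str = MY_AUDIENCE) -> dict:
    """Constructed IdP helper: build and sign an assertion valid from issued_iso."""
    issued = datetime.fromisoformat(issued_iso)
    claims = {
        "id": assertion_id,
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "not_before": issued.isoformat(),
        "not_on_or_after": (issued + timedelta(minutes=minutes_valid)).isoformat(),
    }
    return sign_assertion(claims, TRUSTED_ISSUERS[issuer])


class AssertionValidator:
    """Service-provider side: every check must pass before the subject is trusted."""

    def __init__(self, trusted: Dict[str, bytes] = TRUSTED_ISSUERS, audience: str = MY_AUDIENCE):
        self.trusted = trusted
        self.audience = audience
        self.seen_ids = set()   # replay cache; a shared persistent store in production

    def validate(self, assertion: dict, now_iso: str) -> Tuple[bool, str]:
        """Return (True, subject) on success or (False, reason) on failure."""
        now = datetime.fromisoformat(now_iso)
        claims = assertion.get("claims", {})
        key = self.trusted.get(claims.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return False, "bad signature"      # any altered claim fails here
        if claims.get("audience") != self.audience:
            return False, "wrong audience"     # assertion meant for another SP
        not_before = datetime.fromisoformat(claims["not_before"])
        not_after = datetime.fromisoformat(claims["not_on_or_after"])
        if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_after:
            return False, "outside validity window"
        if claims["id"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(claims["id"])
        return True, claims["subject"]


if __name__ == "__main__":
    v = AssertionValidator()
    a = issue_assertion("alice@example.net", "2011-01-15T12:00:00+00:00")
    print(v.validate(a, "2011-01-15T12:01:00+00:00"))
```

The signature is checked before any claim is interpreted, because until it passes nothing in the assertion, including the audience and timestamps, can be relied on; the audience check is what stops an assertion issued for one service provider being presented to another.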
LDAP administration
Directory services are delivered using Oracle Internet Directory (OID), Oracle Directory Server
Enterprise Edition (ODSEE), and Oracle Virtual Directory (OVD) services. OID is an LDAP directory that
has the scalability, availability, and security features of an Oracle database. ODSEE is an LDAP server
that integrates into heterogeneous applications and provides the LDAP directory components that
underpin the IAM system. It synchronizes and manages the information stored in multiple directories
across the enterprise. OVD provides a secure facility to connect applications to existing user identity
stores, whether directories or databases, without modifying the infrastructure or applications.
To satisfy the audit requirements of several compliance standards, Oracle Database Vault can monitor
and manage user access to databases, including the activities of privileged users. Third-party ISVs
such as Cyber-Ark can integrate products into the Oracle stack and can be certified with Oracle.
Oracle provides a reporting engine as a service in the Identity and Access Management Suite. This
incorporates several standard reports as well as providing an interface by which users or service
providers can add customized report formats. The standard reports include identity/access reports, role-
based analysis and compliance exceptions. Reports can be delivered to a separate database. The
suite’s user interface is available in 28 languages.
Standards and authorities
Oracle supports the following industry standards relating to identity management: SAML; SPML; WS-
Federation; ID-FF; LDAP; Directory Service Markup Language (DSML); Transport Layer
Security/Secure Sockets Layer (TLS/SSL); Public-Key Cryptography Standards (PKCS) #11;
PKCS#12; WS-Security and associated profiles; Request for Comments (RFC) 3961 Kerberos
Encryption; RFC 1510 Kerberos; RFC 1964 Kerberos Generic Security Service (GSS); XML Signature;
XML Encryption; XML Canonicalization; XML Key Management Specification; RFC 2630 – CMS; RFC
2515 – PKCS#7; RFC 2634 – Secure/Multipurpose Internet Mail Extensions (S/MIME); Extended Log
File Management; Java Authorization Contract for Containers (JACC); RBAC; Java Authentication and
Authorization Service (JAAS)/Java Platform Security; SOAP; SOAP with attachments; Message
Transmission Optimization Mechanism (MTOM); WS-Policy; WS-SecurityPolicy; WS-
ReliableMessaging; WS-Addressing; WS-MetadataExchange; Advanced Encryption Standard (AES)
256 encryption; Secure Hash Algorithm (SHA) 1 signature; Java Key Store; and XACML.
PRODUCT STRATEGY
Oracle released its first product in this area, OID, in 1999. It has steadily expanded its portfolio since
then through organic development and through the acquisition of specialist vendors. Its recent
acquisition of Sun Microsystems brought it one of the major competing identity management suites,
significantly strengthening its position in the sector. Before this, two important acquisitions were
Bridgestream in 2007, which provided role-management capabilities, and Bharosa, which delivered
adaptive access facilities. In 2005, Oracle acquired the following companies: Thor Technologies, for its
enterprise-wide user-provisioning capabilities; Oblix, with its range of functions, including SSO for third-
party applications; and OctetString, with its virtual directory technology that enabled Oracle to work with
third-party directories. While these acquisitions were specialist vendors, the Sun Microsystems
acquisition resulted in substantial duplication of similar products.
One of Oracle’s tasks moving forward is to rationalize and merge the two product lines. Sun Identity
Manager is now called Oracle Waveset. The convergence process will result in some strategic
components from Sun’s products being added to Oracle’s suite as Sun’s users are gradually eased over
to the Oracle products. OIM will be enhanced with usability, operational and other developer-friendly
features that will make it more familiar to Oracle Waveset users. The integration will also drive
innovation in areas such as risk-based provisioning. Oracle plans to offer migration tools for all Sun
Identity Manager products later in 2010. Sun users are now offered equivalent Oracle products free of
charge. They will be allowed to run both products in parallel, so that they can migrate at their own pace.
Oracle regards the Open SSO Fedlet (now known as Oracle Open SSO Fedlet) and the Secure Token
Service (Oracle Open STS) as strategic components that it has added to the Oracle Identity and Access
Management Suite. It also plans to continue to invest in the Open SSO product.
Oracle has also used the Sun Role Manager (formerly from Vaau) as the foundation for OIA, while the
Sun Directory Server Enterprise Edition has been combined with OID and OVD to deliver a new product
called Oracle Directory Services Plus.
With the recent 11gR1 release, Oracle has delivered on:

Service-oriented security, developing standards-based security services for applications to use.

Suite-wide integration and standardization.

Continued alignment of products with evolving standards from industry bodies such as Kantara,
OASIS and the Cloud Security Alliance.

A unified security administration console.

Suite integration from installation, configuration and policy models, with shared functional
components and platform certifications.

Integrated end-to-end functionality to allow customers to manage user sessions, authentication,
federation, authorization, security token services, web services and risk analysis/fraud prevention.
Two types of migration tools from Sun Open SSO will be added to OAM. The first is a set of policy-
migration utilities, and the second is an agent-compatibility framework that allows Open SSO agents to
communicate and interoperate with the OAM policy server.
Oracle also plans to offer migration tools for Sun Identity Manager to OIM. The first part of this tooling
is to adopt the Identity Connector Framework (part of Sun Identity Manager, SIM) as a strategic framework within OIM,
thereby enabling enterprises to leverage a common framework for integration with target applications
across both provisioning engines. Secondary tooling for migrating data objects, core schema, audit data
and workflow will also be made available.
Oracle goes to market with a direct sales force, and through resellers and other channel and alliance
partners. It has its own sales team in most geographic regions. These include vertical market specialists
and security specialists with a horizontal focus across all industry sectors. It also has dedicated security
experts in its teams dealing with public sector, healthcare, and higher education. Oracle’s major delivery
partners are PricewaterhouseCoopers, Deloitte, Accenture and Wipro, and it has regional partnerships
with SENA Systems, TrewPort, Beacon, Integral and others. Oracle Consulting Services can provide
professional support to customers, and Oracle offers training programs through self-study, online study,
and instructor-led classes.
Oracle’s identity management products are used by organizations of all sizes. However, most of the
deployments are at medium or large organizations. Oracle uses channel partners to deliver the products
to smaller customers.
Oracle offers both perpetual and term licenses for its products. Charges are calculated on a per-
employee user, per-non-employee user or per-processor basis. Oracle publishes a price list on its
website.
IMPLEMENTATION
A deployment project for a major IAM suite requires significant resources over a period of months or
even years, and projects are usually rolled out incrementally. A project is intimately related to business
process changes, and can deliver substantial business benefits. It is therefore essential to receive buy-
in from business managers and to include a business analyst in the deployment team. Experienced
consultants are also a valuable resource. Oracle Consulting and several of its system-integrator
partners such as PricewaterhouseCoopers, Deloitte, HP-EDS, Accenture, Wipro and SENA Systems
can provide professional support.
An incremental approach can be segmented according to business groups, applications and platforms,
and facilities, or to the products in the IAM suite. Oracle has traditionally mainly sold individual IAM
products, but market demand is now shifting toward complete suites. This is partly due to organizations
rationalizing their IT suppliers and favoring comprehensive suites of products over best-of-breed point
solutions, and partly due to a growing realization that the business benefits of a comprehensive
approach are greater than the sum of the benefits of the parts, particularly with respect to delivering
regulatory compliance.
The majority of Oracle’s identity management customers deploy the products on-premise, but Oracle is
providing technology for managed identity services offered by HP-EDS, Wipro, Oracle on Demand and
BT. Users can deploy Oracle IAM products on-premise or use one of these service providers for a
managed on-premise, dedicated hosted, or SaaS solution.
The suite runs on Microsoft Windows, Linux, Solaris, AIX, HP/UX, z/OS and Mac OS platforms. It also
requires a database on which it can be deployed, and this is not included in the license. However, most
customers have an existing database license that they can use for this purpose.
DEPLOYMENT EXAMPLES
Pharmaceutical company
The pharmaceutical industry operates in a challenging environment where it has to balance the needs
of information security and information sharing. It is subject to many regulations, including the Health
Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and Code of Federal
Regulations (CFR) Part 11. At the same time, effective and speedy collaboration, both across the
company and with external partners, is essential for commercial success. This company’s strategy is to
treat authentication as an infrastructure service that each application can use, using OAM and OVD to
build a unified and centralized portal for both internal and external access. This portal offers users a
choice of credential for authentication and ensures that the level of authentication is appropriate to the
level of risk associated with the application. Some of its applications are web-based. It was also able to
offer its employees web-based access to corporate applications through its portal. The SSO capability
has significantly enhanced user productivity and security, by eliminating a plethora of user IDs and
passwords. Oracle’s Virtual Directory provides LDAP and XML views of enterprise information without
moving it from its native locations. It also acts as an intermediary between clients and services that
enhances the security of application connections. It now has 300 applications using its common
authentication services.
Government ministry of defense
This organization oversees all of the country’s military and civilian defense personnel. It needed to
consolidate all of its classified data in a secure and scalable electronic platform. It uses Oracle Identity
Management to provide 100 senior users with secure and seamless access to the information that they
are entitled to access. Their access rights depend on their job function and their security clearance
level. It is important that the identity management product is interoperable with third-party products and
open standards. OVD is used to integrate user identity information from the ministry and armed forces’
ADs. OAM controls and tracks access to confidential documents based on user roles.
Government agricultural authority
This organization administers the distribution of state funds within the agricultural sector, and monitors
the use of these funds. Its services are used by 50,000 users from diverse groups such as farmers,
agricultural businesses, other industrial players and local officials. It has to ensure stable access to
services by all of these groups, provide a seamless integration between its own electronic services and
the government portal that gives access to services such as business and population registers, and
develop services for data capture, processing and monitoring. It deployed OIF and OAM to provide
convenient and efficient access to the required services. It has outsourced the maintenance and
operation of the systems.
Oracle Corp
500 Oracle Parkway
Redwood Shores
CA 94065
USA
Tel: +1 (650) 506 7000
Fax: +1 (408) 720 3725
Email: oraclesales_us@oracle.com
www.oracle.com

Oracle UK
Oracle Parkway
Thames Valley Park
Reading, RG6 1RA
UK
Tel: +44 (0)118 9240000
Fax: +44 (0)118 9243000
Email: uksales_ie@oracle.com
www.oracle.com
RSA (THE SECURITY DIVISION OF EMC): RSA Identity & Access Management
CATALYST
Across all sectors of business there is a need to accurately control who has access to operational
systems. It is a vital element of any security management strategy. Good quality identity and access
management (IAM) is necessary to reduce business risk, minimize exposure to fraud, identify
inappropriate systems use and support the unimpaired use of business systems. The effective use of
IAM breeds trust and confidence in an organization’s business processes. It allows trusted users to
interact with systems and access information securely and selectively. It can also help to control
operational costs through increases in operational efficiency. These are all issues that RSA addresses
with its extensive range of IAM-based identity assurance products.

RSA provides enterprise-class identity assurance products that address the risk and compliance issues
arising in highly regulated sectors such as finance, healthcare, telecoms and government.

The company’s broad range of authentication services addresses all levels of secure access, based on
risk. Its range of authentication methods covers appliance, hosted (SaaS), and on-premise operations.

RSA delivers an enterprise suite of identity assurance products that can also address the IAM
requirements of SME clients.
KEY FINDINGS
OVUM VIEW
RSA provides an extensive range of IAM-based identity assurance products and services, which
collectively, as well as individually, can be deployed to protect the operational systems and intellectual
property of public and private sector organizations and their users. The company’s identity assurance
products have been designed to minimize the risks associated with inappropriate and unauthorized
systems and account usage, and its services have been extended to address fraudulent activity,
accidental data leakage, and information and event monitoring.
The main components of the RSA IAM solution have the capability to deal with business-specific identity
assurance issues. This is achieved by combining the essential elements of credential management,
authentication and contextual authorization with an integrated Intelligence layer that actively addresses
access control, activity monitoring, information sharing and a growing range of management alerting
and reporting requirements.
CHAPTER 7: RSA (THE SECURITY DIVISION OF EMC) – RSA IDENTITY & ACCESS MANAGEMENT
217
TECHNOLOGY AUDIT
Strengths:
• Provides best-of-breed identity assurance and access control products.
• Strong multi-factor authentication includes the use of hardware and software tokens.
• Federation facilities allow organizations to securely share and exchange user identities.
Weaknesses:
• Does not provide homegrown user provisioning facilities.
Key Facts:
• Integrates with the main directories from Microsoft, Oracle and Novell.
• Partners with Courion to provide best-of-breed user provisioning facilities.
RSA recognizes that the user and information protection needs of many organizations may start with
the basic requirement to identify and control the access rights of systems users. However, it is also
acutely aware that IAM is just part of a security management strategy that organizations will need to
have in place to fulfill their compliance and intellectual property protection requirements.
Building out from the core components of identity management, content-aware IAM needs to have the
ability to work alongside and integrate its services with other core protection and security management
technology, including DLP, encryption and key management, and SIEM products.
Its competitors would probably argue that, because RSA already owns these additional security management
products, it overstates their worth. However, the counterargument is easier to make.
Most enterprise organizations need to control access to their core information systems, protect the data
that those systems hold and, at the same time, prove to audit and compliance levels that these objectives
have been achieved. RSA has consistently held a market-leading position in the core identity management
areas of strong authentication, user authorization and access control. Ovum recognizes that its content-
aware approach now extends its relevance into information protection and security management.
Recommendations

• RSA technology is suitable for any organization that needs to authenticate users, and verify and monitor intellectual property use across its operations, and where appropriate, to the extended enterprise.
• Vertical markets including financial services, government, healthcare and telecoms represent just some of RSA’s areas of success.
• The technology supports the security management initiatives of organizations, from very large international groups through to smaller enterprise operations. Its adaptive authentication and transaction monitoring services are used by large enterprises operating in markets such as financial services to secure online transactions. At the same time, its range of SecurID products is also of value to businesses of all sizes.
• Organizations select RSA identity assurance products to support their regulatory compliance initiatives, to help prevent fraudulent activity, and to increase customer confidence when using online services.
SOLUTION OVERVIEW
RSA provides an integrated set of products that simplify and improve the administration and
management of user identities and access control. Its IAM product suite encompasses the key
components of identity management, including multi-factor and contextual authentication. It supports
the delivery of enterprise-strength access control and extends its services to the provision of federated
identity services, DLP, fraud detection and SIEM.
Its product set comprises integrated technology that extends user authentication from its foundation as
a source of basic identity management to one where continuous control and monitoring of identity,
authentication, access and usage is a fundamental business service.
Within the RSA approach to operational security management, identity assurance is the key to its
service delivery methodology. It brings together an integrated platform of facilities and services that can
be used to help organizations minimize the business risks associated with identity impersonation and
inappropriate account usage. The approach allows trusted identities to freely and securely interact with
and across systems and networks, and provides controlled access to protected information. The key
business and technology deliverables are:

• Credential management – this provides a full lifecycle management and policy administration environment for credentials that are used in the identity verification and assurance processes.
• Authentication – this assures identities to a system, resource or transaction, and is based on the risk involved. Delivery can involve a choice of appliance, hosted (SaaS) or on-premise software. The methods offered span form factors that include both hardware and software tokens.
• Contextual authorization – this enforces access based on a specific risk and business context according to the policy requirements of each organization.
Collectively, this intelligence-based technology approach is used to protect the integrity of identity-
based controls through the monitoring of credentials and activities that allow authorized parties to
access information systems for specific designated purposes.
The key IAM products that RSA uses to deliver these services are:

• RSA Access Manager.
• RSA Identity Protection and Verification.
• RSA Federated Identity Manager.
• RSA SecurID.
• RSA Adaptive Authentication.
Provisioning and role management services are provided through the company’s close partner
relationship with Courion. RSA has chosen to maintain this partnership approach to the delivery of core
IAM services, as it believes that provisioning is a component of IAM that is best dealt with by a
specialist.
Figure 1: The business and technology deliverables of the RSA approach to IAM (Source: RSA)
[Figure: four layers – Credential Management (ID Policy & Credentials Lifecycle: Define ID Policy, Verify Identity, Lifecycle Management); Authentication (User Authentication & Choice of Credentials: KBA & Shared Secrets, Device Identification, One-time Passwords); Contextual Authorization (Access Control & Set-up Authentication: Access Management, Federation between My Company and Partner Co.); Intelligence (ID & Activity Monitoring, Information Sharing & Alerting)]
SOLUTION ANALYSIS
Authentication
RSA provides a wide range of business and user authentication services. Its SecurID product set
delivers strong two-factor authentication facilities that are provided using both hardware and software
tokens. Its digital certificate services can be used to maintain a secure environment for authenticated,
private and legally binding electronic communications. The company’s e-commerce products provide a
secure framework for building cardholder protection and fraud management using a wide range of
authentication and card security services. Its Identity Protection and Verification product set adds
knowledge-based authentication to provide real-time confirmation of customer identities.
The universal requirement is to verify all authentication requests and, through RSA Authentication
Manager, maintain, control and deliver a centrally administered set of policy- and rule-based network
authentication services. RSA provides high-performance and scalability across the product set, and
interoperates with a wide-ranging set of network, remote access, VPN, Internet, wireless and
application solutions.
Adaptive authentication
RSA Adaptive Authentication extends the role of the company’s business and user authentication
portfolio to the web environment. Its Adaptive Authentication products are based on a risk-based
authentication platform that has been developed to provide strong protection for web and voice
communication channels.
Alongside the growing need to provide employees, customers, business partners, suppliers, contractors
and a whole host of other regular and ad hoc users with online access, organizations need to ensure
that this is done in a secure and cost-effective manner. Therefore, the product’s functional role is to
deliver an effective balance between secure authentication, a good quality user experience and cost-
efficient controls.
Adaptive Authentication monitors user activity and its controls are driven by each organization’s
specified acceptable risk levels, policy and user segmentation requirements. It supports a wide range
of authentication approaches including invisible authentication (device identification and profiling); site-
to-user authentication (website assurance using pre-selected personal security images); out-of-band
authentication (phone, SMS or email with security challenges); and OTPs (supported by hardware and
software tokens).
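To make the risk-based decision described above concrete, the following is an added illustration (not RSA code and not part of the original report): a toy policy that scores a login from contextual signals such as device recognition, location change and recent failures, and maps the score to one of the three outcomes a risk-based engine returns: allow silently, step up to a stronger factor, or deny. Every signal name, weight and threshold is an assumption chosen for the example; the sample logins are constructed.

```python
"""Toy risk-based (adaptive) authentication policy.

Added illustration, not RSA code: it shows the shape of the decision that a
risk-based platform makes for each login. Every signal name, weight and
threshold below is an assumption chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed thresholds: below STEP_UP the login proceeds silently; between the
# two the user is challenged with a stronger factor (OTP, phone, SMS, e-mail);
# at or above DENY the attempt is refused and flagged for review.
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 80


@dataclass
class LoginContext:
    """Signals gathered at login time (constructed for the example)."""
    user: str
    device_id: str                 # fingerprint from device identification
    country: str                   # geolocated from the source address
    last_country: str              # country of the previous successful login
    hours_since_last_login: float
    failed_attempts_last_hour: int
    amount: float = 0.0            # value of the transaction being authorised


@dataclass
class UserProfile:
    """What the organisation already knows about the user."""
    home_country: str
    known_devices: set[str] = field(default_factory=set)


def score_context(ctx: LoginContext, profile: UserProfile) -> tuple[int, list[str]]:
    """Return a risk score in 0..100 and the rules that contributed to it."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if ctx.country != profile.home_country:
        score += 25
        reasons.append("login from outside home country")
    # Country changed too quickly since the last login to be plausible travel.
    if ctx.country != ctx.last_country and ctx.hours_since_last_login < 2:
        score += 30
        reasons.append("country changed within 2 hours")
    if ctx.failed_attempts_last_hour >= 3:
        score += 20
        reasons.append("repeated recent failures")
    if ctx.amount >= 10_000:
        score += 20
        reasons.append("high-value transaction")
    return min(score, 100), reasons


def decide(ctx: LoginContext, profile: UserProfile) -> dict:
    """Map the score onto the three outcomes a risk-based engine can return."""
    score, reasons = score_context(ctx, profile)
    if score >= DENY_THRESHOLD:
        action = "deny"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    return {"action": action, "score": score, "reasons": reasons}


# Constructed sample data used by the demonstration below.
ALICE = UserProfile(home_country="GB", known_devices={"dev-laptop-01"})

ROUTINE_LOGIN = LoginContext("alice", "dev-laptop-01", "GB", "GB", 9.0, 0)
NEW_DEVICE_LOGIN = LoginContext("alice", "dev-unknown-7", "GB", "GB", 9.0, 0)
SUSPICIOUS_LOGIN = LoginContext("alice", "dev-unknown-7", "RU", "GB", 0.5, 4, amount=25_000)

if __name__ == "__main__":
    for ctx in (ROUTINE_LOGIN, NEW_DEVICE_LOGIN, SUSPICIOUS_LOGIN):
        print(ctx.device_id, ctx.country, decide(ctx, ALICE))
```

The point of the `reasons` list is auditability: a step-up or denial that cannot be explained to the help desk or to an auditor is hard to tune, so a production engine records which rules fired alongside the outcome.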
Access control
There are four key areas of operational responsibility that fall within RSA Access Manager’s remit:
• Managing risk – by ensuring secure access to web applications within intranets, extranets, portals and all user and customer-facing applications. Access Manager provides a core security-management infrastructure that protects the assets of a business by making it difficult for unauthorized users to access corporate systems. It also provides audit-level reporting facilities that can be used to identify and control unacceptable insider usage and systems abuses.
• Ensuring compliance – user-access controls, policy-management facilities and enforcement services are used to support each organization’s specific compliance requirements. The product’s enforcement and reporting services help IT and C-level business managers to measure the organization’s compliance levels with current internal and external security policies. The product also provides automated reporting that identifies all end-user system and application activity.
• Cost reduction – is achieved by making efficient use of the product’s centralized facilities for the management of user identities and privileges. These services are supported across multiple applications, domains and geographies. The central management approach reduces the overheads of managing fragmented identity systems. It also makes use of SSO facilities, which, through single-source user efficiencies and well-documented self-service help-desk savings, bring further potential cost-reductions.
• Improved end-user experience – is provided through the product’s SSO capabilities. SSO allows multiple applications to be protected by a single access instance. This equates to one secure password having the ability to safeguard access to multiple applications, which, in the right environment, removes the need for users to maintain multiple credentials.
FIM
RSA Federated Identity Manager provides facilities that allow organizations to securely share and
exchange user identities with internal business units, customers and, on a business-to-business (B2B)
level, with third-party business partners. The product is standards-based and has been developed to
work with mainstream industry and web services standards, including XML, SOAP and SAML 2.0.
In today’s interactive business environments, the requirement for closer partner interaction involving
shared information assets makes closer collaboration necessary to maintain a competitive edge. To do this
safely, there is a need to maintain and manage trusted user identities for a company’s own employees and
authorized third parties. RSA Federated Identity Manager maintains strong levels of control by ensuring
the security of authorized users and their transactions. Within the RSA solution, a federated identity is a
single controlled entity that each user is able to use across internal and external areas of the business and
partner websites, with all of these elements being bound by the ties of federation.
Extended security management facilities
RSA has considered the wider business requirements for security management and the range of
protection services that have direct associations with controlling user access and the information
resources that become available once authorized access has been granted. The company’s identity
assurance approach includes the availability of information monitoring and data protection services, and
includes its SIEM, DLP and data encryption products.
RSA DLP provides a best-practice approach to data protection. It includes facilities that enable IT and
business managers to understand the data that are most sensitive to their operational activities, where
it resides, who should be allowed access, and the controls, policies and data encryption rules that are
necessary to provide the required levels of protection and fulfill audit and compliance demands.
RSA SIEM provides activity logs that address the need-to-know elements of identity management,
access control, and data protection. Organizations need to be able to prove how effective their user
controls and information access strategies are. Regulatory compliance often requires this information,
and auditors may well demand it. Through its enVision platform, RSA provides a scalable and relevant
collection of data analysis, alerting, reporting and data storage services.
PRODUCT STRATEGY
RSA has an open-market approach to the marketing of its identity assurance products. Its identity-
driven solutions are relevant to any organization that needs to verify and securely authenticate users
while protecting and controlling access to its intellectual property.
Over 30,000 customers use the company’s range of security products, around 25,000 of which are
users of some or all of the components of its IAM suite. RSA IAM customers include Accor, Alliance &
Leicester, AMD, Credit Suisse, Flybe, Hershey Foods, Kronos and Staffordshire Police.
MARKET OPPORTUNITY
RSA IAM systems are implemented across a wide range of industry sectors including financial, legal,
automotive, consumer and retail, e-commerce, education, energy, government, healthcare,
manufacturing, real estate, technology and transportation. In addition to its vertical coverage, the
company addresses horizontal markets with cross-industry solutions such as regulatory compliance,
consumer identity protection, portal and partner integration, mobile workforce security and digital rights
management. The company’s customers come from every part of the business landscape, and at the
upper end of the scale, the vast majority of the Fortune 100 uses its services.
RSA’s identity assurance products deliver a prompt ROI, providing a quick-win approach to most IAM
projects. Its most significant market opportunities are provided by the following business and market drivers:

• Supporting compliance initiatives through the use of its systems and technologies, so that businesses are able to fulfill their various regulatory compliance commitments.
• Securely enabling workforce mobility and enhancing productivity by supporting the needs of mobile and remote workers (employees, contractors and virtual teams) and their flexible working requirements.
• Preventing fraud and accidental data loss by controlling channel access to information systems and managing the information available to authorized users. This includes securing access to sensitive information across enterprise systems and networks. Its web portal approach has been designed to improve operational efficiency and enable controlled information sharing and self-service capabilities.
GO TO MARKET STRATEGY
RSA operates using a wide range of sales channels, which it targets to support specific customer
needs. These include direct sales, the use of distribution partners, systems integrators, managed
service providers and value-added resellers. Key business partners include EDS, Deloitte, CSC, AT&T,
Wipro and Tata (TCS). Its listed technology partners include BEA Systems, Cisco, Citrix Systems,
Juniper Networks, Microsoft and McAfee. In total, RSA has more than 1,000 certified technology
partnerships.
While RSA believes that it has no single competitor because of the range and breadth of its own
solutions, it mainly competes on end-to-end IAM projects with the large multi-platform vendors such as
IBM, Oracle, Novell and CA, and its information protection products compete directly with Symantec,
McAfee, Websense and CA.
The majority of RSA products are priced on a per-user or per-transaction basis. RSA offers perpetual
and subscription licensing models, and, in addition, annual maintenance contracts are available.
IMPLEMENTATION
Each product within the RSA identity assurance portfolio can be deployed in its own right, or as a fully
integrated component of the overall RSA IAM offering, and each product integrates with the main
directories from Microsoft, Oracle and Novell.
The company’s time-to-implementation averages are typically set at between two and eight weeks.
However, RSA project timescales can range from minutes for a simple deployment of the RSA SecurID
Appliance, through to much longer timescales for the use of multiple product combinations across
complex deployment environments, where projects of over six months are not uncommon.
While RSA can provide the skills required to implement its technology solutions, it also works with a
number of global and regional systems integrators. The technical skills needed to undertake a full
deployment of RSA IAM technology include core domain expertise in the areas of networking, operating
systems administration, directory infrastructures, web architecture, and key development languages
and protocols such as .NET, C, C++, C#, Java, hypertext markup language (HTML), HTTP, SAML,
XACML, XML and web services.
RSA uses a standard plan, design and implementation approach to its deployment methodology, and
each of the respective stages can be broken down into discrete, modular components. Quite
reasonably (given the potential for complexity in IAM projects), RSA recommends that its solutions are
deployed in definable phases; for example, by technology, or within integrated business units.
Ongoing administration for on-premise solutions is seen as an end-user responsibility, and to
emphasize this position, RSA is able to provide several supporting facilities and components using an
SaaS approach. RSA educational services provide user training facilities in the form of a broad set of
courses, which range from instructor-led engagements to online self-service options. The company has
training centers at its regional headquarters in the US, Europe and Singapore, and also has a network
of authorized training partners, each with RSA-security-certified instructors.
Ongoing technical support is provided by RSA, using a three-tier customer support approach:

• Basic support – a value-based option that is intended to meet the needs of non-mission-critical environments on a business hours basis.
• Enhanced support – a comprehensive 24/7 support option that provides round-the-clock remote support and access to RSA’s global network of support centers.
• Personalized support – a personalized support approach that can be tailored to complement RSA service contracts with open access to technical experts on a 24/7 basis.
DEPLOYMENT EXAMPLES
Advanced Micro Devices
Advanced Micro Devices (AMD) is a California-based company that designs and produces
microprocessors, graphics and media solutions. AMD needed to securely authenticate its network of
external users at a higher level than username and password would allow, while retaining user
convenience. It wanted to deploy strong authentication that would eliminate the logistical overheads of
hardware tokens, but still offer high-security standards. AMD selected RSA and has rolled out its
integrated Access Manager and Adaptive Authentication solution for SSO to web applications, with
authentication requirements being based on risk analysis. RSA site-to-user authentication provides a
personal security image and caption that gives users the confidence that they are entering a legitimate
AMD website. Benefits that have been achieved include a 33% reduction in the time taken to arrange
secure web access for new clients, improved convenience and productivity, and reduced compliance-
audit overheads.
UK local authority
Secure communication with central government was vital to this local authority’s operations. For
example, it needed to regularly send information on benefit claimants to the Department of Work and
Pensions and ensure that the correct levels of funding were received back. To have access to
Government Connect, all local authorities are required to achieve Code of Connection (CoCo)
compliance. This requires two-factor authentication as a basic standard for remote access. The
authority deployed RSA SecurID to deliver two-factor authentication based on something each user
knows (a password or PIN) and something the user has (a hardware token). The benefits achieved
included CoCo authentication compliance, quick adoption and take-up by end users of RSA SecurID,
and associated long-term cost savings.
RSA, the security division of EMC
EMC corporate office
176 South St.
Hopkinton, MA 01748
USA

RSA Corporate Headquarters
174 Middlesex Turnpike
Bedford, MA 01730
USA
Tel: +1 (781) 515 5000
Fax: +1 (781) 515 5010
www.rsa.com

RSA UK Ltd.
RSA House, Western Road
Bracknell, Berkshire
RG12 1RT
UK
Tel: +44 (0)1344 781000
Fax: +44 (0)1344 781001
Email: euro.info@rsa.com
CHAPTER 8:
Vendor profiles
ActivIdentity
Company profile
ActivIdentity Corporation (ActivIdentity) is a provider of identity assurance and credential management
solutions for the enterprise, government, healthcare, and financial services markets. ActivIdentity was
formed in 2005, when ActivCard took a new name following its acquisition of Protocom earlier that year.
Both organizations were established vendors in the IAM market, with highly complementary portfolios:
ActivCard’s main focus within the market was authentication, secure remote access, and smartcard
management systems; Protocom’s was Enterprise Single Sign-On (ESSO).
ActivIdentity is headquartered in Fremont, California, and has development centers in the United
States, Australia, and France, with sales and service centers in more than ten countries. Overall,
ActivIdentity has over 4,000 customers, with more than 15 million users of its solutions. Over 60 large
financial institutions are direct users of solutions based on 4TRESS Authentication Server (4TRESS
AS). ActivIdentity recently acquired CoreStreet Ltd., and this acquisition brings in CoreStreet’s Public
Key Infrastructure (PKI) certification technology, distributed identity credential validation system, and
physical access control products into ActivIdentity’s already strong authentication and credential
management portfolio.
Product description
ActivIdentity consists of four product lines that form the foundation of a multi-layered security approach,
and these product lines include:
Strong Authentication: This suite of products ensures that all end-user access controls including remote
access, browser-based, and network-based are all controlled securely. The product suite includes two
authentication platforms:

• 4TRESS Authentication Server (4TRESS AS) is an enterprise-strength, standards-based server that allows organizations to manage authentication, transaction authorization, credential management, and associated audit logging. 4TRESS AS enables authentication services to be shared between applications, so that organizations can use second-factor authentication as flexibly and efficiently as SSO has made password-based access: users are not asked repeatedly for different credentials, and access rights are checked using credentials that the user has already presented. Additionally, it provides administration and management facilities to aid organizations in supporting users’ needs for multi-factor credentials, as well as managing authorization policies, and providing tamper-evident audit log services for all functions undertaken within the solution. 4TRESS AS is configurable to support multiple concurrent authentication policies, for passwords, One Time Password (OTP) devices such as tokens, memorable data, and other schemes. It allows organizations to consolidate access mechanisms to a single mechanism for strong user authentication (e.g. OTP tokens), and for this credential to be recognized regardless of which product line, or service channel, the user wishes to access. 4TRESS AS also supports segregated administration. Transaction authorization is another major feature set within 4TRESS AS, as is the built-in Remote Authentication Dial-In User Service (RADIUS) authentication support.
• 4TRESS AAA Server for Remote Access – supports the remote access needs of organizations by ensuring that all user access is secured using text-based One-Time Passwords (OTP).
Credential Management: ActivIdentity through its ActivID product suite enables organizations to replace
traditional user names and passwords with digital certificates by being able to deploy and manage
smart cards and USB tokens containing a variety of credentials. The product suite consists of the
ActivIdentity ActivID Card Management System which issues and manages digital credentials on
devices, as well as two add-on modules: ActivIdentity ActivID Batch Management System and
ActivIdentity ActivID Identity Registration System – which extends the basic ActivIdentity ActivID Card
Management System capabilities to personalize and encode smart cards as well as comply with the
more advanced PIV standards.
CHAPTER 8: VENDOR PROFILES
227
Security Clients: This product line enhances the aforementioned ActivIdentity product lines by enabling the
use of smart cards and USB tokens across a variety of desktops, networks, and applications, along with
providing users with SSO capabilities. The various products in this product line include ActivIdentity
ActivClient – which secures workstations with smart cards and smart USB tokens; ActivIdentity ActivClient
for Common Access Card – specifically for the U.S. Department of Defense; ActivIdentity SecureLogin – for
SSO capabilities; and ActivIdentity Authentication Client – to handle additional authentication needs.
Authentication Devices: This product line allows organizations to deploy a variety of additional
authentication mechanisms in order to satisfy their individual access management needs. The options
range from Smart Cards, Smart Card Readers, Smart USB Tokens, OTP Tokens, DisplayCard Tokens, and
Soft Tokens to Hardware Security Modules.
ActivIdentity, Inc.
6623 Dumbarton Circle
Fremont
CA 94555
USA
Tel: +1 (800) 529 9499 (Toll-Free)
Tel: +1 (510) 574 0100 (Main)
Fax: +1 (510) 574 0101
www.actividentity.com

ActivIdentity (UK) Ltd.
Waterloo Business Centre
117 Waterloo Road
London, SE1 8UL
UK
Tel: +44 (0)20 79600220
Fax: +44 (0)20 79021985
Aladdin (SafeNet)
Company profile
Aladdin moved into the IT security business after starting out in the DRM space manufacturing HASP
copy-protection dongles. In 1998 it acquired eSafe and its content-security product, in addition to
developing its first USB smartcard authentication eToken offering. The company’s most recent product
addition is the 2008 acquisition of the SafeWord product set from Secure Computing, before the latter
was taken over by McAfee. Aladdin operates in the Americas, Europe, Middle East, Africa and Asia
Pacific. It is headquartered in Belcamp, Maryland and employs around 1,600 people.
In March 2009 Aladdin was acquired by SafeNet’s private equity owner Vector Capital. SafeNet and
Aladdin have operated under common management since that time. On March 31, 2010, SafeNet
acquired the Vector Capital interest in Aladdin, thereby completing the legal combination of the two
security companies. Hence the contact details provided for Aladdin are those of SafeNet. SafeNet is a
security company that provides information security solutions such as data protection, software
licensing and management and industry solutions, professional services around rights management,
SafeNet HSM implementation and web threat analyzer (WTA) audit services.
Product description
SafeWord is focused on providing strong authentication, primarily OTP tokens, that integrate with
directories and VPN access platforms. Its ID&AM platform also includes SSO functionality. The solution
deals with the three core elements of authentication, management, and user access.
The SafeWord product set can provide a variety of authentication options that can be linked to the
specific nature and needs of an organization’s user-base. It offers strong two-factor authentication
capabilities that provide users with controlled access to corporate information. Authentication is
provided through One Time Passwords (OTPs) that are generated either using tokens with a hardware
form factor, or through the use of software and mobile authenticators. In addition, ESP Web Access
Gateway can be used to provide protection for Web applications, portals, and Outlook Web Access, by
incorporating two-factor authentication and SSO.
Access management facilities are provided for internal and external users using secure access
channels and SSO. VPN support is available for products from vendors such as Cisco, Checkpoint,
Nortel, Citrix, and Juniper. Management facilities are also available for the enforcement of corporate
access policies either through the management console or through its integration capabilities with
LDAP, AD, and RADIUS sources.
Organizations that want to provide controlled access to many applications, or use alternative two-factor
authentication mechanisms such as mobile devices, or make the deployment exercise simpler by
providing a platform for user self-service and token enrolment, can use SafeWord’s Enterprise Solution
Pack (ESP). ESP comes with its own Management Console for the enterprise-wide management of
users, tokens and access rights, as well as event logging and reporting.
Another key piece of functionality within the ESP product set is MobilePass – which is a software-based
two factor authentication solution that generates secure OTPs on mobile devices, laptops or desktops.
MobilePass can be deployed on a number of platforms including BlackBerry, Palm, Windows Mobile,
Java ME-enabled devices, SMS Text Messaging, and Windows Desktop. These OTPs can be
generated via a MobilePass application installed on the aforementioned devices to provide secure
access to VPNs, Citrix applications, and Outlook Web Access.
Headquarters (Aladdin and SafeNet)
4690 Millennium Drive
Belcamp
Maryland 21017
USA
Tel: +1 (410) 931 7500
Fax: +1 (410) 931 7524
www.safenet-inc.com

SafeNet UK
Rivercourt, 3 Meadows Business Park
Station Approach, Blackwater
Camberley, Surrey, GU17 9AB
UK
Tel: +44 (0)1276 608000
Fax: +44 (0)1276 608080
Avatier
Company profile
Avatier Corporation is a privately owned organization set up in 1995 and based in San Ramon, CA, with
offices in Dallas, Boston, Chicago, and Denver in the US, and smaller offices in India, the UK, and
Japan. The company has 74 employees in total and has a customer base of over 500. Clients include
the NASA Shuttle operations/United Space Alliance, Harris Corporation, Astra Zeneca, Rockwell
Collins, NTL Group, and MidFirst Bank.
Product description
The Avatier Identity Management Suite consists of the following modules plus SSO functionality,
addressing various aspects of identity management:
• Password Station: This module provides self-service password reset, password management, and
synchronization (GINA interface and Phone interface) capabilities. Employees are allowed to reset
their own passwords and synchronize one password across multiple platforms. This can be done
through the Web browser or through the Password Station Phone Reset Suite module.
• Identity Analyzer: This module provides a holistic view of all user accounts as well as the current
status of these accounts across the entire enterprise systems. It separates accounts that are
currently active from those that have been disabled or deleted.
• Password Bouncer: Password Bouncer can be used for granular enforcement of password policy
and password synchronization; employees are not allowed to select passwords that can be easily
guessed or broken by hackers.
• Account Creator: Account Creator is the company’s user-provisioning and role-definition tool. Using
this, administrators can create accounts for new employees, enforce naming conventions, and
automate home directory management, e-mail set-up, etc.
• Account Terminator: This is the module for user de-provisioning. This module is focused on
compliance, especially SOX, Health Insurance Portability and Accountability Act, and Gramm-
Leach-Bliley (although these are US laws the functionality is also useful for non-US organizations).
Administrators can search for orphan accounts, and disable, enable, and delete an employee’s user
accounts across multiple platforms.
CHAPTER 8: VENDOR PROFILES
229
• Avatier Identity Enforcer: Avatier Identity Enforcer provides self-service role matrix and rights-
management capabilities with SOX support. It includes multi-lingual workflow and custom forms
capability.
• Compliance Auditor: The module helps identify and address compliance gaps. The module enables
role, entitlement, and asset owners to review and approve the access and assets assigned to users
regularly, as well as issuing alerts through emails and other reporting methods.
Avatier Corporation
2603 Camino Ramon
Suite 110
San Ramon
CA 94583
USA
Tel: +1 (925) 217 5170
Fax: +1 (925) 275 0853
E-mail: info@avatier.com

Avatier Corporation
The Pavilions, Kiln Lane
Epsom
Surrey
KT17 1JF
UK

www.avatier.com
Aveksa
Company profile
Aveksa specializes in the supply of access governance and management solutions. The company was
founded in 2004 by a group of industry experts with previous experience in organizations such as
Netegrity, Banyan Systems, and PowerSoft. Aveksa focuses on specific areas of the Identity and
Access Management (IAM) business landscape, such as provisioning and role management – areas in
which organizations have traditionally struggled to align technology-driven services with business
requirements. The company has its corporate headquarters in Waltham, Massachusetts, and regional
offices throughout North America. It also has operational headquarters in London, covering the Europe,
Middle East and Africa (EMEA) region, and its engineering division operates out of Bangalore, India and
Waltham, Massachusetts. The company is privately owned, and backed by leading venture capital
firms, including Charles River Ventures, FirstMark Capital, and FTV Capital.
Product description
The Aveksa Access Governance Platform, comprising the Aveksa Compliance Manager, Aveksa Role
Manager, and Aveksa Access Request and Change Manager, is an access control automation and
management solution that focuses on delivering a business and process-centric approach to controlling
and managing access to corporate information resources. The three modules together constitute an
integrated product; each module however has the capacity to deliver its services independently or as
part of an integrated platform solution:
• Aveksa Access Request and Change Manager: provides a business interface to a streamlined set of
request and fulfillment processes that incorporate the use of embedded policy controls. It ensures that
when user access requests are made, the access granted is appropriate to the user’s functional role in
the business and in alignment with internal policies and rules, and industry regulatory requirements.
• Aveksa Compliance Manager: automates the monitoring, certification, reporting, and remediation of user
entitlements, automating access control services. Aveksa also supports combined use of these monitoring,
certification, reporting, and remediation services, and provides an auditable record.
• Aveksa Role Manager: provides role discovery, role modeling, and role maintenance facilities. The
product enables organizations to build and deploy automated processes for governing and managing
user access requests. It is responsible for role management, which includes the maintenance of service
delivery controls and review processes to ensure that the role management configuration remains fit for
its purpose; this includes role maintenance updates, the revocation of redundant roles, and validation
management to reduce complexity and increase operational efficiency.
The Aveksa product set is supported by secure, non-invasive, automated collection technology that
enables it to acquire user access data (identities, roles, entitlements, groups and access control lists)
from all available information resources including data, systems, hosts, applications, files, file shares,
and directories. Aveksa aggregates and correlates user access data from multiple resources to provide
a unified view that can be analyzed down to individual usage levels and accumulated to provide a
picture of the entire enterprise.
Aveksa Corporate Headquarters
265 Winter Street
Waltham, MA 02451
USA
Tel: +1 (877) 487 7797 (US calls)
Tel: +1 (781) 487 7700 (calls outside the US)
Fax: +1 (781) 487 7707

Aveksa EMEA Headquarters
211 Piccadilly
London, W1J 9HF
UK
Tel: +44 (0)20 79179466

www.aveksa.com
Beta Systems
Company profile
Headquartered in Berlin, Germany with offices in 18 countries, Beta Systems is an integrated, end-to-end
solutions provider for Document Processing, Compliance, Data Processing, and Security. With a customer
base of 1,300 customers and 3,000 running installations, the company has built a reputation as one of
Europe’s leading mid-sized, independent software providers. Beta Systems was founded in 1983 and has
been a listed company since 1997. The company has 600 employees, including its centers of excellence in
Augsburg and Cologne in Germany, and Calgary in Canada.
Product description
Beta Systems provides products for a wide range of areas of Identity and Access Management. These include:
• SAM Jupiter: SAM Jupiter is the company’s user provisioning tool that offers policy-based, user
provisioning and de-provisioning capabilities and automates these tasks, thereby reducing the
operational risk and increasing the level of IT security. The company claims that the SAM Jupiter
Provisioning Server is capable of automating up to 80% of the routine administration tasks that go into
user provisioning. It also offers policy enforcement capabilities along with reporting, auditing, and
delegated administration. The SAM Jupiter agent/agentless connectors enable integration with
applications like MS Exchange, Lotus Domino, and Novell Groupwise, as well as operating systems
from Microsoft, IBM, HP, Sun, Linux, and Novell. Connectors are also available for LDAP, Oracle and
DB2 databases, and Tivoli Access Manager.
• SAM Password Synchronization (SAM PS) tool: Authentication is provided through the company’s SAM
Password Synchronization (SAM PS) tool. It provides single-password access to heterogeneous
platforms and applications. Supported platforms include: Windows NT/2000, IBM z/OS, Novell NetWare
(Bindery, NDS), UNIX (Sun Solaris, HP-UX, IBM AIX), LDAP, and SQL Server. A Web-based self-service
tool, the SAM Password Reset (SAM PR), can be used to reset users’ passwords.
• SAM eSSO: SAM eSSO provides enterprise SSO capabilities. It can be integrated with a number of
Windows, Web and legacy applications through agents/XML parameter files to add SSO capabilities to
them. It is built on High Availability (HA) architecture and provides failover capabilities while supporting
hundreds of thousands of users.
• SAM Rolemine: The integrated SAM Rolemine (created after acquiring ownership of the Rolemine
product from Swiss partner IPG AG) simplifies the process of role identification and definition by applying
pattern-based analytics to existing organization data and security information from the SAM Jupiter
Repository, and optionally from other repositories. It validates the existing role model and ensures
compliance with organizational policies during an ongoing model review process. It can adapt to
business changes by redefining roles and privileges. It works in conjunction with SAM Jupiter’s role-
based administration features to support a more comprehensive role-lifecycle management.
• Beta Agilizer 4Security: Beta Agilizer 4Security is an administration tool that integrates the management
aspects of all the tools mentioned above as well as all the other security aspects of an organization’s IT
systems. It enables the administration and provisioning of services in existing portals, workflows and
Service Oriented Architecture (SOA) platforms and provides a customizable self-service function that
can be rolled out to end users.
Beta Systems Software AG
Alt-Moabit 90d
D-10559 Berlin
Germany
Tel: +49 (0)30 726 118 0
Fax: +49 (0)30 726 118 800
Email: info@betasystems.com

Beta Systems Software Ltd.
Unit 8, Diddenham Court
Lambwood Hill, Grazeley, Reading
Berkshire, RG7 1JS, UK
Tel: +44 (0)1189 885175
Fax: +44 (0)1189 884899
Email: info-gb@betasystems.com

www.betasystems.com
BMC
Company profile
BMC Software, founded in September 1980, has grown both organically and by acquisition. Its notable
acquisitions include PATROL in 1994, BGS Systems in 1998, both Boole and Babbage and New
Dimension Software in 1999, Perform SA in 2001, Remedy in 2002, Marimba in 2004, Identify Software
Ltd in 2006, ProactiveNet in 2007, and Tideway Systems in 2009. Its headquarters is in Houston, Texas,
and its international division is based in the Netherlands. It has an extensive network of offices
throughout the world. BMC research and development offices are located in the US, France, Singapore,
Israel, and India. The company is publicly traded on the New York Stock Exchange.
Product description
BMC’s Identity Management Suite consists of an extensive range of identity- and access-based
solutions for organizational users. However, the company has lost its way as a mainstream IAM
provider and now prefers to market its identity management products as components of the BMC
Business Service Management (BSM) offering.
BMC retains the following IAM products:
• BMC User Administration and Provisioning provides a Web-based User Administration Management
application and processes, and provisioning of the user accounts on target systems (with 24 different
target systems supported). The automated identity management allows users to undertake tasks
independently (e.g. self-registration for access to a particular application, or requesting access to
applications via workflow-based processes that can incorporate approval steps). It adopts a self-
service approach that allows costs and delays to be minimized within business processes. It also
supports auditing every action within the identity management suite, including password resets, login
attempts, and requests for access to applications.
• BMC Password Management enables passwords and related processes (including resets) to be
managed. Integration with the ‘Remedy Help Desk’ solution allows tickets to be raised, and is often
used to log automatically all password reset requests, and enable users to track the progress of their
reset request.
• BMC Audit and Compliance Management is typically used by compliance officers who need visibility
into the organizational identity and access management functions to see which resources and
applications every user has access to, and also view what applications users should not access (often
with reference to users’ roles). It provides the ability to link the audit of access events with the tracking
and trending of access policies, to create a cycle of continual governance and improvement in controls.
Organizations can develop their own policies to manage access to applications and resources, and any
attempted unauthorized actions can be flagged and prevented. A dashboard is provided to give a view
of who has access to what and what each user is doing from an application perspective.
• BMC Access Management provides role-based access control to Web-based applications and
resources. It uses a single interface to enable administrators to manage access rights for identities.
• BMC Federated Identity Manager can relate, and determine the value of, identity information from
different stores, which typically are used by different organizations. It enables users to navigate
seamlessly through different domains of resources. The product supports a broad range of prevalent
standards (SAML, Liberty ID-FF, WS-Federation, and Shibboleth), and may be implemented either
in a closely-integrated fashion with BMC Access Management, or completely independently.
Workflow is available throughout Identity Management Suite, and tasks can involve functions from more
than one of the modules. Workflow tasks are sent to users by automated processes via e-mail, users
therefore do not need a client implementation on their desktop to manage the workflow task.
BMC’s Identity Management Suite solution is strongly integrated with some of the products from BMC’s
BSM portfolio, such as its CMDB; service desk; incident, problem, and change management; and
compliance assurance offerings.
BMC Software, Inc.
2101 City West Boulevard
Houston
Texas 77042-2827
USA
Tel: +1 (713) 918 8800
Fax: +1 (713) 918 8000

BMC Software
Assurance House
Vicarage Road, Egham
Surrey, TW20 9JY
UK
Tel: +44 (0)1784 478000
Fax: +44 (0)1784 430581

www.bmc.com
Courion
Company profile
Courion Corporation was founded in 1996, and was among the first companies to bring the self-service
concept to identity management. The company is privately held, and is backed by several premier
venture capital organizations that are part owners. The company has around 100 employees and its
customer base ranges from large enterprises to medium-sized companies, with implementations
ranging from 500 users to 350,000 users (averaging 20,000 users). Customer organizations include
globally recognized names such as Boeing, Office Depot, and GE. Of the Fortune 500 member
companies, over 60 are Courion customers (as are over 20 of the Fortune 100 list). Among its key
customers in the European market are O2, the Belgian bank KBC, GlaxoSmithKline (which has a global
deal with Courion), Switzerland’s Federal Dept. of Home Affairs, Egg Financial, Capgemini, and
PricewaterhouseCoopers. The company has recently moved its headquarters to Westborough, Mass,
and has sales offices in four other US locations, in addition to a UK-based international headquarters
in Manchester, UK.
Product description
Courion’s Access Assurance Suite version 8.0 (formerly known as the Enterprise Provisioning Suite) is
aimed at simplifying user provisioning, role management, access compliance and password
management. It consists of the following products which are usually used together, but can be deployed
separately:
• PasswordCourier: an automated self-service password management product that enforces
password policies, and enables users to reset and synchronize their own passwords on enterprise
and Web applications.
• AccountCourier: a user provisioning and account management product that allows the definition and
automation of business processes for the complete provisioning lifecycle.
• ProfileCourier: a self-service, profile-management utility that enables users to register and maintain
personal data within existing corporate directories and security databases.
• CertificateCourier: an automated provisioning solution for digital certificates, providing self-service
certificate registration and recovery for existing PKI.
• ComplianceCourier: automates the review process of user access rights for verification,
management, and reconciliation, pushing accountability out to the most appropriate parties; it also
provides employee policy-awareness testing that integrates with automated provisioning
management. The existing ComplianceCourier capability deals with the ‘Segregation of Duties’
concerns that arise out of the US SOX legislation.
• RoleCourier: automates the process of creating and managing roles as well as enforcing a policy-
based role management approach that effectively maps the access rights of user groups to their
corresponding business function.
• Sensitive Data Manager: integrates ComplianceCourier with Symantec DLP to enable organizations to
discover sensitive data, and capture details of user access to it, to verify whether that access is appropriate.
• User Activity Manager: a solution that is capable of integrating identity data with reports and alerts
generated by various security information and event management (SIEM) solutions and log file
monitoring. The ability to also monitor user activity allows filtering out and identifying the users
performing inappropriate activities with the accessed data. Courion utilizes a SIEM integration
architecture that is vendor-neutral, i.e. it is flexible enough to combine data from any SIEM vendor or
log file.
• Compliance Manager for file shares and SharePoint: ensures that all user file access is aligned with
the organization’s security policies and industry regulations. It ranks files according to their risk level,
based on which organizations can profile the user access settings. Administrators can identify user
violations of corporate security policy in SharePoint environments. The solution comes with out of
the box policy definitions, which can also be customized to meet specific requirements.
The company complements its product set with professional services. These services include the
Access Assurance Workshop, Capacity Planning, Identity Mapping, and Self-Service Attainment
programs. Part of the Self-Service Attainment program is a personalized Knowledge Base that
facilitates end-user adoption of self-service applications.
Worldwide Headquarters
Courion Corporation
1900 West Park Drive, 1st Floor
Westborough, MA 01581-3942
USA
Tel: 866 COURION / 508 879 8400
Fax: 508 366 2844

EMEA Headquarters
3000 Aviator Way
Manchester Business Park
Manchester, M22 5TG
UK
Tel: +44 (0)161 2661094
Fax: +44 (0)161 2661393

www.courion.com
Cyber-Ark
Company profile
Founded in 1999, Cyber-Ark is an information security company that specializes in protecting and
managing privileged users, applications, and highly-sensitive information. Cyber-Ark has a customer
base of around 700 global customers, including more than 35% of the Fortune 50 and seven of the ten
largest banks worldwide. Cyber-Ark is headquartered in Newton, Massachusetts, and also has offices
and authorized partners in North America, Europe and Asia Pacific. Cyber-Ark Software is privately held
and backed by venture capitalists, including Jerusalem Venture Partners, Seed Capital Partners (a
SOFTBANK Affiliate), JP Morgan/Chase Partners and Vertex Management.
Product description
Cyber-Ark’s Privileged Identity Management (PIM) Suite is a unified, policy-based solution that
provides security monitoring and management services for privileged user accounts and
their related activities. The suite controls user access to privileged accounts based on user credentials,
monitors and records privileged user sessions, streamlines policy management, integrates with
enterprise systems, and helps organizations adhere to the identity management related audit and
regulatory requirements. Cyber-Ark provides multiple security layers including VPN, file access control,
encryption, authentication, and firewall protection.
The PIM Suite consists of the following modules:
• Enterprise Password Vault (EPV): This module uses Cyber-Ark’s patented Digital Vault Technology
to securely manage and automatically change and log all privileged account activities. The module
is capable of supporting a wide range of platforms including over 50 operating systems, databases,
firewalls, network devices, business suites and key systems. EPV allows integration with an
organization’s existing help desk and ticketing systems, and includes a dashboard that allows users
to create personalized views of all managed devices and privileged accounts. EPV provides the
ability to automatically reconcile passwords without any kind of human intervention. In terms of
automatic user provisioning, EPV utilizing the enterprise directory automatically provisions and
manages all privileged account changes.
• Application Identity Manager (AIM): This module centrally stores and manages all highly sensitive
user and application passwords from within the Digital Vault thereby eliminating the need for storing
hard-coded embedded credentials in applications, scripts or configuration files. AIM ensures that all
credentials get secured and automatically managed and stored within Application Server Data-
Sources and also supports changing passwords on demand.
• Privileged Session Manager (PSM): This module helps capture all user actions in detail, including
keystroke actions and mouse movement. Every action the user undertakes after gaining access to
a target system is monitored and recorded, and user sessions can be viewed later. All recorded
sessions are archived and can be searched and retrieved based on user, system, and date
parameters. The module enables organizations to enforce secure access control and session control
for third-party access. It allows users to log on to the PIM portal using two-factor authentication.
• On-Demand Privileges Manager (OPM): A unified solution that enables organizations to monitor as
well as manage super-users and privileged accounts, OPM also provides a centralized reporting
engine that is capable of providing unified and correlated audit logs. All account usage including the
‘root’ users on UNIX can be set up and controlled based on pre-defined granular access control
mechanisms. The module can seamlessly integrate with SIEM products and also with an
organization’s existing enterprise infrastructure.
Cyber-Ark PIM suite utilizes a Central Policy Manager engine that allows automatic management and
enforcement of all privileged account management policies on local or remote networks across the
enterprise, without the need for human intervention.
Corporate Headquarters
Cyber-Ark Software, Inc.
57 Wells Avenue
Suite 20A
Newton, MA 02459
USA
Tel: +1 (888) 808 9005 or (617) 965 1544
Fax: +1 (617) 965 1644

UK Sales Office
Cyber-Ark Software (UK) Ltd.
Abbey House
1650 Arlington Business Park
Theale, Reading, RG7 4SA
UK
Tel: +44 (0)118 9298430

www.cyber-ark.com
Fox Technologies
Company profile
Founded in 2005, FoxT provides Identity and Access Management solutions. The company is privately
held and headquartered in Mountain View, California, with development centers in Sweden and Mountain
View and sales offices in several countries. FoxT serves Global 1000 customers in 32 countries.
Product description
FoxT ServerControl is a role and agent-based solution supported by central policy-management facilities
that improve the security of operating systems in enterprise server environments by strengthening the
controls over privileged-user access. The FoxT security database is the core component of the solution –
it acts as the central repository that holds the entire database of user accounts, credentials, access rights,
encryption keys, host identities, and related data in the managed network. Administrators manage the
repository via either a graphical user interface (GUI), or by using a command-line interface (CLI).
The solution also supports encrypted remote administration through a browser, and administrator
access is restricted to specific named users and to specific hosts from within or outside the controlled
domain. The BoKS Manager provides the security server platform for the FoxT ServerControl. FoxT
Server Agent is the server software that is installed on each UNIX, Linux, or Windows Server host to
provide the solution’s privileged-user protection and security services, ensuring that every user-access
request follows the settings that have been pre-set in the security database.
The FoxT ServerControl functions as follows:
i) When a user attempts to login to an operating system protected by the server agent, the login request
is sent to an available authentication server, either the master or replica server.
ii) Once the server receives the login request, it compares the security database settings to identify the
authorized access route. This specifies how, from where, and when, a particular user or user group is
allowed to access a resource. The client then sends a further request for a user name to the
authentication server. The server agent communicates with the master (or more typically a replica) server
to obtain any additional authentication details that might be required and are held in third-party systems.
Apart from storing all event logs in the master server, ServerControl captures and records all user
actions in detail, including keystrokes, mouse movement, and any other associated input by using its
inbuilt keystroke-logging function. The system also controls the setup and use of configured warning
messages, which are displayed whenever a user violation takes place. The solution supports a variety
of strong third-party authentication solutions to provide additional authentication for data and systems.
The authentication capabilities that can be configured include physical devices such as RSA SecurID
tokens, SafeNet SafeWord tokens, public key technologies such as certificates, PKI smartcards or USB
tokens, secure shell (SSH) Public Key, SSH Host based, and SSH Certificate authentication. The
solution also supports integrated SSH, which is a multi-service protocol that helps establish a secure
encrypted communication channel between two computers.
FoxT ServerControl provides flexible provisioning facilities. It allows administrators to provision user
accounts across multiple servers running on diverse operating systems. The product integrates readily
with existing corporate directories and identity management systems. FoxT ServerControl controls the
central management of access policies (definition and enforcement) across all heterogeneous
environments via a single web-based administration console. A key component of FoxT ServerControl
is the FoxT Password Vault, which is an add-on module that can be installed on the BoKS Manager
Master server. It can be remotely managed and operated from any configured client through an internet
browser. Password Vault enables organizations to manage specific pre-defined privileged accounts,
configure access controls, and manage logouts of multiple similar password sessions.
FoxT ServerControl provides extensive reporting and auditing capabilities, and maintains searchable
logs with details of all user activities. FoxT Reporting Manager, an additional product, can group audit
and compliance reports into a consolidated view of all access-control policies and data across security
domains.
FoxT Headquarters
883 North Shoreline Blvd.
Building D, Suite 210
Mountain View CA 94043
USA
Tel: +1 (650) 687 6300
Fax: +1 (650) 618 0332

FoxT EMEA
200 Brook Drive
Green Park, Reading
Berkshire, RG2 6UB
UK
Tel: +44 (0)1189 497664
Fax: +44 (0)1189 497001

www.foxt.com
Imprivata
Company profile
Imprivata is a prominent vendor in the field of Identity-based user authentication solutions. The
company was founded by experts in the identity management and biometric fields of IT security, and
has worked on and deployed a number of large-scale digital identity and authentication projects.
Imprivata is a private company with funding provided by Polaris Venture Partners, Highland Capital
Partners, and General Catalyst Partners. It has corporate headquarters in Lexington, Massachusetts in
the USA, and also operates out of San Francisco. Internationally, the company has offices in Watford
in the UK, Antwerp in Belgium, Milan in Italy, and in Singapore. The company has over 800 customers.
Product description
The company’s OneSign product is an appliance-based solution that provides authentication, SSO and
physical/logical access capabilities. These capabilities are packaged as individual modules and are
delivered from within the same self-contained appliance, which has a hardened Linux kernel and an
Oracle 10g database, and is purpose built for user authentication.
The Imprivata OneSign appliance has been designed to provide an SSO environment with strong user
authentication when users request access from mobile, remote, and LAN access channels. They can
switch between sessions on concurrent Windows machines. The product is capable of dealing with user
login requests that are initiated using an extensive range of password, biometric, proximity card,
smartcard, USB token, and ID token approaches.
Three main components form the Imprivata OneSign product set, and they collectively provide a single
authentication management solution for securing electronic systems, networks, and applications, as
well as for integrating with authentication events of physical access for buildings. These are:
• OneSign Authentication Management (AM): provides a range of network authentication services that
have been designed to enable organizations to improve the security of their systems by moving on
from the less secure passwords. OneSign AM supports the use of strong authentication options such
as smartcards, tokens, proximity cards, and biometrics in order to deliver strong user authentication.
The Imprivata OneSign appliance contains a built-in Remote Authentication Dial-In User Service
(RADIUS) host for remote access authentication, and the solution is supported by a single
administration point-of-control that provides easy deployment and management controls. Furthermore,
the Imprivata OneSign solution supports emergency access authentication requirements that are
aligned with the organization’s access control policies. End users who forget their strong authentication
devices can be granted a controlled number of ‘emergency logins’ per month.
• OneSign Single Sign-On: provides application management services to enable setting up each end-
user system and application to be SSO ready. The OneSign Single Sign-On product is able to
achieve this without requiring modifications to be made to any application; the approach instead
involves invoking the use of the Single Sign-On Application Profile Generator™ (APG) facility,
which is an internal component of the OneSign Single Sign-On product. This facility is used to build
a sustainable and unique profile for each application in order for SSO access status to be granted.
This module can identify and learn application login behaviour and automatically capture this
information. The solution integrates with leading provisioning systems through a standards-based
Services Provisioning Markup Language (SPML) interface.
CHAPTER 8: VENDOR PROFILES
237

• OneSign Physical/Logical: this component provides converged access control security facilities so
that organizations can use integrated network and building access systems for unified enterprise
security management. Using OneSign Physical/Logical, organizations can create converged security
policies that cover both physical and IT access requirements. This enables organizations to grant or
refuse network access based on a user’s physical location or employee status. It provides a
smartcard- and token-agnostic approach that interoperates with an organization’s existing physical
access systems.
Working through a single common user interface, the Imprivata OneSign appliance delivers high levels
of identity and authentication control. Its integrated appliance platform format provides a number of
advantages, such as a common user interface between product components, common workflow
processes, and common reporting services.
Imprivata, Inc. (Headquarters): 10 Maguire Road, Building 4, Lexington, MA 02421-3120, USA.
Tel: +1 (781) 674 2700. Fax: +1 (781) 674 2760.
Imprivata, Inc. (EMEA Headquarters): Forsyth House, 77 Clarendon Road, Watford, Herts., WD17 1LE, UK.
Tel: +44 (0)1923 813511. Fax: +44 (0)870 4282554.
www.imprivata.com
Passlogix
Company profile
Passlogix was founded in 1996, and was a privately held company until acquired by Oracle in October
2010. It is headquartered in New York City, and has development offices in Amityville, NY, and sales
offices throughout the USA, and in the UK and Hong Kong. The company has customers from a number
of verticals, including Manufacturing, Financial Services, Healthcare, Telecom, Retail, Oil/Gas, and
National, State and Local Governments, and has sold more than 15 million licenses for its v-GO solution.
Product description
The Passlogix v-GO Access Accelerator Suite for Identity and Access Management includes the
following components:

• v-GO Single Sign-On: the v-GO Single Sign-On Platform is a family of products that provides
enterprise-strength SSO together with complementary offerings covering other IAM requirements, such
as provisioning, and additional login-related facilities for the Windows environment. These
complementary offerings include v-GO Self Serve Password Reset, v-GO Authentication Manager,
v-GO Provisioning Manager, and v-GO Session Manager.

• v-GO On-Demand Edition: the v-GO On-Demand Edition is similar in functionality to v-GO SSO; the
only difference is that it is accessed from a host Web site. v-GO On-Demand Edition can be
administered from outside the installation and enables the end user to access SSO functionality from
anywhere across the enterprise.

• v-GO Shared Accounts Manager (v-GO SAM): provides secure access to systems and applications
for administrators, temporary workers, and others who must share account IDs. It enables shared
credentials to be securely stored and retrieved, with the required authorization and usage tracking
to improve security, increase accountability, and reduce compliance exposure.

• v-GO Session Manager (v-GO SM): helps avoid security risks that arise from the use of kiosks. It is
designed to cater for mobile users, by providing automated termination of inactive sessions and
application shutdown.

• v-GO Provisioning Manager (v-GO PM): handles application credential provisioning automatically; it
provides APIs to integrate automatic provisioning with existing workflows and scripts, and connectors
to integrate with leading provisioning platforms including those from IBM, Sun, BMC, and Oracle.
IDENTITY AND ACCESS MANAGEMENT 2011/12
238

• v-GO Universal Authentication Manager (v-GO AM): enables authentication requests to be
supported by a broad variety of smart cards, biometrics, and tokens. Use of multiple authenticators
is supported, including the definition of a fall-back state in the event that one fails. v-GO AM also
defines authentication levels so that application-based rights can be adjusted depending on the
nature of authentication used.

• v-GO Self Service Password Reset (v-GO SSPR): provides an additional layer to the normal
Windows logon panel for end users – it extends the panel so that the user can reset his or her own
Windows password. Integration with Windows authentication and administration ensures that this is
controlled within the overall Windows framework.
Headquarters: Passlogix, Inc., 75 Broad Street, Suite 815, New York, NY 10004, USA.
Tel: +1 (212) 825 9100. Fax: +1 (212) 825 0326.
EMEA Office: The City Arc, 89 Worship Street, London, EC2A 2BF, UK.
Tel: +44 (0)20 79172754.
Ping Identity
Company profile
Ping Identity provides organizations with commercial IAM solutions and is primarily focused on the area
of Federated Identity. Founded in 2002, and headquartered in Denver, Colorado, Ping is a privately held
company and has over 100 employees worldwide. The company also has offices in Boston,
Massachusetts and Vancouver, Canada. Its current customer base is over 350, and includes
enterprises, government agencies, software-as-a-service (SaaS) vendors and online service providers
worldwide.
Product description
Ping Identity’s software comprises products that cater for the various Federated Identity Management
standards (SAML, Liberty ID-FF, and WS-Federation), and the CardSpace authentication module. Ping
Identity has two key solutions, PingFederate and PingConnect, both of which help organizations
overcome IAM-related issues in their SaaS implementations.
PingFederate provides organizations with a standards-based software solution that enables
management of all external identity connections. Supported connections could range across customers,
SaaS or BPO providers, partners, affiliates, etc. The solution helps organizations to implement web
SSO and identity-enabled web services connections. It also provides multi-protocol support and
automated user provisioning capabilities. The key capabilities of PingFederate include:

• Web SSO – PingFederate allows users to sign on only once, at the primary network access point.
From that point users can seamlessly access other authorized web-based business applications
without necessarily requiring additional password authentication. PingFederate also automates
internet user account setup, update, and removal services, with the intention of eliminating
unauthorized access. Its Advanced Security Token Service capabilities are used to enhance identity
sharing across security domains in a secured manner. PingFederate supports identity mapping,
account mapping, and account linking, and provides flexible, integrated support for all versions of
the SAML protocol (1.0, 1.1 and 2.0), as well as WS-Federation.

• User Provisioning – PingFederate has the capability to directly integrate with all existing corporate
directories to automate the lifecycle elements of account creation, updating, and deletion.
PingFederate allows administrators to control identity management through the GUI-based
administration console. The console can be accessed by users based on their roles, thus limiting certain
specific tasks to selected users. Authenticated access to the Administrator Console can be configured
by directly linking with the LDAP data store and can optionally be secured using X.509 certificates.
PingConnect – The PingConnect solution manages the integration of an organization’s existing user
identities, which are typically held in Microsoft’s AD or another LDAP repository, with any of over 60
leading SaaS offerings (e.g. Salesforce CRM, Google Apps, ADP, Cisco WebEx, Rearden Commerce,
and Concur). PingConnect is cloud-based and, very importantly, provides dynamic integration with the
main identity source (whether this is AD, another LDAP source, Google, or salesforce.com). This
means that no replication of the customer organization’s user identities is required (avoiding privacy
issues), new users can gain access instantaneously, and users leaving the organization are
immediately prevented from continuing to use their access rights. A user’s log-on from salesforce.com
or Google can also be the key used to access these services, a feature that is especially helpful for
smaller organizations, many of which have adopted SaaS-based offerings as their main IT platform for
significant business processes such as sales and collaboration.
Denver (Headquarters): 1099 18th Street, Suite 2950, Denver, CO 80202, USA.
Tel: +1 (303) 468 2900. Fax: +1 (303) 468 2909.
Boston: 230 3rd Ave, 6th Floor, Waltham, MA 02451, USA.
Tel: +1 (781) 373 4850. Fax: +1 (781) 547 4017.
www.pingidentity.com
Pirean
Company profile
Founded in 2002, and headquartered in the United Kingdom, Pirean delivers technology partnerships and
consultancy services for Infrastructure, Service and Security Management platforms utilizing IBM
technologies. The company is privately held and has 70 employees. Pirean is ITIL compliant, with all
staff qualified to ITIL Foundation level; the company also has accredited consultancy status with the
British Standards Institute (BSI). Pirean’s accolades include the IBM ‘Business Partner Innovation
Award’ (2008), ‘Beacon Award Finalist – Outstanding Service Management Tivoli Solution’ (2009), and
the IBM Tivoli Business Partner Service Management Solution Award (2010).
Product description
Pirean’s Access: One provides identity, access and audit management for multiple systems, infrastructures
and security services.
Access: One is a zero-touch user management system for seamless integration with existing user
repositories and access controls. It removes the need for organizations to provision and synchronize
with a separate access management module. Access: One also supports a range of authentication
mechanisms and user repositories, including real-time user authentication irrespective of how many
authentication sources are required (for example, multiple AD instances and Windows Domains). It
supports the management of all authentication and authorization definitions and policies through a
centralized management console. The product also allows organizations to add SSO capabilities,
which can be strengthened through a range of additional secure, multi-factor authentication
mechanisms. The Access: One solution also supports extending Tivoli Access Manager (TAM)
infrastructures across other IAM solutions such as ActivIdentity, Cryptomathic, Entrust, Gemalto, RSA,
Vasco, and VeriSign, utilizing out-of-the-box accelerators.
Compliance: One is a continuous controls monitoring solution. It is largely seen as a solution that can
be used to extend IBM TIM deployments for large scale production environments, as it provides
automation of all business controls. Pirean claims that the company is the most accredited IBM Tivoli
business partner and its Access: One product is available ready for all IBM Tivoli implementations.
Compliance: One complements Access: One deployments, and consists of a risk-based framework and
an attestation engine that allows organizations to flexibly and readily monitor and manage all user
access rights across the enterprise.
Compliance: One allows application access roles to be defined, and provides an easy-to-use interface for
handling access rights, certification tasks, and SME-based certification. The product also enables
organizations to generate reports on user access data. It is also capable of identifying accounts that
have no associated owner and marking them as high risk, which can trigger a quarantine workflow and
account de-provisioning. The product’s rules engine allows organizations to implement a risk scoring
framework to support access and user provisioning decisions.
Hampshire (Head Office): Pirean Limited, Faretec, Cams Hall Estate, Fareham, Hants, PO16 8UY, UK.
Tel: +44 (0)845 2260542. Fax: +44 (0)845 2262742.
London Office: Pirean Limited, One Canada Square, London, E14 5DY, UK.
Red Hat
Company profile
Red Hat is a provider of open source software solutions for enterprise. These include the core enterprise
operating system platform – Red Hat Enterprise Linux; the enterprise middleware platform – JBoss
Enterprise Middleware; virtualization solutions, and other Red Hat enterprise technologies. The company
operates primarily in the US, is headquartered in Raleigh, North Carolina and employs 2,800 people.
Red Hat made a series of acquisitions before entering the IAM marketplace; these include Netscape’s
Directory Server and Certificate System from AOL in 2004, based on which Red Hat open sourced the
directory server in 2005 and the certificate server in 2008. These two projects form the foundation of
the FreeIPA (identity, policy, audit) project, launched in June 2007 and are responsible for building the
community edition of Red Hat Enterprise IPA (RHE-IPA), which was launched in June 2008, with the
core objective of building a full grown IAM solution.
RHE-IPA’s launch overlapped with another acquisition, this time of the identity integration provider
Identyx, and the open sourcing of RHN Satellite. RHE-IPA is focused on providing a holistic IAM solution
that covers both Web-based systems (such as a customer-facing portal) and Operating Systems. From
an OS point of view, it aims to replace the standard Network Information Service (NIS) Unix tool (used
to manage user, group and machine authentication and authorization), hence the acquisition of Identyx,
whose open source Penrose virtual directory helps users to migrate from NIS to the more robust,
feature-rich (and revenue generating) RHE-IPA. Penrose helps to identify and resolve conflicts and
enables a phased migration rather than a ‘big bang’ approach.
FreeIPA’s initial version was focused on pure identity management and authentication. It consisted of an
MIT Kerberos 5 server combined with a Fedora directory server back-end to set up a centralized identity
management solution, using the directory as the username and password store and Kerberos for
authentication and SSO. RHE-IPA also included features such as multi-master replication and support for
online backups, updates and configuration changes to ensure that RHE-IPA services are available on a
24×7 basis. FreeIPA reached version 1.2.1 in December 2008, and its next release (Version 2.0) is aimed
at enabling administrators to centrally manage a broad set of functionalities (such as access control policy,
SELinux policy, etc.) and apply different policies based on machine group, location, user and more.
Version 2 will also focus on delivering support for delegated administrator controls and a centrally
managed system lockdown state. For auditing, this version is expected to provide organizations with the
ability to centrally collect and analyze logs and events and extract management and compliance data.
Product description
Red Hat’s venture into the identity and access management arena is based on the FreeIPA (Identity,
Policy, and Audit) offering, also known as Red Hat Enterprise-IPA. FreeIPA is a Red Hat sponsored open
source project that helps organizations manage identity, policy and audit (IPA) information through its
integrated suite. It is primarily targeted towards networks of Linux and UNIX computers.
Red Hat Directory Server: is an LDAP-compliant server that helps centralize all user profiles, group
data, policies, access control information, and related application settings, under a single network-
based registry. This single repository store of all policies and access information ensures that
administrators can rely on a single directory and single authentication source for all user access across
enterprise or extranet applications. The Directory Server supports SSO access and also provides
support for 64-bit Red Hat Enterprise Linux, HP-UX and Solaris platforms.
Red Hat Certificate System: provides a security framework for managing certificate creation, renewal,
suspension, and revocation activities. It also manages single- and dual-key X.509v3 certificates that are
required to handle strong authentication, SSO, and secure communications. The Red Hat Certificate
System functions as an authentication system that helps organizations manage user access to
resources and data. The Certificate System supports deploying and maintaining a PKI that helps
manage user identities in an effective manner. The system can also integrate seamlessly with
third-party security software and existing applications through published APIs.
FreeIPA/RHE-IPA are Linux- and Unix-centric, which somewhat limits their appeal among end-user
customers. In terms of provisioning, Version 1 of the product provides basic Microsoft AD
synchronization (user identity information and, optionally, passwords), while Version 2 will enable
identity management and authentication from one environment. Merging the product with Penrose also
makes it more flexible for RHE-IPA to deliver a unified view of identity across multiple sources, including
LDAP, NIS, AD and other databases. The offering also links with JBoss workflow technology,
strengthening its overall ID provisioning capabilities.
Red Hat Corporate Headquarters: 1801 Varsity Drive, Raleigh, North Carolina 27606, USA.
Tel: +1 (919) 754 3700. Fax: +1 (919) 754 3701.
Red Hat EMEA Headquarters: Technopark II, Haus C, Werner-von-Siemens-Ring 11-15, 85630 Grasbrunn, Germany.
Tel: +49 89 205 071 0. Fax: +49 89 205 071 111.
www.redhat.com
SailPoint Technologies
Company profile
SailPoint provides identity governance solutions. Founded in December 2005, the company is privately
held and is headquartered in Austin, Texas. Its investors include Austin Ventures, Lightspeed Venture
Partners, Origin Partners, and Silverton Partners. Its customers include Global 1000 and Global 500
companies including five of the world’s top 10 banks, three of the industry’s top insurance companies,
two of the top three managed-healthcare providers in the US, and some of the largest consumer,
manufacturing, and telecom companies in the world. Reference customers include ABN Amro, Allianz
SE, Brightstar, Burlington Northern Santa Fe Railroad, Citizens Bank, Intuit, and Tokyo Electron.
Product description
SailPoint IdentityIQ v4.0 is a risk-based identity-governance solution for managing user access to
critical business systems and the data that they contain. It uses a single-repository approach to
consolidate identity and access data into a single location, and provides extensive reporting services.
Associated capabilities include the formalization and automation of key identity and access
management processes such as access certification, role management, access request management,
and compliance management. Also included are tools for modeling the organizational hierarchy and for
defining roles that will be used to classify access rights.
SailPoint IdentityIQ comprises four key components:

• IdentityIQ Identity Intelligence: facilitates the transformation and consolidation of all technical and
application-specific identity data items into a form that is suitable for business users. It allows
organizations to link their application-specific identities and access privileges. The dashboards can
be further customized to enable authorized users to access reports according to identity-related
metrics. The Identity Intelligence module also provides risk analytics and monitoring capabilities.

• IdentityIQ Compliance Manager: delivers automated compliance processes and is an integrated part
of the solution’s risk services. Two key sets of tasks can be executed through the Compliance
Manager: the automation of processes and the receipt of reports and alerts related to the compliance
status of the organization and all related systems-usage activity. Importantly, Compliance Manager
is used to define and enforce policies that are based on organizational needs as opposed to
technology constraints; the Compliance Manager automatically scans and detects policy violations
and supports defined separation-of-duty policies based on roles and access privileges.

• IdentityIQ Role Manager: provides automated role lifecycle management. It enables a defined,
automated, and technology- and application-agnostic approach to the creation, modification, and
deactivation of roles.

• IdentityIQ Access Request Manager: centralizes the management of all access requests by
providing a workflow-based self-service interface that automates the approval process once a
request has been submitted. IdentityIQ self-service interfaces provide business users with a filtered
option that allows them to modify or request certain types of access according to roles and policy.
IdentityIQ uses its aggregation and correlation engine to associate and bring together all linked data
using a rules system, which stores the data in ‘identity cubes’ – a multi-dimensional representation of
each user offering insight into their attributes, business roles, and access rights. The aggregated data
is used to build a complete organizational picture of who has access to which systems and applications,
and the levels of access provided for each application.
The solution defines risk levels for every user based on their access rights and how they are being
used. For example, a user with privileged access to applications that hold identifiable customer or
account information could be flagged as a high-risk user. IdentityIQ also provides a graphical user
interface for defining roles that is equipped with modeling tools to map complex organizational
hierarchies and other business structures. The volume of business and user-relevant information
available through reports is extensive, and its Business Context Framework extends its reporting
facilities to provide an entitlement glossary and usage tips.
SailPoint Technologies Inc. (US/Corporate Headquarters): 6034 W Courtyard Drive, Suite 309, Austin,
Texas 78730, USA. Tel: +1 (512) 346 2000. Fax: +1 (512) 346 2033.
SailPoint Technologies Inc. (European Headquarters): 145-157 St John Street, 2nd Floor, London,
EC1V 4PY, UK. Tel: +44 (0)845 2733826.
Email: info@sailpoint.com
www.sailpoint.com
SAP
Company profile
SAP is a recognized leader in the enterprise application market, having established its reputation on the
back of its integrated R/3 Enterprise Resource Planning application suite. It is headquartered in
Walldorf, Germany, and was founded in 1972. The company has sales and development locations in
over 50 countries, and approximately 51,000 staff serving around 82,000 customers in 120 countries.
Although SAP states that over 80% of Fortune Global 500 enterprises use its products, and large
enterprises form a substantial part of its market, the company is increasingly targeting the mid-market.
SAP is known for its process expertise, particularly in vertical industries, and has solutions for 25
different industries ranging from aerospace and defense to wholesale distribution. SAP is a publicly
listed company trading on multiple exchanges including the Frankfurt Stock Exchange and the New
York Stock Exchange under the “SAP” symbol.
Product description
The NetWeaver Identity Management suite (SAP NetWeaver IdM) is SAP’s solution for managing user
access across applications and for monitoring adherence to audit and compliance requirements. SAP
NetWeaver IdM uses a role-based mechanism for provisioning users, and also supports all related
processes such as password management, self-service, and approvals workflow. All of SAP NetWeaver
IdM’s capability is delivered as an integrated, open platform component that links access and identity
information with systems, web services, and business processes. The product also works not just with
SAP applications – it integrates with systems and applications across a heterogeneous landscape.
The major capabilities of SAP NetWeaver Identity Management include:

• Identity virtualization – provides an integrated, unified view of each user’s virtual identity, allowing
organizations to leverage existing identity information and access rights across the entire network.

• Data synchronization – ensures that if the user makes any changes to key information in one
application, this is transformed and propagated accordingly to all other related applications as well,
thus ensuring data consistency.

• Provisioning, workflow, and approvals – driven by business rules and definitions of associated
policies. It aligns with access controls and maintenance of user access rights across the systems.
SAP NetWeaver Identity Management streamlines the user provisioning process across SAP as well
as other third-party applications through a certifiable connector framework. This connector-based
framework enables the product to support LDAP directories and JDBC databases, as well as
applications such as Microsoft AD, Microsoft Exchange, and IBM Lotus Notes. SAP NetWeaver IdM
uses a workflow module that enables organizations to set up workflows for all account management
activities, including account creation, modification, deactivation, and deletion.

• Password management – a key feature of SAP NetWeaver IdM; it provides self-service software that
allows users to manage their information through a centralized location for all connected target
systems. It also supports self-service password reset and password synchronization capabilities.

• Roles and entitlements – SAP NetWeaver Identity Management offers role-based access control
based on the NIST RBAC standards. Roles are assigned in alignment with business processes and
users can be assigned roles and privileges which enable secure access to various systems.

• Reporting and auditing – the product provides centralized reporting services. These enable users to
produce reports based on current access and past events. The reports enable organizations to
handle compliance, audit, and related initiatives.
All product activities are managed centrally through the identity console, and NetWeaver IdM also
includes a Web-based Workflow user interface that allows users to reset their password and perform
other self-service activities. The solution also has a monitoring interface that allows administrators to
monitor logs and queue processing. It provides the ability to integrate with SAP Business Suite
applications as well as SAP BusinessObjects GRC solutions.
SAP provides advanced identity management functionality services that are completely based on web
services standards. They provide a standards-based single access point for users to query and manage
identity information.
SAP AG – Parent Company: Neurottstrasse 15, 69190 Walldorf, Germany.
Tel: +49 6227 7 47474. Fax: +49 6227 7 57575. Email: info@sap.com
SAP (UK) Limited: Clockhouse Place, Bedfont Road, Feltham, Middlesex, TW14 8HD, UK.
Tel: +44 (0)870 6084000. Fax: +44 (0)870 6084050. Email: info.uk@sap.com
www.sap.com
Sentillion
Company profile
Sentillion Inc. provides identity and access management solutions primarily for healthcare
organizations. It has systems deployed in local, regional, and national healthcare organizations
including clinics, community hospitals, federal healthcare facilities, and academic teaching institutions.
In February 2010, Microsoft acquired Sentillion. All Sentillion’s products have since been added to
Microsoft’s portfolio of health solutions and the team has been merged into the Microsoft Health
Solutions Group. The Sentillion team will however continue to operate out of its offices in Andover,
Mass., to sell and support its product line, while Microsoft develops long-term evolution plans
combining the two product lines. Sentillion’s context management and SSO technologies will be
combined with the Amalga Unified Intelligence System – a real-time data aggregation solution – to
enable Microsoft to give clinicians real-time insight into patient information.
Product description
Sentillion solutions provide SSO, user provisioning, clinical workstations and virtualized remote access.
Sentillion’s expreSSO is an appliance-based SSO solution developed specifically for the healthcare
sector. It offers out-of-the-box integration options with common applications within the healthcare
sector, and offers wizard-driven application connectors to enable integration with other third-party
applications. It automatically imports user identity data and provides ongoing synchronization with
enterprise directories like LDAP and AD. A centralized administration console leverages agent-based
technology to sense when applications are launched and generates events and audit trails that
encapsulate user activity around these applications. expreSSO offers tight integration with Sentillion
Tap & Go, a tool that leverages proximity cards to provide secure two-factor authentication. This means
that users can swipe their company ID cards against a card reader, and combine with it a biometric or
password-based authentication device that has a validity period, to gain access to areas of the
clinic/hospital that they are authorized to enter. Once the validity period expires, it can be reset through
expreSSO to continue to get access to protected areas.
Sentillion proVision is the company’s provisioning tool developed specifically for the healthcare sector. It
offers capabilities to simplify the task of provisioning users with access to computer resources. It
supports healthcare-specific applications such as Computerized Physician Order Entry, Picture
Archiving and Communications System, and their portals; administrative applications such as billing
and enterprise directories; and personal productivity applications such as e-mail.
The Sentillion IdMPOWER Community is a member community for users of the Sentillion range of
products and provides access to an online knowledge base of best practice deployment options,
troubleshooting guides, FAQs and articles. The IdMPOWER Community also contains an open source
bridges library that provides a number of software adapters for healthcare applications that are not
supported out-of-the-box by Sentillion.
Headquarters: Sentillion, Inc., 40 Shattuck Rd., Suite 200, Andover, MA 01810, USA.
Tel: +1 (978) 689 9095. Fax: +1 (978) 688 2313.
UK Office: Sentillion Limited, 3000 Hillswood Drive, Hillswood Business Park, Chertsey, Surrey, KT16 0RS, UK.
Tel: +44 (0)845 0570302. Fax: +44 (0)845 0570312.
www.sentillion.com
Siemens
Company profile
Siemens IT Solutions and Services, a subsidiary of Siemens, provides a wide range of IT services from
consulting to system integration, IT infrastructure management, and software engineering to industry-
specific IT solutions. Siemens IT Solutions and Services acts as a shared-services center for the Siemens
group, running projects with its parent’s core vertical units – manufacturing/industry, energy/utilities and
healthcare – and also continues doing business with external clients outside these sectors.
Product description
Siemens IT Solutions and Services, through its DirX product suite, provides a set of IAM solutions. The
DirX product suite consists of the following components:

• DirX Identity: aimed at automating user and rights management, DirX Identity integrates user and
role management, real-time provisioning, Web-based user self-service, request and approval
workflows, password management, metadirectory, auditing, and reporting functionality. User
provisioning and access rights management activities are handled through policy engines backed by
centralized role management support. The component also provides user organizations with a
centralized Java-based graphical user interface (GUI) that allows administrators to configure and
manage users and services, including roles and policies, integration, synchronization, and workflow
activities.

DirX Audit: this product provides a centralized user interface that securely stores, analyzes,
correlates, and reviews all identity-related audit logs, which can later be used by auditors or
security compliance officers to generate reports or perform statistical analysis. DirX Audit is made
up of the following components: DirX Audit collectors, which collect all generated audit logs from
various sources; DirX Audit Server, a centralized server that transforms, augments, and stores all
audit logs in the DirX Audit store; DirX Audit database, which centrally stores all audit logs; and
DirX Audit Manager, a Web-based user interface that provides access to the DirX Audit database
for auditors, users, and security officers. The module provides pre-configured reports based on
Jasper Reports technology, and also allows users to download the Jaspersoft iReport tool and
customize it to generate reports that meet their specific needs.

DirX Directory: acts as an identity store for all identity credentials and allows employees,
customers, trading partners, subscribers, and other e-business entities to access them. The directory
is also capable of centrally storing and managing other credentials, such as public keys for a public
key infrastructure (PKI), and is compliant with standards such as LDAP, X.500, and DSML. The module
provides control over user authentication and access to identity data, which can be defined down to
the level of individual attributes in entries. Users can access the directory through web browsers,
using the DirXweb for JSP Technology applications; via SOAP/DSMLv2-compliant clients over the DirX
DSML server; through any LDAP client and LDAP-enabled application; using a command-line
administration interface; and from a Java-based management client called DirX Manager.

DirX Access: this module integrates access management, entitlement management, identity
federation, web services security, and web SSO (WSSO) in order to protect web applications and
web services from unwanted access. All user access is controlled by enforcing centrally managed,
role-based business security policies, and DirX Access also supports the SSO authentication model.
The module is based on a service-oriented architecture (SOA) and supports the relevant standards for
authorization, federation, provisioning, and web security, namely XACML, SAML, and SPML. Through its
reporting interface, the product allows administrators to obtain PDF reports based on system, role
hierarchy, role/policy association, user/role association, and organizational hierarchies, thereby
supporting audit and regulatory compliance reporting initiatives.
Siemens IT Solutions and Services also provides professional services for assessing customer needs
and offers tailor-made solutions for their IAM requirements. These services include project consulting,
analysis and planning, solution implementation, maintenance, and training.
IDENTITY AND ACCESS MANAGEMENT 2011/12
246
Corporate Headquarters
Siemens Aktiengesellschaft
Wittelsbacherplatz 2
80333 Munich
Germany
Tel: +49 89 636 00
Fax: +49 89 636 34242
www.siemens.com
WSO2
Company profile
WSO2 is a provider of an open source Service Oriented Architecture (SOA) platform based on the Open
Services Gateway initiative (OSGi) component model. The company’s SOA offering provides tools for
service creation, service connection, service composition, and SOA governance, as well as an
Enterprise Service Bus (ESB) for connecting services. Headquartered in Mountain View, California,
USA, WSO2 also has offices in Emsworth, UK, and Colombo, Sri Lanka. WSO2 is a privately held
company; it was founded in August 2005 after receiving Venture Capital (VC) funding from Intel
Capital. The company now has 75 employees worldwide, most of whom are developers based at the
Research and Development centre in Colombo. WSO2 is a key contributor to international standards
organizations such as the World Wide Web Consortium (W3C), Open Architecture for Accessible
Services Integration and Standardization (OASIS), the OpenID Foundation, Microsoft’s Interoperability
Vendor Alliance, the Advanced Message Queuing Protocol (AMQP) Working Group, and oCERT.
Product description
The WSO2 Identity Server is an open source identity and entitlement management solution that is
specifically focused on handling identity and entitlement issues in an SOA environment. The solution
offers the ability to issue managed information cards, backed by a user name and password, and an
XACML engine to handle fine-grained authorization. Registered users can download managed
information cards against their accounts, and the information contained within these cards can be
used to validate a service requester that makes a claim to access services. WSO2 Identity Server
offers support for the CardSpace default claim set as well as OpenID for multi-factor authentication.
An inbuilt audit trail and activity log shows user activities over published resources. The Identity
Server’s management console provides administrators with a dashboard for monitoring user accounts
and issuing information cards and/or OpenID tokens.
WSO2 Identity Server supports XACML 2.0 services and provides policy-based, fine-grained
authorization by allowing XACML policies to be defined within the WSO2 Identity Server’s policy
administration point. Using the ESB as a policy evaluation point, WSO2 enforces runtime governance
on services by tracking the access policy from the Identity Server’s policy decision point through an
entitlement mediator. The key components and functionalities of WSO2 Identity Server are as follows:

User manager component – decouples user attribute handling from the upper layers to facilitate
claim-based access to the underlying user store.

Security Token Service – helps organizations issue claim-based security tokens, and maps all
associated user attributes, which enables identity federation.

Identity Provider – allows flexible handling of all Information Card and OpenID based logins.

XACML engine – drives all authorization decisions based on policies.
WSO2 Identity Server allows central management of all administrative configuration activities through
its management console. It can be deployed over existing AD, LDAP, or JDBC user stores and is built
with the aim of fitting easily into an existing SOA environment. WSO2 Identity Server is provided under
the open source Apache license.
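The policy administration point, policy decision point and enforcement point arrangement that the WSO2 description above (and the XACML support noted for DirX Access in the Siemens profile) refers to is easier to follow with a working evaluation. The following Python is an added example written for this chapter; it is not WSO2 or Siemens code and uses neither vendor’s APIs. It parses two constructed XACML 2.0 policies with the standard-library XML parser (the policy IDs, the /billing/invoices resource and the clerk and contractor roles are invented for the example), implements the string-equal match function and the deny-overrides and first-applicable combining algorithms, and wires a minimal PAP, PDP and deny-biased PEP together. Combining the PAP’s policies with deny-overrides is an assumption of the example, not something the page states about either product.

```python
"""Constructed XACML 2.0-style PAP/PDP/PEP walk-through (added example, not vendor code)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML_NS}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy 1: holders of the (invented) clerk role may read the invoices resource.
PERMIT_CLERK_READ = f"""<Policy xmlns="{XACML_NS}" PolicyId="urn:example:invoices" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="clerk-may-read-invoices" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">clerk</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">/billing/invoices</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
      </ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
      </ActionMatch></Action></Actions>
    </Target>
  </Rule>
</Policy>"""

# Constructed sample policy 2: anyone holding the (invented) contractor role is denied everything.
DENY_CONTRACTORS = f"""<Policy xmlns="{XACML_NS}" PolicyId="urn:example:contractors" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="contractors-denied" Effect="Deny">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">contractor</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
      </SubjectMatch></Subject></Subjects>
    </Target>
  </Rule>
</Policy>"""


def _match(match, request):
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch>: apply MatchId to the literal
    and to the bag of request attribute values the designator points at."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    category = match.tag.rsplit("}", 1)[-1][:-len("Match")].lower()   # subject/resource/action
    literal = match.find("x:AttributeValue", NS).text
    designator = match.find(f"x:{category.capitalize()}AttributeDesignator", NS)
    bag = request.get(category, {}).get(designator.get("AttributeId"), [])
    return literal in bag                                            # string-equal over the bag


def _target_matches(target, request):
    """Empty <Target/> matches everything. Subjects/Resources/Actions are ANDed, the
    Subject/Resource/Action alternatives inside each are ORed, Match elements are ANDed."""
    if target is None:
        return True
    return all(any(all(_match(m, request) for m in alt) for alt in section) for section in target)


def _combine(alg_id, decisions):
    """Combining algorithms, reduced here to Permit / Deny / NotApplicable."""
    if alg_id.endswith(":deny-overrides"):
        return "Deny" if "Deny" in decisions else "Permit" if "Permit" in decisions else "NotApplicable"
    if alg_id.endswith(":first-applicable"):
        return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")
    raise NotImplementedError(alg_id)


def load_pap():
    """PAP: the policy store an administrator fills; parsed once and served to the PDP."""
    return [ET.fromstring(PERMIT_CLERK_READ), ET.fromstring(DENY_CONTRACTORS)]


def pdp_evaluate(policies, request):
    """PDP: evaluate the request context against every PAP policy. Combining the
    policies with deny-overrides is this example's assumption."""
    results = []
    for policy in policies:
        if not _target_matches(policy.find("x:Target", NS), request):
            results.append("NotApplicable")
            continue
        rules = [rule.get("Effect") if _target_matches(rule.find("x:Target", NS), request)
                 else "NotApplicable" for rule in policy.findall("x:Rule", NS)]
        results.append(_combine(policy.get("RuleCombiningAlgId"), rules))
    return _combine("urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides", results)


def pep_authorize(policies, roles, resource, action):
    """PEP (the role the text gives the ESB's entitlement mediator): build the request
    context, ask the PDP, and stay deny-biased: only an explicit Permit lets the call through."""
    request = {"subject": {ROLE: list(roles)},
               "resource": {RESOURCE_ID: [resource]},
               "action": {ACTION_ID: [action]}}
    decision = pdp_evaluate(policies, request)
    return decision == "Permit", decision
```

Calling pep_authorize(load_pap(), ["clerk"], "/billing/invoices", "read") returns (True, "Permit"); the same clerk asking to delete gets (False, "NotApplicable"), and a subject whose role bag also contains contractor gets (False, "Deny") because the Deny rule wins under deny-overrides. The deny bias in the PEP is the point worth carrying into a real deployment: this example reduces decisions to Permit, Deny and NotApplicable, but a full PDP can also return Indeterminate, and a PEP must refuse that exactly as it refuses NotApplicable.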
WSO2, Inc.
800 West El Camino Real, Suite 180
Mountain View, CA 94040
USA
Tel: +1 (408) 754 7388
Fax: +1 (408) 689 4328
www.wso2.com
CHAPTER 9: Glossary
Access control
Controls which systems authorized users can visit and what they are allowed to do once there.
Access control list (ACL)
A table that controls what access rights each user has.
Analytics
Programming, technology-related processes and business-related processes that gather, store and
interrogate data to enable informed decisions to be made.
The American National Standards Institute (ANSI)
An organization that develops and maintains technology standards in the US.
Application server
A layer of software that provides a scalable link between web applications and back-end applications,
and typically offers features such as security, clustering and failover, and load balancing.
Application programming interface (API)
An approach that enables application programs to make requests to an O/S or to another program.
Authentication
The identification of prospective systems users and a method for determining if someone or something
is who or what they claim to be.
Authorization
The provision of control over what authenticated users can do.
Business-to-business (B2B)
How a business communicates with other businesses, such as partner companies.
Business-to-consumer (B2C)
How the business communicates with its customers.
Business-to-citizen (B2Cz)
How organizations (in this case, normally government-based organizations) communicate with citizens.
Biometric Application Programming Interface (BAPI)
The interface between API and a physical biometric device.
BioAPI
An open API standard to exploit biometric authentication.
Business Process Execution Language (BPEL)
An XML-based specification with its origins in IBM’s WSFL and Microsoft’s XLANG standard.
Certificate authority (CA)
Responsible for the distribution and management of digital certificates.
Cloud computing
A term that is often used to describe computing resources that are accessed over the Internet.
Circle of trust (CoT)
A description of the trust component for federated identity. A group of trusted service providers that
share linked identities and have negotiated relevant agreements on how to work together.
Data Encryption Standard (DES) and Triple DES/3DES
Standard industry recognized methods of data encryption using a secret key.
Data Loss Prevention (DLP) technology
Technology solutions that are designed to monitor, detect and prevent the unauthorized movement of
information from business systems.
Demilitarized zone (DMZ)
A DMZ refers to the part of an organization’s network that exposes its services to the outside world,
usually through the Internet (NB: the term “services” is not necessarily restricted to the SOA context,
but can refer to any applications made available to the outside world). A DMZ is normally (but not
necessarily) implemented between a pair of firewalls. The outer firewall allows through traffic from the
outside world to the DMZ where components such as proxies and routers will reside. The inner firewall
only allows verified network traffic to be passed to the sensitive internal network.
Domain Name System (DNS)
DNS is the method the Internet uses for translating a name into the IP address of a physical server.
Directory Services Markup Language (DSML)
Links directory services with XML-based services and provides the ability to denote directory details in XML.
Enterprise Web 2.0
Describes a fresh, and some would say new, approach to the design and provision of business
applications that incorporates aspects such as social networking, collaboration and real-time
communication. It focuses a great deal of attention on the user’s “experience”.
EMV 2000
The Europay MasterCard Visa specification for payment systems.
Enterprise Resource Planning (ERP)
A software suite that aims to support all the core functions of an organization, including areas such as
inventory control, accounting, production, logistics and human resources in an integrated whole,
providing a tied-together enterprise.
Extranet
A private network that uses Internet technology and the public telecommunications system to securely
share part of a business’s information or operations systems.
ESSO
Enterprise single sign-on.
FIPS
Federal Information Processing Standard.
File Transfer Protocol (FTP)
A standard Internet protocol that is the simplest way to exchange files between computers on the
Internet.
GSM
The standard global system for mobile telecommunications.
GRC
Governance, Risk and Compliance.
Graphical user interface (GUI)
A GUI is a graphical (rather than purely textual) user interface to a computer.
Health Insurance Portability and Accountability Act (HIPAA)
A standard for electronic data interchanges in the US healthcare sector.
Hardware security module (HSM)
A highly secure device that enables organizations to protect and manage passwords.
Homeland Security Presidential Directive (HSPD)
This directive addresses the problem of inconsistent and potentially insecure forms of identification.
Hypertext markup language (HTML)
A markup language designed to display material in a browser. As with XML, it consists of a series of
tags, but unlike XML, it contains information about the way in which text is displayed, and does not
describe data.
Identity Federation Framework (ID-FF)
The Identity Federation Framework provides a method for SSO and linking different user accounts
found within the circle of trusted service providers.
IdF
Identity Federation.
Identity Services Identity Specifications (ID-SIS)
An assortment of specifications for services enabled by ID-WSF.
Identity Web Services Framework (ID-WSF)
This allows for identity-based web services with the provision of permission-based sharing of user
attributes, identity-based service discovery, user security profiles and the ability to employ different
client types.
Internet Protocol Security (IPSec)
A security protocol that provides authentication and encryption over the Internet.
Integrated Services Digital Network (ISDN)
An international communications standard for sending voice, video and data over digital or normal
telephone lines.
ISO
The International Organization for Standardization, a global body made up of over 140 national
standards bodies, with the objective of promoting the development of standardization worldwide.
Internet service provider (ISP)
Provides businesses and consumers with access to the Internet.
Information Technology Infrastructure Library (ITIL)
A globally recognized collection of best practices for IT service management.
Java EE (formerly J2EE: Java Platform, Enterprise Edition)
Defines the standard for developing multi-tier applications using Java. Java EE simplifies enterprise
applications by basing them on standardized modular components, by providing a complete set of
services to those components, and by handling many details of application behavior automatically,
without the need for complex programming.
Java Message Services (JMS)
An API messaging standard that allows Java EE application components to create, send, receive and
read messages.
Kantara Initiative
An organization that took over from the Liberty Alliance. Its role is to help the identity community to
develop actions that will ensure secure, identity-based online interactions, and at the same time,
prevent the misuse of personal information. Its goal is to ensure that networks can be privacy protected
across trustworthy environments.
Kerberos
A secure authentication methodology, bundled with most operating systems, that uses the private key
method at the application layer, issuing authentication tickets that allow users to access services
without being questioned again.
Lightweight Directory Access Protocol (LDAP)
A software protocol enabling anyone to locate organizations, individuals and other resources such as
files and devices in a network, whether on the Internet or on a corporate Intranet.
Middleware
A general term for any programming that serves to “glue together” or mediate between two separate
and usually already existing programs. A common application of middleware is to provide programs
written for access to a particular database with the ability to access other databases.
.NET
Microsoft Technology, comprising the .NET framework, which includes the .NET object library, and the
.NET Common Language Runtime (CLR). The CLR is equivalent to the combination of Java Virtual
Machine (JVM) and Java EE Application Server in Java technology.
Network Access Control (NAC)
NAC is a method for improving the security of a proprietary network by restricting the availability of
network resources to endpoint devices that comply with a defined security policy.
Organisation for the Advancement of Structured Information Standards (OASIS)
A non-profit international body that aims to generate interoperable industry specifications.
Open Database Connectivity (ODBC)
An open standard API for accessing a database.
OS
Operating system.
OTP (One-time password)
The type of secure one-time code that can be generated using hardware devices such as tokens and
smartcards, or through the use of software.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a set of policies and procedures to improve the security of credit, debit and cash card
transactions and also to protect against identity theft.
Personal identification number (PIN)
Credit or debit card secure authorization code.
Public Key Infrastructure (PKI)
Enables users of a basically insecure public network such as the Internet to securely and privately
exchange data and money through the use of a public and a private cryptographic key pair that is
obtained and stored through a trusted authority.
Portal
A type of web “supersite” that provides a variety of controlled business and consumer services,
including web searching, news, white and yellow page directories, email, discussion groups, online
shopping and links to other sites.
Registration authority (RA)
Captures and authenticates the identity of a user and submits a request for a certificate to the CA.
Remote Authentication Dial-In User Service (RADIUS)
An access verification method, which uses a challenge/response method for authentication.
Radio-Frequency Identification (RFID)
An automatic identification method, relying on storing and remotely retrieving data using devices called
RFID tags or transponders.
Return on investment (ROI)
A term used to describe how much of a return, usually profit or cost-saving, results from a completed
business task, in relation to the original investment made.
RSS feeds
An XML-based approach to the distribution of web content.
Software as a service (SaaS)
A software distribution model in which applications are hosted by a service provider and made available
to customers over the Internet or other selected channels.
Signatures and Authentication for Everyone (SAFE)
An identity validation and interoperability federation.
Security Assertion Markup Language (SAML)
Enables the interchange of authorization information between partners.
Simple Authentication and Security Layer (SASL) protocol
A method for adding authentication support to connection-based protocols.
Small and medium enterprises (SME)
A generic description of mid-market organizations.
Simple Mail Transfer Protocol (SMTP)
A TCP/IP protocol used to send and receive e-mail communications.
Service-oriented architecture (SOA)
An architecture that places process components delivered as consumable services at its heart. In its
modern incarnation, this architecture is chiefly based on web services, providing a services platform
layer that exposes business and operational services, and is typically a part of enterprise architecture.
SOAP
Formerly Simple Object Access Protocol, but now simply referred to as SOAP. A lightweight XML-based
protocol consisting of three parts: an envelope that contains a message and instructions for processing
it; rules for expressing instances of application-defined data types; and a convention for representing
remote procedure calls and responses. In summary, it is a protocol allowing the exchange of information
in a decentralized and distributed environment.
Social media
The use of social media technologies such as social networks, blogs and forums to support a strategy
of customer engagement and participation.
Sarbanes-Oxley Act (SOX)
Legislation to protect shareholders and the public from accounting errors and fraudulent practices in the
enterprise.
Service Provisioning Markup Language (SPML)
A standard to assist with the creation, maintenance and deletion of user data across heterogeneous
environments.
Secure Sockets Layer (SSL)
A common protocol for managing the security of a message over the Internet. Typically only one end of
the conversation is fully authenticated.
Single sign-on (SSO)
An authentication process that enables users to enter one name and password in order to access
multiple applications. Normally available to support Web and enterprise access environments.
Total cost of ownership (TCO)
TCO is a financial estimate of all the costs associated with acquiring, implementing, maintaining and
using a resource over a particular time. It is most useful as a way of comparing the costs of two or more
means of achieving the same end result.
Transmission Control Protocol/Internet Protocol (TCP/IP)
Governs the routing and transportation of data over the Internet.
The Open Group
Supports a number of initiatives relating to IAM.
Transport Layer Security (TLS)
This is a protocol that ensures privacy between communicating applications and their users on the
Internet.
Two-factor authentication
Two levels of identity that in conjunction authenticate a user and combine to provide strong
authentication.
Uniform Resource Locator (URL)
A URL is the address of a file (resource) accessible on the Internet.
Virtual local area network (VLAN)
VLANs can be viewed as a group of devices on different physical LAN segments that can communicate
with each other as if they were all on the same physical LAN segment.
Virtual private network (VPN)
A private data network that makes use of the public telecommunication infrastructure, while maintaining
privacy through the use of procedures.
Wide area network (WAN)
A geographically dispersed network.
Web 2.0
A collective description for the latest set of user-driven Internet technologies and applications that
include blogs, wikis, RSS, mash-ups, and social networks, among others. It refers to second generation
web-based services that are characterized by increased user interaction, information sharing and
collaboration.
Web service
An architecture where software is delivered as a set of components that can be called from any
application without regard to the underlying platform or operating system.
Workflow Management Coalition (WFMC)
A group of worldwide workflow vendors, users and research bodies with the objective of defining and
sponsoring standards for workflow terminology and connectivity between different workflow products.
Workflow
A term used to describe the tasks, procedural steps, organizations or people involved, required input
and output information, and tools needed for each step in a business process.
Web Services Description Language (WSDL)
WSDL is an XML format for describing network services as a set of endpoints or ports operating on
messages containing either document-oriented or procedure-oriented information.
WS-Federation
Web Services Federation describes how to build federated trust scenarios based on other
specifications, and defines methods for managing trust relationships. In July 2003, Microsoft and IBM
published a white paper outlining their thoughts on the contents of the specification.
Web Services Flow Language (WSFL)
WSFL is an XML language for the description of web services compositions.
Web Services Interoperability (WSI)
An organization that encourages web services interoperability between platforms, operating
environments and programming languages by promoting SOAP.
WS-Policy
Web Services Endpoint Policy describes how senders and receivers can denote their requirements and
capabilities, including essential attributes for privacy, encoding, security tokens and associated
algorithms.
WS-Privacy
Portrays a model for how a privacy language can be embedded in WS-Policy descriptions, enabling
organizations to detail conformity to defined privacy policies.
WS-Security
Web Services Security, a range of specifications detailing security interoperability.
WS-Trust
Web Services Trust Model details the method for establishing direct and third party trust associations.
X.509
Digital certificate standard that forms the basis of the PKI approach.
Extensible Access Control Markup Language (XACML)
An XML schema for denoting a policy interchange format.
XML Common Biometric Format (XCBF)
Designed to integrate and improve interoperability between biometric standards through the use of web
services.
XML Key Management Specification (XKMS)
XML-based standards for the distribution and registration of public keys.
XLANG
An XML-based extension of WSDL.
Extensible Markup Language (XML)
A markup language defined by the World Wide Web Consortium (W3C) as a recommendation in 1998.
Used as a meta language to describe data, it has widespread use in areas such as application
integration, content management, electronic data interchange, and wireless communications. XML is
extensible because, unlike HTML, the markup symbols are unlimited and self defining. Using an
extensible stylesheet language (XSL), XML can be transformed for display as HTML on a web page, or
to alternative formats for display on other types of client device. It provides a common format for
documents and data.
XML signature
Used to denote the signature information of Internet resources.
CHAPTER 10: Appendix
Further reading
2011 Trends to watch: Security – Protecting the organization against increasing threats.
Corporate mobile device use and security – Corporations are slowly embracing new technology.
Information Security – Protecting the Business and its Information.
The malware threat to mobile banking.
Methodology

This report has been compiled from Ovum’s ongoing program of research into the use of Identity and
Access Management technology and the value that it provides for organizations and the users of
their business systems.

Ovum conducts independent research into IT strategy and issues. This report comprises the
findings of numerous interviews with enterprise CIOs, vendors, and other experts in the field. The
correlation of views and resolution of divergent views is based on Ovum's own in-house expertise.
Author(s)
Andy Kellett, Senior Analyst
andrew.kellett@ovum.com
Graham Titterington, Principal Analyst
graham.titterington@ovum.com
Nishant Singh, Lead Analyst
nishant.singh@ovum.com
Somak Roy, Lead Analyst
somak.roy@ovum.com
Ovum consulting
We hope that the analysis in this report will help you make informed and imaginative business
decisions. If you have further requirements, Ovum’s consulting team may be able to help you. For more
information about Ovum’s consulting capabilities, please contact us directly at consulting@ovum.com.
Disclaimer
All Rights Reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior
permission of the publisher, Ovum (a subsidiary company of Datamonitor).
This Report reveals:
The user and information protection challenges involved when managing identity.
Why IAM projects are large-scale investments and require an overhaul of business processes.
That vendor consolidation has been a major factor for change in the IAM market.
How IAM technology can be used to support compliance in highly-regulated industries.
Why audit adds urgency to the need for a better IAM infrastructure.
The impact on identity services of Cloud based operations.
That the need for an Internet identity is now fully recognized.
How organizations can benefit from using a federated approach to identity management.
Which of the leading IAM vendors have improved their products and market positioning and now have
the right credentials to lead the IAM sector forward.
Technology Evaluation and Comparison Report
Driving business value through collaborative intelligence OI00030-001
WWW.OVUM.COM
Ovum Europe
119 Farringdon Road,
London, EC1R 3DA,
United Kingdom
t: +44 (0)20 7551 9850
e: info@ovum.com
Ovum Australia
Level 5, 459 Little Collins Street,
Melbourne 3000,
Australia
t: +61 (0)3 9601 6700
f: +61 (0)3 9670 8300
e: info@ovum.com
Ovum New York
245 Fifth Avenue, 4th Floor,
New York, NY 10016,
United States
t: +1 212 652 5302
f: +1 212 202 4684
e: info@ovum.com