Access management: Identity management

Over the years, my regular readers know that I am interested in the convergence of products, technologies and companies. Well, another one of these is on the way. Many of the identity management products we looked at this month are beginning to look like something more. The emphasis is, increasingly, on the total account management lifecycle. And, as one would expect, there are a couple of interesting twists.

For example, there was a time - still is in some organizations - when there was Windows and there was Unix/Linux and never the twain shall meet. Today, even die-hard *nix-ers are acknowledging that for some parts of the enterprise Windows is likely to rule the roost. That means that these large-scale servers - often housing large databases - must, for efficiency's sake, authenticate through some unified mechanism. In the MS Windows world, that is likely to be Active Directory. If you want to play in the Microsoft sandbox, you have to play by Microsoft's rules. Many of the products we looked at that recognize *nix are doing exactly that.

The identity management products that we looked at this month also exhibited increased maturity over previous years. That tells us that the evolution of these products is continuing. Indeed, it has not slowed perceptibly. That is good news for our industry, but it can make selecting a product a bit more challenging.

As my readers know, I almost always caution that you should understand your environment and needs thoroughly before you go product shopping. Back in my consulting days, it was not uncommon for a client to call me and ask what product to buy without really analyzing what the product needed to do in their environment. That framed my approach to product selection.

That approach is even more important with this year's batch because there are some products experiencing more functionality convergence and some demonstrating less. You really must be sure of what you need, and you really must think hard about what it means to move from a single-purpose product to a more multipurpose one that supplants the single-purpose offering you are using currently. The impact of such a change can be significant without proper advance planning and an understanding of the problems that you need to solve.

Overall, we found that this year's crop added a form of single sign-on and account provisioning to the traditional identity management functions. Both of these have been with us for a while, but a few of our products are beginning to address the entire account management lifecycle.

Single sign-on does not always mean single sign-on. In at least one case this month it was quite traditional: you use a single password (or token) to log in to any of the resources to which you have access. However, there are subtleties as well. For example, one product allows you to proxy a login for sensitive accounts so that, if you remove a privileged user, you do not have to change the account login, because it is never really known to anyone except the account manager.

Managing accounts, users and identity data along with provisioning can be very challenging in a large enterprise. For example, how are you going to provision users across a global network with dozens of locations and thousands of workers? Add the complexity of needing some of those users - but not all - to use tokens for authentication. Is self-provisioning the answer?

To what granularity do you need universal account management? Is network login enough or do you need to get to the application level? All of these questions and more enter into your choice of products. To these identity management specifics we must add the more generic issues of support - both within the organization and the quality of support offered by the vendor.

Internal support - often the help desk - can be critical to keeping resources accessible to the users. However, resource access usually is a 24/7 thing, so does your selected vendor offer that level of support to back up your internal resources if necessary? Finally, is support universally and evenly available for all of your locations - worldwide if necessary?

Overall, we found that the products we looked at this year were a sort of cream of the crop from previous years. We saw products that were First Looks two years ago enter the mainstream, usually because the mainstream caught up with them.

This is a fascinating product group. In times of increased regulatory requirements, reduced resources, increasing network complexity and a growing threat environment, products such as these will become the rule rather than the exception that they might have seemed in the past.
