IDM vs MIIS. The past, present, futures and direct comparisons of Identity Management from both Provo and Richmond



1
IDM vs MIIS. The past, present, futures and direct comparisons of Identity Management from both Provo and Richmond
Martin Bradburn
Associated Network Solutions Plc
2
Agenda
  • Why Identity Management?
  • Novell's IDM3: an overview
  • Microsoft's MIIS: an overview
  • Knock for knock
  • The future
  • Q&A - please

4
Why Identity Management?
5
Priorities today
across all systems and platforms
6
Do you know these guys?
7
Auditing Compliance
  • Compliance initiatives, such as Sarbanes-Oxley, FSA and Law Society, occupy centre stage in IT and security projects.

Sarbanes-Oxley requires a focus on making sure that organisations are reporting accurate information and that they know where it is coming from. The results of the IT auditing teams are bubbling up to the boardroom, and they can be pretty ugly.
8
User-provisioning implementations are growing in number and complexity, largely because of regulatory pressures. Gartner estimates that there are approximately 1,200 significant production deployments. These implementations are enterprise-wide, and they use multiple connectors, workflow and approval processing. Implementations for smaller workforces are new, most within the past 12 months, as they too feel regulatory compliance pressures.
9
Complexity
10
Actual View of Novell before Zero Day Start
11
So, why are we all in this mess?
  • Organisations expand through recruitment and acquisitions
  • Employees need access to many applications and resources
  • Managing resource access tends to be carried out on a system-by-system approach.
  • On average this means that each user has 8-12 identities.
  • A field of disparate and complex systems

12
Novell's IDM3: an overview
13
Novell IDM3 Major Components
14
Novell Identity Manager 3
Novell Identity Manager 3 delivers:
  • Automated User Provisioning
  • Self-service Password Management
  • Secure Logging, Auditing and Reporting
  • Across platforms: Linux, Windows, Solaris, HP-UX, AIX and NetWare

15
IDM3 Architecture
Architecture layers and components (from the slide diagram):
  • User Interface
    • Designer for Identity Manager (Configuration)
    • iManager (Administration)
    • User Application
      • User search, list and org chart portlets
      • Password self-service portlets
      • Lightweight user admin portlet
      • Portal personalization
      • General portlets
  • Directory Abstraction Layer
  • Metadirectory Engine
  • eDirectory (8.7.3 or 8.8)
  • Entitlements Objects
  • Workflow
  • User Application Driver
  • JBoss App Server (on Linux, Windows)
  • MySQL DB (included), Oracle DB, MS SQL Server
  • Connected Systems
16
IDM3 - Top 5 Innovations
  1. Integrated Approval Workflow
  2. Enhanced Identity Applications
  3. Attractive, flexible User Application
  4. Designer for Identity Manager
  5. Enhanced Scalability and Data Security

17
Integrated Approval Workflow
  • User application showing approval task in-box.
  • Full-featured workflow capabilities, including:
    • Role, group or individual assignments
    • Delegation and proxy functions
    • Expiration tracking with escalation policies
    • Self-service provisioning
    • No coding required (Java, script, XML, etc.)

18
User checking status of a prior workflow request

19
End User View
  • Advanced identity applications unlock greater value from the identity data.
  • Powerful organisational charting and white/yellow pages
  • Self-service password management
  • Delegated administration for team leaders

20
Views of User Workflow requests
21
Views of User Search and List

22
Views of User Search and List

23
Administrator View
  • Full-featured Administration Console.
  • Monitoring, reporting and auditing features
  • Integrated into the common Administration fabric
  • Separate from tools for Architecture/ Deployment

24
Designer for Identity Manager: Architect View
  • A powerful visual toolkit for designing the identity environment.
  • Graphically configure complex systems
  • Model "what if" scenarios
  • Automatically generate documentation
  • Leverage re-usable configurations to reduce deployment time

25
Connectible Application Space
26
Identity Manager Connected Systems
27
Microsoft's MIIS: an overview
28
Microsoft MIIS Major Components
  • Synchronisation Engine
  • Synchronising into an ever-increasing number of systems, no longer just Microsoft ones
  • Automated provisioning
  • Centralised Identity Store
  • Password Management (SP1)
  • Integrated into Windows front end

29
MIIS Identity Scenarios: Integration as foundation for IM services
Systems shown connected through Identity Integration: HR System, Contractor System, Enterprise Directory, Lotus Notes Apps, Infra Application, COTS Application, In-House Applications.
Identity Integration provides:
  • Authentication
  • Authorization
  • Identity Data
Rock solid software to integrate identity
30
MIIS Architecture
Key: MA = Management Agent, CS = Connector Space
MS SQL 2000-based datastore
31
MIIS Designer
32
Connectivity in MIIS 2003, Enterprise Edition SP1
  • Active Directory
  • Active Directory Application Mode
  • Exchange 2000 and 2003 Global Address List
    synchronisation
  • Sun One Directory (formerly iPlanet) 4.x and 5.0
  • SQL Server 7.0 and 2000
  • Oracle 8i and 9i
  • DSML 2.0
  • LDAP Directory Interchange Format (LDIF)
  • Delimited Text
  • Fixed-Width Text
  • Attribute-Value Pair Text
  • Windows NT 4.0
  • Exchange 5.5
  • Lotus Notes 5.0
  • Novell eDirectory 8.62 and 8.7
  • RACF (shipped Summer 05)
  • SAP (Beta)
  • Other mainframe and ERP systems to follow

33
Knock for Knock
34
Gartner's meta directory Magic Quadrant
"We continue to view IDM as market leading technology" (Gartner)
35
Gartner's User Provisioning Magic Quadrant
36
Challenger Definition
Challengers have solid products that address the typical needs of the User-provisioning market, with strong sales, visibility and clout that add up to higher execution than niche players. Many clients consider challengers to be the conservative, safe alternative to niche players. Challengers in this Magic Quadrant have strong product capabilities, but they have fewer production deployments than the leaders. Their business model, overall product strength, marketing strategy and business partnerships vary and, hence, have kept them from breaking into the Leaders quadrant. Novell have been in the User-provisioning market for some time and have been making steady progress.
37
Niche Definition
Niche players offer viable, dependable solutions that meet the typical needs of buyers. Niche players are less likely to appear on shortlists but fare well when given a chance. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market, and often they can do so more efficiently than the leaders. Clients tend to pick niche players when stability and focus on a few important functions and features are more important than a wide and long road map. Microsoft has a basic User-provisioning product in MIIS and relies on partners to round out its offering.
38
Market Disruption
Two fundamentally different ways of solving the security administration problem are the User-provisioning (middleware) approach and the enterprise access management approach. All vendors, except Microsoft, are taking the middleware approach, which addresses the management of the complex authentication environment that has evolved during the past 20 years.
39
As long as enterprises are willing to make Active
Directory their central authentication service
and rely on the access control infrastructure of
the Windows server, fewer user IDs will be
needed, and those that remain can be managed as
an Active Directory account. Microsoft partners,
such as Centrify and Quest Software, are building
tools to provide the translation of Unix, Linux,
Mac OS, VMware, WebSphere, WebLogic, JBoss and
Apache accounts so that they can be managed as
Active Directory accounts.
Microsoft Identity Integration Server (MIIS) is
required to provision user accounts and
synchronise user profile information between
target systems (until such time that only one
Active Directory user account is needed).
40
  • This means that Microsoft would:
    • Own the strategic user repository (Active Directory) in most accounts
    • Drive the primary authentication for both network operating system (NOS) and Web connections
    • Drive the application-level authorisation schemes
  • Clearly, this is a lot to accomplish, but no other vendor is in a position to pull this off. The enterprise access management approach is not for everyone, especially if enterprises have a need right now for managing and reporting on the messy, complex user accounts environment that currently exists. This approach is also not for those enterprises that want to maintain an open authentication and authorisation infrastructure.

41
Novell IDM
Novell was one of the vendors that took its meta directory product and evolved it into a Java-based User-provisioning product. Because earlier versions of its User-provisioning product were based on the meta directory product, it has strong data synchronisation and Resource Access Management capabilities, but it lacked certain core User-provisioning functions, such as self-service password reset and workflow, and it required a fair amount of consulting work for implementation. Novell has continually enhanced its User-provisioning offering (for example, a graphical interface for connector management and Service Provisioning Markup Language support), and with the introduction of Identity Manager 3, it has a product that provides very good User-provisioning capabilities, albeit with a few oddities (such as templating workflow by the number of approval steps rather than by User-provisioning function, for example, "add a new user").
42
Novell has done a good job in focusing on the federal and state government sectors, and overall customer satisfaction is high. To be the success it wants to be, Novell must be more strategic by adding capabilities around Role Management, ensure it has a Tier 1 Service Industry and provide a solution for the SMB market. Novell has done a good job selling its User-provisioning solutions to its target customers; however, Novell's target audience is too narrow. Gartner wants Novell to expand its marketing and sales efforts to a broader range of customers.
43
Microsoft MIIS
Microsoft's User-provisioning offering, developed on the .NET platform, was originally built as a metadirectory product that now supports much of the heterogeneous IT infrastructure (connectors for SAP and PeopleSoft are in progress). It is a set of modules that must be integrated to make up a basic User-provisioning product. For example, workflow capability comes through BizTalk, with Visual Studio required for complex workflow and rule support, and Unix support comes through Services for Unix. There is no support for Service Provisioning Markup Language, role management or out-of-the-box reporting of any kind, although customers can use their existing reporting products to get access to the data in the MS-SQL database.
44
Gartner's assessment of MIIS as a User-provisioning offering is that it is very much a consulting engagement. However, customers report that the software license fees and integration costs are so much lower than other User-provisioning product deployments that it is worth the effort. Microsoft has not productised capability (for example, workflow templates developed by Microsoft Consulting Services from its deployments).
45
Microsoft's next planned release, in the second half of 2007, will be comparable with today's User-provisioning product offerings, with workflow provided at the Windows server level. But because the two different strategies for solving the security administration problem (middleware vs. enterprise access management) are not well articulated or understood in the market, comparing MIIS with a middleware User-provisioning product will result in MIIS not measuring up 100 percent.
46
Lower costs and the growth in Active Directory as
the central enterprise authentication service
will likely propel Microsoft into the Leaders
quadrant within the next 24 months.
47
Infoworld Review 05
http://www.infoworld.com/article/05/10/07/41FEidm_1.html?sfeature
48
Native System Connectivity
(In the original slide, IDM3 connectors are shown in black and MIIS connectors in red; that colour coding is lost in this transcript.)
  • Operating systems: Microsoft Windows NT 4.0; Microsoft Windows 2000, 2003; SUSE LINUX; Debian Linux; FreeBSD; Red Hat AS and ES; Red Hat Linux; HP-UX; IBM AIX; Solaris; UNIX files (/etc/passwd)
  • Other: Delimited Text; Remedy (for Help Desk); SOAP; DSML; SPML; Schools Interoperability Framework (SIF)
  • PBX: Avaya PBX
  • Enterprise applications: Baan; J.D. Edwards; Lawson; Oracle; Peoplesoft; SAP HR (MIIS via delimited text); SAP R/3 4.6 and SAP Enterprise Systems (BASIS); SAP Web Application Server (Web AS) 6.20; Siebel
  • Enterprise message bus: BEA; IBM Websphere MQ; Open JMS; Oracle; JBOSS; Sun; TIBCO
  • Mainframe: RACF; ACF2; Top Secret
  • Midrange: OS/400 (AS/400)
  • Database: IBM DB2; Informix; Microsoft SQL Server; MySQL; Oracle; Sybase; JDBC
  • Directories: Critical Path InJoin Directory; IBM Directory Server (SecureWay); iPlanet Directory Server; Microsoft Active Directory; Microsoft Windows NT Domains; Netscape Directory Server; NIS; NIS+; Novell NDS; Novell eDirectory; Oracle Internet Directory; Sun ONE Directory Server; LDAP
  • Email systems: Microsoft Exchange 2000, 2003; Microsoft Exchange 5.5; Novell GroupWise; Lotus Notes
49
Supported Platforms
  • MIIS
    • Windows Server 2003 Enterprise edition
    • (NB. Also requires SQL Server 2000)
  • IDM3
    • NetWare 6.5 SP3 or later
    • Novell Open Enterprise Server (NetWare or Linux)
    • Windows 2000 or 2003
    • SUSE Linux Enterprise Server 9 or 10
    • Red Hat Linux AS 3.0
    • Solaris 8, 9 or 10
    • AIX 5.2L

50
Getting it all configured
  • IDM3
    • Most powerful Designer GUI
    • Natively integrates with eDirectory
    • Self-documenting
    • Still needs XML coding for certain things
    • Real-time synchronisation
    • No native failover
    • In-built auditing
    • Partner support excellent
  • MIIS
    • Designer GUI
    • Does not natively integrate with AD (uses SQL 2000)
    • Requires Visual Studio and coding for most things
    • Not real-time synchronisation
    • SQL 2000 able to be replicated
    • No identity auditing capability
    • Partner support excellent

51
What's it going to cost?
  • MIIS
    • MIIS 2003 SP1, Enterprise Edition per CPU (including all MS connectors): 13,400
    • Windows Server 2003 R2 Enterprise Edition: 2,222
    • Windows Server 2003, Client Access License 20-pack: 444
    • SQL Server 2005 Standard Edition: 3,333
    • Total investment: 19,399
  • IDM3
    • IDM3 (including Microsoft Active Directory, Microsoft Windows NT, Novell GroupWise, Microsoft Exchange, Lotus Notes, Novell eDirectory and other LDAP v3 directories), Audit, User Application with user self-service and password management: 13.88 per user
    • Optional Provisioning Module for Novell Identity Manager 3 (approval workflow system and self-service resource request): 5.55 per user
    • Optional integration modules: from 3.33 per user
    • For comparison, 1400 users @ 13.88 is 19,432

All prices exclude VAT, maintenance and discounts. Exchange rate of 1.8.
52
What's in it for the users?
  • IDM3
    • Password self-service
    • User Administration
    • White pages and organisational charts
    • Workflow
    • Resource request
  • MIIS
    • Password self-service (reset now pulled from SP2)

53
What's in it for your boss?
  • IDM3
    • Audit and compliance
    • Good ROI
    • Open source integration
    • Past, present and future system integrations
  • MIIS
    • Good ROI (sometimes excellent)
    • Microsoft integration
    • Nobody's yet been fired for buying MS!

54
Anything else whilst we're at it?
55
The Future
56
Near-term IDM3 Roadmap
  • Identity Manager 3.5
    • Scheduled/Random Password Generation
    • Scheduled Event Processing
    • Multi-language Support (Password Challenge/Response, Email Templates)
    • AD-style Password Policy
    • Visual Password Synchronisation for users
    • Anonymous User Self-Registration
    • Matrix Organisation Display and workflow approval
    • UI Enhancements including Portlets for viewing User/Resource Associations
    • Digital Signing of Approvals
    • Matrix organisation and Quorum Approvals for workflows
    • Shareable Policy Libraries
    • Resource Kit (incl. normalised driver configs)
    • IDM Monitoring Tools

57
IDM3 Roadmap
  • Next Major Version of Identity Manager
    • Enhancements in user features (for example...)
      • Additional regulatory compliance management features
      • Additional provisioning workflow capabilities
      • Improved password management features
      • Support for matrix and non-traditional organizational structures
    • Enhancements in infrastructure (for example...)
      • Greater interoperability and integration with existing infrastructure
      • Finer control over event/activity processing
    • Enhancements in deployment process (for example...)
      • Greater automation in deployment
      • Improved deployment scenario flexibility

58
MIIS Roadmap
59
MIIS Gemini
  • Add core functionality required for Process Integration Services
    • End-user self-service password reset
    • Rich workflow
    • Centralised auditing
    • Self-service application platform with integrated workflow and auditing
    • Computed attributes
    • Entitlement management based on organisational roles
  • Expose new functionalities to IT Pros and end users
    • Identity manager console for declarative entitlement management
    • Self-service applications
    • Expose self-service application interfaces for ISVs and corporate developers

60
Summary
  • IDM3 is now a mature product with little major missing; MIIS Gemini is close behind though
  • Novell's (lack of) marketing will allow MS to catch up again!
  • With Gemini, MIIS will offer a more complete password management story
  • Powerful workflow integration and UI entry points for self-service applications could make Gemini as good as IDM3
  • MS are already planning Apollo, but the chances of this being platform agnostic are very slim

61
Questions and Answers?