Title: IDM vs MIIS. The past, present, futures and direct comparisons of Identity Management from both Provo and Richmond
Slide 1: IDM vs MIIS. The past, present, futures and direct comparisons of Identity Management from both Provo and Richmond
Martin Bradburn
Associated Network Solutions Plc
Slide 2: Agenda
- Why Identity Management?
- Novell's IDM3: an overview
- Microsoft's MIIS: an overview
- Knock for knock
- The future
- Q&A - please
Slide 3: (no transcript)
Slide 4: Why Identity Management?
Slide 5: Priorities today
Across all systems and platforms
Slide 6: Do you know these guys?
Slide 7: Auditing & Compliance
- Compliance initiatives, such as Sarbanes-Oxley, FSA and Law Society, occupy centre stage in IT and security projects.
- Sarbanes-Oxley requires focus on making sure that organisations are reporting accurate information and that they know where it is coming from. The results of the IT auditing teams are bubbling up to the boardroom and they can be pretty ugly.
Slide 8:
User-provisioning implementations are growing in number and complexity, largely because of regulatory pressures. Gartner estimates that there are approximately 1,200 production deployments that are significant. These implementations are enterprise wide, and they use multiple connectors, workflow and approval processing. Implementations of smaller workforce count are new, most within the past 12 months, as they too feel regulatory compliance pressures.
Slide 9: Complexity
Slide 10: Actual View of Novell before Zero Day Start
Slide 11:
- So, why are we all in this mess?
- Organisations expand: recruitment & acquisitions
- Employees need access to many applications & resources
- Managing resource access tends to be carried out on a system-by-system approach.
- On average this means that each user has 8-12 identities.
- A field of disparate and complex systems
Slide 12: Novell's IDM3: an overview
Slide 13: Novell IDM3 Major Components
Slide 14: Novell Identity Manager 3
- Novell Identity Manager 3 delivers:
  - Automated User Provisioning
  - Self-service Password Management
  - Secure Logging, Auditing and Reporting
  - Across platforms: Linux, Windows, Solaris, HP-UX, AIX & NetWare
Slide 15: IDM3 Architecture
- User Interface
  - Designer for Identity Manager (Configuration)
  - iManager (Administration)
  - User Application
    - User search, list and org chart portlets
    - Password self-service portlets
    - Lightweight user admin portlet
    - Portal personalization
    - General portlets
- Directory Abstraction Layer
- Metadirectory Engine
- eDirectory (8.7.3 or 8.8)
- Entitlements & Objects
- Workflow
- User Application Driver
- JBoss App Server (on Linux, Windows)
- MySQL DB (included), Oracle DB, MS SQL Server
- Connected Systems
Slide 16: IDM3 - Top 5 Innovations
- Integrated Approval Workflow
- Enhanced Identity Applications
- Attractive, flexible User Application
- Designer for Identity Manager
- Enhanced Scalability and Data Security
Slide 17: Integrated Approval Workflow
- User application showing approval task in-box.
- Full-featured workflow capabilities, including:
  - Role, group or individual assignments
  - Delegation and proxy functions
  - Expiration tracking with escalation policies
  - Self-service provisioning
  - No coding required (Java, script, XML, etc.)
Slide 18: User checking status of a prior workflow request
Slide 19: End User View
- Advanced identity applications unlock greater value from the identity data.
- Powerful organisational charting, white/yellow pages
- Self-service password management
- Delegated administration for team leaders
Slide 20: Views of User Workflow requests
Slide 21: Views of User Search and List
Slide 22: Views of User Search and List
Slide 23: Administrator View
- Full-featured Administration Console.
- Monitoring, reporting & auditing features
- Integrated into the common Administration fabric
- Separate from tools for Architecture/Deployment
Slide 24: Designer for Identity Manager - Architect View
- A powerful visual toolkit for designing the identity environment.
- Graphically configure complex systems
- Model "what if" scenarios
- Automatically generate documentation
- Leverage re-usable configurations to reduce deployment time
Slide 25: Connectible Application Space
Slide 26: Identity Manager Connected Systems
Slide 27: Microsoft's MIIS: an overview
Slide 28: Microsoft MIIS Major Components
- Synchronisation Engine
- Synchronising into an ever increasing number of systems, no longer just MS ones
- Automated provisioning
- Centralised Identity Store
- Password Management (SP1)
- Integrated into Windows front end
Slide 29: MIIS Identity Scenarios - Integration as foundation for IM services
Diagram: HR System, Contractor System, Enterprise Directory, Lotus Notes Apps, Infra Application, COTS Application and In-House Applications, all connected through Identity Integration.
"Rock solid software to integrate identity"
Slide 30: MIIS Architecture
Key: MA = Management Agent, CS = Connector Space
MS SQL 2000 based datastore
Slide 31: MIIS Designer
Slide 32: Connectivity in MIIS 2003, Enterprise Edition SP1
- Active Directory
- Active Directory Application Mode
- Exchange 2000 and 2003 Global Address List synchronisation
- Sun One Directory (formerly iPlanet) 4.x and 5.0
- SQL Server 7.0 and 2000
- Oracle 8i and 9i
- DSML 2.0
- LDAP Directory Interchange Format (LDIF)
- Delimited Text
- Fixed-Width Text
- Attribute-Value Pair Text
- Windows NT 4.0
- Exchange 5.5
- Lotus Notes 5.0
- Novell eDirectory 8.62 and 8.7
- RACF (shipped Summer 05)
- SAP (Beta)
- Other mainframe and ERP systems to follow
Slide 33: Knock for Knock
Slide 34: Gartner's meta directory Magic Quadrant
"We continue to view IDM as market leading technology" - Gartner
Slide 35: Gartner's User Provisioning Magic Quadrant
Slide 36: Challenger Definition
Challengers have solid products that address the typical needs of the User-provisioning market, with strong sales, visibility and clout that add up to higher execution than niche players. Many clients consider challengers to be the conservative, safe alternative to niche players. Challengers in this Magic Quadrant have strong product capabilities, but they have fewer production deployments than the leaders. Their business model, overall product strength, marketing strategy and business partnerships vary and, hence, this has kept them from breaking into the Leaders quadrant. Novell have been in the User-provisioning market for some time and have been making steady progress.
Slide 37: Niche Definition
Niche players offer viable, dependable solutions that meet the typical needs of buyers. Niche players are less likely to appear on shortlists but fare well when given a chance. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market, and often they can do so more efficiently than the leaders. Clients tend to pick niche players when stability and focus on a few important functions and features are more important than a wide and long road map. Microsoft has a basic User-provisioning product in MIIS and relies on partners to round out its offering.
Slide 38: Market Disruption
Two fundamentally different ways of solving the security administration problem are the User-provisioning (middleware) approach and the enterprise access management approach. All vendors, except Microsoft, are taking the middleware approach, which addresses the management of the complex authentication environment that has evolved during the past 20 years.
Slide 39:
As long as enterprises are willing to make Active Directory their central authentication service and rely on the access control infrastructure of the Windows server, fewer user IDs will be needed, and those that remain can be managed as an Active Directory account. Microsoft partners, such as Centrify and Quest Software, are building tools to provide the translation of Unix, Linux, Mac OS, VMware, WebSphere, WebLogic, JBoss and Apache accounts so that they can be managed as Active Directory accounts.
Microsoft Identity Integration Server (MIIS) is required to provision user accounts and synchronise user profile information between target systems (until such time that only one Active Directory user account is needed).
Slide 40:
- This means that Microsoft would:
  - Own the strategic user repository (Active Directory) in most accounts
  - Drive the primary authentication for both network operating system (NOS) and Web connections
  - Drive the application-level authorisation schemes
- Clearly, this is a lot to accomplish, but no other vendor is in a position to pull this off. The enterprise access management approach is not for everyone, especially if enterprises have a need right now for managing and reporting on the messy, complex user accounts environment that currently exists. This approach is also not for those enterprises that want to maintain an open authentication and authorisation infrastructure.
Slide 41: Novell IDM
Novell was one of the vendors that took its meta directory product and evolved it into a Java-based User-provisioning product. Because earlier versions of its User-provisioning product were based on the meta directory product, it has strong data synchronisation and Resource Access Management capabilities, but it lacked certain core User-provisioning functions, such as self-service password reset and workflow, and it required a fair amount of consulting work for implementation. Novell has continually enhanced its User-provisioning offering (for example, a graphical interface for connector management and Service Provisioning Markup Language support), and with the introduction of Identity Manager 3, it has a product that provides very good User-provisioning capabilities, albeit with a few oddities (such as template workflow by the number of approval steps rather than by User-provisioning function, for example, add a new user).
Slide 42:
Novell has done a good job in focusing on the federal and state government sectors, and overall customer satisfaction is high. To be the success it wants to be, Novell must be more strategic by adding capabilities around Role Management, ensuring it has a Tier 1 Service Industry and providing a solution for the SMB market. Novell has done a good job selling its User-provisioning solutions to its target customers; however, Novell's target audience is too narrow. Gartner wants Novell to expand its marketing and sales efforts to a broader range of customers.
Slide 43: Microsoft MIIS
Microsoft's User-provisioning offering, developed on the .NET platform, was originally built as a metadirectory product that now supports much of the heterogeneous IT infrastructure (connectors for SAP and PeopleSoft are in progress). It is a set of modules that must be integrated to make up a basic User-provisioning product. For example, workflow capability comes through BizTalk, with Visual Studio required for complex workflow and rule support, and Unix support comes through Services for Unix. There is no support for Service Provisioning Markup Language, role management or out-of-the-box reporting of any kind, although customers can use their existing reporting products to get access to the data in the MS-SQL database.
Slide 44:
Gartner's assessment of MIIS as a User-provisioning offering is that it is very much a consulting engagement. However, customers report that the software license fees and integration costs are so much lower than other User-provisioning product deployments that it is worth the effort. Microsoft has not productised capability (for example, workflow templates developed by Microsoft Consulting Services from its deployments).
Slide 45:
Microsoft's next planned release, in the second half of 2007, will be comparable with today's User-provisioning product offerings, with workflow provided at the Windows server level. But because the two different strategies to solving the security administration problem (middleware vs. enterprise access management) are not well articulated nor understood in the market, comparing MIIS with a middleware User-provisioning product will result in MIIS not measuring up 100 percent.
Slide 46:
Lower costs and the growth in Active Directory as the central enterprise authentication service will likely propel Microsoft into the Leaders quadrant within the next 24 months.
Slide 47: Infoworld Review 05
http://www.infoworld.com/article/05/10/07/41FEidm_1.html?sfeature
Slide 48: Native System Connectivity
- Operating systems: Microsoft Windows NT 4.0, Microsoft Windows 2000, 2003, SUSE LINUX, Debian Linux, FreeBSD, Red Hat AS and ES, Red Hat Linux, HP-UX, IBM AIX, Solaris, UNIX Files (/etc/passwd)
- Other: Delimited Text, Remedy (for Help Desk), SOAP, DSML, SPML, Schools Interoperability Framework (SIF)
- PBX: Avaya PBX
- Enterprise applications: Baan, J.D. Edwards, Lawson, Oracle, PeopleSoft, SAP HR (MIIS via delimited text), SAP R/3 4.6 and SAP Enterprise Systems (BASIS), SAP Web Application Server (Web AS) 6.20, Siebel
- Enterprise message bus: BEA, IBM WebSphere MQ, Open JMS, Oracle, JBOSS, Sun, TIBCO
- Mainframe: RACF, ACF2, Top Secret
- Midrange: OS/400 (AS/400)
- Database: IBM DB2, Informix, Microsoft SQL Server, MySQL, Oracle, Sybase, JDBC
- Directories: Critical Path InJoin Directory, IBM Directory Server (SecureWay), iPlanet Directory Server, Microsoft Active Directory, Microsoft Windows NT Domains, Netscape Directory Server, NIS, NIS+, Novell NDS, Novell eDirectory, Oracle Internet Directory, Sun ONE Directory Server, LDAP
- Email systems: Microsoft Exchange 2000, 2003, Microsoft Exchange 5.5, Novell GroupWise, Lotus Notes
Legend on the slide: IDM3 in black, MIIS in red.
Slide 49: Supported Platforms
- MIIS
  - Windows Server 2003 Enterprise edition
  - (NB. Also requires SQL Server 2000)
- IDM3
  - NetWare 6.5 SP3 or later
  - Novell Open Enterprise Server (NetWare or Linux)
  - Windows 2000 or 2003
  - SUSE Linux Enterprise Server 9 or 10
  - Red Hat Linux AS 3.0
  - Solaris 8, 9 or 10
  - AIX 5.2L
Slide 50: Getting it all configured
- IDM3
  - Most powerful Designer GUI
  - Natively integrates with eDirectory
  - Self documenting
  - Still needs XML coding for certain things
  - Real time synchronisation
  - No native failover
  - In-built auditing
  - Partner support excellent
- MIIS
  - Designer GUI
  - Does not natively integrate with AD (uses SQL 2000)
  - Requires Visual Studio and coding for most things
  - Not real time synchronisation
  - SQL 2000 able to be replicated
  - No identity auditing capability
  - Partner support excellent
Slide 51: What's it going to cost?
- MIIS
  - MIIS 2003 SP1, Enterprise Edition per CPU (including all MS connectors) - 13,400
  - Windows Server 2003 R2 Enterprise Edition - 2,222
  - Windows Server 2003, Client Access License 20-pack - 444
  - SQL Server 2005 Standard Edition - 3,333
  - Total investment: 19,399
- IDM3
  - IDM3 (including Microsoft Active Directory, Microsoft Windows NT, Novell GroupWise, Microsoft Exchange, Lotus Notes, Novell eDirectory and other LDAP v3 directories), Audit, User application with user self service and password management - 13.88 per user
  - Optional Provisioning Module for Novell Identity Manager 3 (Approval workflow system and Self-service Resource Request) - 5.55 per user
  - Optional integration modules - from 3.33 per user
  - For comparison: 1400 users @ 13.88 is 19,432
All prices exclude VAT, maintenance and discounts / Exchange rate of 1.8
Slide 52: What's in it for the users?
- IDM3
  - Password self-service
  - User Administration
  - White pages and organisational charts
  - Workflow
  - Resource request
- MIIS
  - Password self-service (reset now pulled from SP2)
Slide 53: What's in it for your boss?
- IDM3
  - Audit and compliance
  - Good ROI
  - Open source integration
  - Past, present and future system integrations
- MIIS
  - Good ROI (sometimes excellent)
  - Microsoft integration
  - Nobody's yet been fired for buying MS!
Slide 54: Anything else whilst we're at it?
Slide 55: The Future
Slide 56: Near-term IDM3 Roadmap
- Identity Manager 3.5
  - Scheduled/Random Password Generation
  - Scheduled Event Processing
  - Multi-language Support (Password Challenge/Response, Email Templates)
  - AD-style Password Policy
  - Visual Password Synchronisation for users
  - Anonymous User Self-Registration
  - Matrix Organisation Display and workflow approval
  - UI Enhancements including Portlets for viewing User/Resource Associations
  - Digital Signing of Approvals
  - Matrix organisation and Quorum Approvals for workflows
  - Shareable Policy Libraries
  - Resource Kit (incl. normalised driver configs)
  - IDM Monitoring Tools
Slide 57: IDM3 Roadmap
- Next Major Version of Identity Manager
  - Enhancements in user features (for example...)
    - Additional regulatory compliance management features
    - Additional provisioning workflow capabilities
    - Improved password management features
    - Support for matrix and non-traditional organizational structures
  - Enhancements in infrastructure (for example...)
    - Greater interoperability & integration with existing infrastructure
    - Finer control over event/activity processing
  - Enhancements in deployment process (for example...)
    - Greater automation in deployment
    - Improved deployment scenario flexibility
Slide 58: MIIS Roadmap
Slide 59: MIIS Gemini
- Add core functionality required for Process Integration Services
- End-user self-service password reset
- Rich workflow
- Centralised auditing
- Self-service application platform with integrated workflow and auditing
- Computed attributes
- Entitlement management based on organisational roles
- Expose new functionalities to IT Pros and end users
- Identity manager console for declarative entitlement management
- Self-service applications
- Expose self-service application interfaces for ISVs and corporate developers
Slide 60: Summary
- IDM3 is now a mature product with little major missing; MIIS Gemini is close behind though
- Novell's (lack of) marketing will allow MS to catch up again!
- With Gemini, MIIS will offer a more complete password management story
- Powerful workflow integration and UI entry points for self-service applications could make Gemini as good as IDM3
- MS are already planning Apollo, but the chances of this being platform agnostic are very slim
Slide 61: Questions and Answers?