The Automation of IT

Manufacturing has its robots. Finance has its credit reports. When it comes to automation, IT has Identity Management (IdM) suites. With their combination of enterprise provisioning and automated password management, IdM suites enable the biggest organizations to shave man-hours off IT operations, improve security, and ease compliance woes.

The vendors touting these suites constitute the biggest names in security, management systems, and applications--we're talking BMC Software, CA, HP, IBM, Novell, Oracle, and Sun Microsystems. Having spent millions gobbling up IdM companies, they're now looking to recoup their investments by targeting their suites at midtier enterprises (see "Select Vendors From the IdM Market").

For IT architects, those suites sound like an ideal solution to the privacy and administrative concerns that plague today's organizations. They're easily deployable and inexpensive, according to the vendors, making them the perfect fit for cash-strapped, resource-starved IT departments.

Dig deeper, though, and you'll find these suites are only that in name. There's little integration among the suite components (see "State of Suite Integration"), and interoperability with major applications isn't guaranteed, particularly after patches and upgrades. In short, deployment can take the same amount of time as if the suite components were purchased separately.

All of this means IT should expect to spend three to seven times the product cost in professional services costs, says Bob Bentley, product line manager for identity management at Novell.

At the same time, many of the top suite vendors are angling to control more of the enterprise's core infrastructure. Given the little technology value in their suites, these vendors are proving very aggressive in their RFI bids, going so far as to cut costs and introduce tweaked products to make their suites more appealing to midsize enterprises.However, the most compelling argument for IdM suites may lie in their strategic vision. Ultimately, IdM will become part of the very fabric of IT. To those ends, IdM suppliers must be able to describe how their products and technologies will extend identity throughout the enterprise in a coherent and manageable way.

SECRET IDENTITY

Ever since IBM introduced the first IdM suite in 2003, IdM vendors have dreamt of an integrated privacy and security infrastructure. The motivation is obvious: They can extract more revenue per customer by selling combinations of interlocking products.

Heaven knows enterprises certainly need the software. Identity theft makes for a wonderful motivator when it comes to getting IT to cough up a few more dollars. What major organization can't find funds for security these days? Identity theft aside, companies could face stiff penalties for not conforming to Section 404 of Sarbanes-Oxley and other regulations.

Yet ensuring compliance with those regulations isn't easy. Without IdM software, there's no realistic way for a compliance auditor to determine an employee's access rights across the enterprise's applications, OSs, and servers. New employees will complain when they can't access SAP, but terminated employees never inform IT that their accounts need to be discontinued. Those movie clips of ex-detectives accessing police databases through old passwords aren't without reason. IT architects know they need a coherent way to manage user accounts that won't break the backs of their staff.Then there's the potential to reduce IT costs. Password resets alone are a major burden within large organizations, amounting to $48.54 per employee per year, says Chip Gliedman, vice president of research at Forrester Research. The real value, however, may not so much be in the hard cost savings of password-reset technology, but in the improved customer satisfaction it engenders.

"Don't forget that users can only reset their passwords if they have access to the network," he says. "Often companies end up still servicing password requests because users can't access the very network to which they're trying to reset their password."

As for creating user accounts, IT architects contacted for this story report spending between six and 17 minutes per user. At the Maine Medical Center, an organization of 6,000 regular employees, IT staffers were creating between 20 and 60 accounts a week involving changes to the phone system, payroll system, and all the medical center's applications, says Denis Tanguay, manager of network systems support at the hospital. Previously that took about one man-day per week. He expects to bring that down to a few hours per week with enterprise provisioning.Automating user account creation meant OhioHealth could reallocate its resources. "We eliminated one position responsible for creating user accounts, and I hope to use the funds to hire a security architect," says Mary Jo McElroy, vice president of information services at OhioHealth.

Streamlining IT operations may also mean other benefits. McElroy notes that the company's bond rating improved when it implemented the provisioning system, reflecting a lower investment risk.

INTEGRATION WOES

The gamble, good enough for IBM, appealed equally to nearly every major systems, network management, and software vendor. BMC, CA, HP, Novell, Oracle, Sun, and others subsequently gobbled up IdM companies. Today their suites include technologies from the four major IdM areas: user management, auditing, authentication, and authorization (see "Wrapped Suites" ).

However, three years after IBM's introduction of the Tivoli Identity Management Suite, enterprises are still waiting to realize the administrative benefits that were supposed to accompany the suite. "The promise hasn't materialized in large part because vendors have taken longer to integrate their offerings than expected," says Gerry Gebel, senior analyst at the Burton Group.IBM still doesn't use a common workflow engine within its suite. While Sun has integrated some of its offerings (including a common console, role model, and user administration) since its acquisition of provisioning vendor Waveset Technologies, it still has more integration work ahead of itself, writes Mike Neuenschwander, associate research director at Burton, in his report "Identity and Privacy Strategies."

CA and HP are also "struggling" to meet their announced deadlines for component integration, notes Neuenschwander. CA only shipped its Identity Manager, which integrates the company's own provisioning technology with Netegrity's, in December. The identity product uses a different workflow system from other CA products, though the company does offer an interface between the two.

HP still has its work cut out for it with its November acquisition of Trustgenix, another enterprise provisioning vendor. Oracle is likely to face the biggest challenge given its acquisitions, the latest being that of Oblix and Phaos Technology.

In short, vendors underestimated the challenge of integration. "Given the difficulty of integrating suite components, vendors are finding it more cost-effective for now to integrate only the components that bear significant affinities," writes Neuenschwander. He points to authentication and authorization features as one example.

TOUGH CHOICESThe lack of suite integration puts IT architects of midtier companies in a quandary. Should they purchase suites from brand-name suppliers, or select best-of-breed products in each category from suite vendors and start-ups? The answer isn't obvious.

Organizations rarely need every function offered in an IdM provider's suite. The architects contacted for this story resoundingly backed enterprise provisioning and auditing tools for compliance. All were bullish about technologies off-loading password resets from the help desk, but many already implement those applications internally. Directories, federation, and strong authentication technologies were less popular.

Given that individual technologies are readily available, architects could arguably cut a sweeter deal with the roughly 20 independent provisioning vendors in the market. Deployment times will be lengthy in any case, with at least one architect of a 6,000-user IdM system citing a deployment cycle of six months.

IT can take steps to minimize those problems. Job one is getting the house in order. "Only after the processes have been better optimized and the controls identified can enterprises leverage automation for additional benefits," says Greg Bell, partner in the Advisory Services, Information Risk Management practice of KPMG.

But improved processes only cut it so far. More so than the technology or improved organizational processes, sufficient expert assistance from the integrator or reseller is key. Maine Medical Center's Tanguay found that out the hard way when his integrator allocated one "whiz kid" to his project, and not the two or three technicians needed to complete the job.Even when the integrator finishes the job, architects can still encounter interoperability problems between new application releases and the connectors written by the ISVs. One major software company that had been a long-time user of Business Layers' provisioning system (later acquired by Netegrity and then CA) found that upgrades to Active Directory would routinely crash the Business Layers system software. The company is now looking for a new system.

The same goes for another major health care-related company, which experienced extensive problems with the connection between its Sun Java System Identity Manager, Sun provisioning system, and Domino. The company found that Domino couldn't keep pace with the Identity Manager when importing users en masse (a common step during mergers and acquisitions).

In theory, these sorts of problems can be addressed through the Service Provisioning Markup Language (SPML). The standard allows provisioning systems to communicate with one another and with target applications. Application vendor support for SPML would obviate the need for connectors.

In practice, however, SPML adoption is slow. According to Burton's Gebel, that's in part because the first version of the standard couldn't support complex data models, and in part because the market has yet to demand support for it. "It's a classic chicken-and-egg problem," he says.

There's a good side to all of this. Invariably organizations will run homegrown systems or point products that can serve as test cases for selecting IdM solutions. OhioHealth, for example, used an application written in MUMPS to test its provisioning system. "It's very hard to work with," says the health care provider's McElroy of the application. OhioHealth was able to narrow its selection down to five vendors: CA, IBM, Novell, RSA Security, and Courion.They selected Courion's Enterprise Provisioning Suite, a group of application that span account provisioning, password reset and synchronization, digital certificate registration, and profile management. A major reason for selecting Courion was its ability to quickly adapt to arcane applications, in the case of OhioHealth that meant working with legacy application based on the MUMPS environment. "By provisioning users effectively across the entire organization, we’ll be able to focus on automating our business and auditing processes to instill best practices around access and identity management," said Mary Jo McElroy, senior vice president of IS, OhioHealth.

A BUYER'S MARKET

At the same time, many of these same companies--namely BMC, CA, HP, and IBM--are trying to become the supplier for your company's core configuration management and IdM databases.

Controlling those databases, says Forrester's Gliedman, allows them to get deep into the management of the company's structure, opening the way for numerous cross-selling opportunities.

It's no surprise, then, that IdM suite vendors are aggressively chasing the market. IT architects report that providers are discounting their bids by as much as 50 percent off the original offer without much pressure. They've pointed to IBM in particular, which has been low-balling its RFP responses (yes, that's right, IBM). Meanwhile, Sun has moved to an open-source licensing model."These vendors are just desperate to make a sale," says Jonathan Fields, director of IT at one software company. Fields is in the middle of an RFI on IdM technologies.

To capture more of that market, vendors are also introducing over the next six months tweaked versions of their suites that are easier to deploy and more appropriate to midsize enterprises. This month, for example, IBM will release an "Express" version of Tivoli Access Manager (TAM) that will provide what IBM calls "request-based" provisioning for midsize enterprises.

Under this model, once the HR system passes new employee data to the provisioning system and the new users are added to the system, managers can then use the software to request privileges for their employees. By contrast, role-based provisioning, available in IBM's full-blown version of TAM, allows for those resources to be automatically allocated to the user without any interaction with the individual. IBM will offer TAM Express at one-third off the price of TAM.

BMC is also in the process of beefing up its midtier offering. The company released its Identity Management Suite 5.0 last October. The software targets provisioning in the largest enterprises, particularly those built around Java technology and using WebSphere or WebLogic application server platforms. BMC also has Identity Management Platform for .NET, technology it acquired when it purchased OpenNetwork Technologies in March 2005. The Identity Management Platform for .NET is targeted at Microsoft-centric shops and augments the Microsoft Mobile Information Server (MMIS), which offers some basic identity management capabilities.

This quarter Novell is expected to release Designer, an Eclipse-based front end that allows IT to graphically configure complex IdM systems with drag-and-drop tools. Using Designer, Novell says architects can model "what if" scenarios prior to deploying systems in production. In addition, Designer can automatically generate detailed documentation about policies and approval workflows to be used in compliance initiatives. It can also support reusability to reduce deployment time on new policies and workflows.Similarly, Sun will release a new version of Business Process Editor (BPE), its graphical interface for designing and implementing workflows and rules. The next generation of BPE aims to enable non-technical audiences, such as security analysts tasked with designing, testing, and implementing security controls, to create rules and workflows.

How well these provisioning tools adapt to the needs of midsize businesses is another matter. Increasingly, IT must assign more than application rights to people. They also need to assign objects such as phones, laptops, credit cards, pass cards, and the rest of an employee's business tools. Large enterprises may have the luxury of using discrete systems for these functions, but midsize enterprises will appreciate a common system to manage all those devices.

Today's IdM products manage such items in varying degrees. Sun, for example, requires customization and will make object templates part of version 6.1, which will be released this year, says Andy Land, product line manager for identity management within Sun. On the other hand, CA doesn't provision objects.

CA points out that its technology is unique in that its robust delegation model enables organizations to delegate the administration of users to those closest to the user base. This could be the local departmental manager, another business unit, or an external party such as a partner. However, other suite vendors claim similar functionality, and it's unlikely that midsize businesses will want the thousands of tiered support that such a product can offer.

The major advantages of HP's IdM suite may also not apply to midsize enterprises. The company's Identity Manager, for example, is particularly targeted at virtualized data centers. It provides a unique concept of services or groups that, according to Sai Allavarpu, HP's director of product management and marketing for identity and security solutions, makes maintaining many servers much easier. However, such a problem is most commonly experienced only by the very largest enterprises.THE FUTURE

Ultimately, the strongest argument for IdM suites may be in their ability to extend the technology into the rest of the IT infrastructure. As the provider of reliable identities, IdM suites should be able to resolve the security and trust concerns inhibiting online business transactions and remote data access--the two functional requirements that permeate much of today's business.

How such technology is conceived and implemented depends on the vendor's orientation. All vendors are looking to provide access to imbedded IdM for applications, though few are as well-positioned as Oracle. The company's acquisitions of PeopleSoft and JD Edwards, factored in with its own product line, puts it in the unique position of being both an IdM leader and an application infrastructure leader. The company aims to incorporate IdM into its applications as part of a larger process that will integrate the three different product sets. This process, dubbed Project Fusion, is expected to extend out to 2013.

As part of that effort, Oracle will build authentication services into its IdM software. The software itself will combine technology from its acquisitions of Oblix, OctetString, Phaos, and Thor Technologies, along with its own product set.

Once finished, the IdM products will use the same business process engine used in workflow and orchestration tools. In this way, business process tools used for modeling business applications will also be able to model new employee provisioning. Oracle applications, which previous only worked with Oracle's own directory, will also work with Fusion and, by extension, just about any LDAP directory.

Oracle's success is hardly guaranteed. The integration work the company faces is enormous. IT has a burning need for IdM technologies and can't be expected to wait seven years before realizing the full benefits of a platform. Even then, today's environment involves non-Oracle applications such as SAP. How these products will fit into the Oracle strategy is unclear, although the company will most likely resort to using connectors just like everyone else. Finally, as Burton's Gebel notes, most of Oracle's acquisitions weren't market leaders. Still, the company claims to have 250,000 total customers--plenty of opportunity to bundle identity products into e-business, collaboration, and database solutions.

Meanwhile, competing IdM suite providers are continuing to tie their offerings into the underlying application server and management infrastructure. BMC isn't alone in this matter. IBM's IdM is also integrated into its WebSphere platform.

Executive Editor David Greenfield can be reached at NetMagDave across every major IM system, or, if you must, via e-mail at [email protected].Wrapped Suites

Today's IdM suites consist of products spanning four areas: user management, auditing, authentication, and authorization. User management technologies involve the creation and storage of user profiles. Enterprise provisioning systems allow organizations to automate the configuration of user identities across corporate databases and applications. Examples of provisioning systems include Oracle's Xellerate Identity Provisioning, IBM's Tivoli Identity Manager, CA's Identity Manager, BMC's User Administration and Provisioning, HP's OpenView Select Identity, and Novell's Identity Manager 3.

These products involve a data repository for storing provisioning information, a workflow engine for carrying provisioning requests and responses to and from applications, and connectors for interfacing with corporate applications. Two years ago, provisioning systems jockeyed for bragging rights in part based on whether those connectors used an agent or agentless architecture. Agent-based architectures place software on the application servers to allow the enterprise provisioning system to interact with the targeted application. Agentless designs provide a similar function without touching the application server. Today all provisioning systems implement agent and agentless designs, leaving IT to select the best approach.

Credentials and user passwords are held in the first component of user management, the corporate directory. This might be Microsoft's Active Directory, CA's eTrust, Novell's eDirectory, or Sun's Java System Directory. Metadirectories, and more commonly virtual directories, provide a single control point for the multiple directories characteristic of large organizations. Metadirectories copy data from other repositories into a new repository that must then be maintained and synchronized. Virtual directories, on the other hand, join information from multiple directories without building another permanent repository.

Validation and auditing technologies ensure that policies are executed properly, and that an accurate audit trail is maintained for auditors. Vendors provide specific auditing modules for ensuring compliance with HIPAA, Sarbanes-Oxley, and other regulations. These modules let IT understand who has access to what, as well as give it the ability to enforce controls over those privileges and repudiate them if necessary. The modules will also maintain historical data for auditing purposes. Auditing systems should report on privileges, roles, and activity, the last of which should be stamped with the date, time, and user details.Authentication and authorization technologies control access to services and resources on the network. Authentication identifies users and applications through passwords, biometric devices, tokens, or certificates. Authentication is necessary when access occurs within a single organization (Enterprise SSO), across organizations using federated identities, or when a company provides access to consumers though the Web (Web SSO).