IAM Suites

We tested five identity- and access-management suites. Our Editor's Choice won for its comprehensive feature set and outstanding management interface.

July 2, 2004

Network Computing

Not Just Set and Forget

An IAM implementation involves more than buying the software and setting aside a few days to install it. It requires considerable planning and may demand consultants; we list some of the resource and identity-store information you'll need to gather in "Roll Out the Red Carpet." All the products we tested scaled well to thousands of simultaneous users, and any of them will meet most enterprise needs. The major variables are the products' features and ease of use.

All the products are priced per user, and most require a minimum of 1,000 users. Per-user prices range from $20 to $50, but beware the hidden costs: All the vendors recommend consulting services. A global IAM consultant told us IAM implementation typically takes six months, and more than a year for large enterprises.

With the exception of Novell, which offers only a reverse-proxy mode, all the vendors provide both agent and proxy approaches (HP relies on third-party proxies rather than shipping its own). To implement agents, you typically install an ISAPI/NSAPI filter, or an equivalent plug-in, on each Web server that will be part of the IAM infrastructure. In the long run, an agent approach means one more component to patch and upgrade on every server, but it provides more granular control and no single choke point. A reverse proxy, placed between the client and the Web servers, requires no server modifications, which makes it a good choice for shops running a Web server for which the vendor doesn't offer an agent, such as older versions or unsupported platforms. It has two costs, however. The network must be reconfigured so that protected servers are reachable only through the proxy; a server that clients can still reach directly is not protected at all. And performance can suffer unless you use a redundant, load-balanced proxy tier, because all traffic is funneled through the proxy rather than distributed across many servers.

Our Impressions


IAM Suite Features (table)

HP became a major player in the IAM market with its 2003 acquisition of Baltimore Technologies' Select Access identity-management product. Select Access won our Editor's Choice award in this review, with Novell a close second. Select Access offers a competitive feature set and a management interface second to none. With most products, we spent days trying to configure and implement tasks that with Select Access were quick and easy.

Although we found Novell's package comprehensive and powerful, it requires multiple Novell products and would be a big step for a non-Novell shop; several admins would be needed to maintain the Novell IAM installation. RSA's ClearTrust, on the other hand, is easy to use and would work well for organizations with staff programmers who like to tinker. However, though ClearTrust has most of the core features of an enterprise IAM suite, it lacks out-of-the-box support for multiple identity stores, something organizations should demand--especially since ClearTrust is among the more expensive products.

We were not impressed with Entegrity's AssureAccess. It doesn't support the latest OSs or Web servers, and it lacks many of the features found in rival products, notably money-saving user self-service features, such as password resets. To see what the other IAM products offer in self-service functionality, see "IAM Suite Features."

Select Access is simple to manage and supports all the IAM features we sought. We used the Select Access setup tool to install agent plug-ins on all the Web servers we wanted to protect. Unlike the other products tested, Select Access doesn't offer its own reverse-proxy server; it does, however, support third-party proxies. Select Access uses an administrative service to set up and store policies, and a validator service to authenticate administrators and users. Although it's common to set up a single administrative service, we could set up multiple validators to provide redundancy in case the primary server failed.

We administered Select Access through its Policy Builder, a Java GUI that launched in a Web browser when we logged on to the administrative site. This interface is the best of those we looked at. Its use of a visual policy matrix to map relationships between organized trees of users and resources is simple and intuitive.

On the user tree, we easily added our Active Directory and Sun One Directory. Within each directory, we viewed users, groups and roles. Creating a new role is as simple as right-clicking on the directory and picking the user attributes that define that role: For example, we set up a role so that users who had booked sales greater than $100,000 would have access to a resource. We could create custom rules by dragging and dropping appropriate icons onto a chart and then configuring their values. These icons represent common restrictions, such as network address, time of day, IP address, port, attributes and encryption level. Lastly, self-service was a snap to set up--we simply specified which attributes users should be allowed to edit.

Select Access comes with a network-discovery tool that populates the resource tree list with available resources and services. At first we thought this would be quite useful, but a consultant who has used this product in the enterprise explained that's not so usable with hundreds or thousands of resources, because it will list every directory and file rather than grouping them, as an administrator would likely do.

The tree also has an administrative branch, which let us effortlessly use the policy grid to assign rights to users, groups or roles. This branch lists attributes, functions, network management and user management, and let us delegate administrative rights for all these tasks in any combination.

By default, all users inherit their permissions from their parent objects. To create exceptions or special cases, we used the group view to locate the desired user and simply checked a box in the grid. With thousands of resources and users, the grid can be difficult to read, but it does give a complete schematic of the infrastructure.

HP OpenView Select Access 6.0. Hewlett-Packard Co., (650) 857-150. www.hp.com

Novell's iChain is the only product tested that we would call a soup-to-nuts offering; it encompasses identity storage, identity management and access control. The system we installed used iChain to control access to our Web resources while integrating all our data repositories using DirXML. Management was performed via iManager and ConsoleOne, with eDirectory serving as the central data repository for user and configuration information. While the other vendors sent one technician to our labs, Novell sent four, each with expertise in one of the above products. This turned out to be a sign of things to come--the Novell products didn't always work together as well as we would have liked.

As the name suggests, NDS eDirectory is a directory service--essentially NDS detached from NetWare. In addition to storing user data, it can manage information on applications, network devices and other data, such as configuration information for DirXML. eDirectory supports LDAP and scales to store millions of objects. After setting up eDirectory, we imported all our users from Active Directory. It would have been nice if we didn't have to change directory stores, but the DirXML component required us to port these identities to eDirectory.

Few organizations are lucky enough to have all their identities in one repository, which is where DirXML comes in handy. Using DirXML communication drivers, we could share and synchronize data between eDirectory and other applications, including SAP, PeopleSoft, Lotus Notes, Microsoft Exchange, Microsoft SQL Server and Active Directory. eDirectory remains the master directory and synchronizes with the others, but data must reside in the master directory for this to happen. The drivers detect when data changes in any of the identity stores and propagate the information across the repositories via configurable filters and policies. Filters specify which attributes are synchronized at all; policies specify what is done with them. We set DirXML to use eDirectory as the authoritative repository for passwords: When a password changed in eDirectory, our policy propagated the change to Active Directory and SQL Server, but a password changed directly in Active Directory or SQL Server was overwritten by the value in eDirectory.
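The filter-plus-policy behaviour described above, as an added example that is not Novell's code or DirXML's configuration format: a small synchronization engine in which a filter lists the attributes that are synchronized at all, and an "authoritative source" policy makes the master's value win for passwords by writing it back over a change made elsewhere. The store names, the users and the attribute values are constructed for the example.

```python
from copy import deepcopy

# Constructed identity stores: identity -> attributes. eDirectory is the master.
STORES = {
    "eDirectory": {"jsmith": {"title": "Analyst", "password": "H1"}},
    "AD":         {"jsmith": {"title": "Analyst", "password": "H1"}},
    "SQL":        {"jsmith": {"title": "Analyst", "password": "H1"}},
}
MASTER = "eDirectory"
# Filter: only these attributes are synchronized; anything else stays local.
FILTER = {"title", "password"}
# Policy: attributes for which only the named store may originate a change.
AUTHORITATIVE = {"password": MASTER}


def fresh_stores() -> dict:
    """Independent copy of the sample stores so each run starts clean."""
    return deepcopy(STORES)


def change(stores: dict, source: str, user: str, attr: str, value: str) -> list:
    """Apply a change made in `source` and run the sync logic.
    Returns the (store, attr, value) writes the engine performed in response."""
    stores[source].setdefault(user, {})[attr] = value      # the event: value changed at source
    writes = []
    if attr not in FILTER:
        return writes                                       # filtered out: never leaves the source
    if attr in AUTHORITATIVE and source != AUTHORITATIVE[attr]:
        # Policy: the master is authoritative, so the foreign change is overwritten
        # with the master's current value rather than propagated.
        master_value = stores[MASTER][user][attr]
        stores[source][user][attr] = master_value
        writes.append((source, attr, master_value))
        return writes
    # Otherwise accept the change and push it to every other store.
    for name, store in stores.items():
        if name != source:
            store.setdefault(user, {})[attr] = value
            writes.append((name, attr, value))
    return writes
```

The write-back on a non-authoritative password change is the point to notice: a user who resets a password in Active Directory gets it silently reverted, so the help desk needs to know which store the policy treats as the source of truth.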


Vendors at a Glance (table)

DirXML is configured through iManager, Novell's Web administration console. The interface for DirXML consists of a visual representation of drivers, filters and policies. Clicking on these launches the appropriate configuration forms. The interface is user-friendly enough to let us configure and edit simple options without much training; however, properly installing and maintaining the infrastructure is not trivial.

DirXML is extremely powerful, and we wish other vendors could incorporate it into their products. However, at this time DirXML can only be used with eDirectory. Perhaps Novell will realize the potential of this product and open it up for third-party integration.

After setting up our policies, we moved on to iChain, a reverse-proxy server used for access control. As we mentioned, Novell's is the sole product that uses a reverse-proxy server rather than an agent model. We had to reconfigure our network to allow access to protected resources only through the iChain proxy server, something that could be very difficult in a large, complex or distributed enterprise environment. To get the iChain server up and running, we just entered the location of our authentication server and its ISO (iChain Service Object), which is a configuration object for iChain. The ISO contains information on the resources to be protected and the rules for granting access to those resources.

The ISO is stored in eDirectory, and we used the iChain snap-in for ConsoleOne to set up and configure an ISO for our IIS and Apache Web servers. We granted and denied access to various resources by setting up static or dynamic ACLs. The dynamic lists can be based on the values of user attributes within eDirectory. We hope Novell plans to integrate iChain with iManager, which would allow all configuration from a single location.

Novell iChain 2.3. Novell, (888) 321-4272, (781) 464-8000. www.novell.com

ClearTrust uses an agent model consisting of three components--the dispatcher, authorization and entitlements services--that all run on one server. The authorization service makes policy decisions, the entitlements service provides the interface to the identity store, and the dispatcher maintains session keys between the components. In a typical scenario, when a user tries to access a protected resource, the agent checks to see if the user is logged in; if not, a login form is displayed. Once the user is logged in, the agent connects to the authorization service to verify that the user is authorized to access the resource. If the authorization service has this information in its cache, it returns the appropriate permission to the agent directly. If not, the authorization service communicates with the entitlements service, which retrieves the information from the identity store.

We installed the RSA ClearTrust agent on each of our Web servers that needed restricted access. On IIS, the agent was implemented as an ISAPI filter, as was the case with most products we tested. RSA supports most common Web servers, and unsupported servers can be secured by providing access through RSA's ClearTrust Access Control Module (ACM), which is a reverse-proxy server.

Unlike Novell's iChain, ClearTrust doesn't support multiple identity stores out of the box. RSA recommends that an organization consolidate its identities in one location. This might be a best practice, but it's not within the realm of reality for many enterprises. RSA says ClearTrust doesn't aim to manage identities across several different directories; if this were an organizational requirement, it would team up with a third party to provide this component. RSA's identity application does provide self-service, self-registration and password reset, but this is also not part of its core technology. Rather, RSA gains these user-management features through a partnership with Thor Technologies.

ClearTrust's administrative interface is Web-based and runs on BEA WebLogic or Tomcat. The interface, which consists mainly of resources, administrators, users and entitlements, is intuitive and well-organized, letting us select users and easily grant them access to resources. We also used RSA "smart rules," which let us provide access dynamically based on user attributes rather than on only assigned roles. Although our attempt to create a custom extension module that would grant access based on information in our MS SQL repository fell prey to the limited time we had to tinker with the products, with the right consultants or programmers ClearTrust is quite customizable, boasting nearly 300 APIs for Java, C, DCOM, JAAS, XML, SOAP and others. This will not be a selling point for organizations that use only a single identity store or are willing to consolidate their information; however, companies that use several identity stores may need to keep programmers on staff to handle some access-control issues.

Other notable ClearTrust features are delegated administration and federated identity management. For delegation, we created roles to be applied to distributed administrators. We could use the roles to define whether an administrator had the authority to add, edit or delete other administrators, users, groups, applications, servers, passwords, roles and properties. Although we didn't do any testing using ClearTrust's federated identity management component, the product does support the latest SAML standard. Finally, we were less than ecstatic about ClearTrust's reporting, which consisted of permitting the export of a CSV file; ClearTrust needs more detailed report options.

RSA ClearTrust 5.5.2. RSA Security, (877) 772-4900, (781) 515-5000. www.rsasecurity.com

SiteMinder and IdentityMinder together provide a complete IAM package. SiteMinder is Netegrity's access-control product, while IdentityMinder is used for identity management. Like most of the products we tested, SiteMinder protects Web resources through the use of agents installed on the protected Web servers. For unsupported Web servers, SiteMinder offers a reverse-proxy server.

We installed agents on our IIS and Apache Web servers, which we set up to communicate with SiteMinder's central policy service. All policies, agents and authentication schemes are configurable on the policy service. When a user attempts to access a protected resource, the agent intercepts the request and presents the user with a credentials form. These credentials are passed to the policy service, which verifies them against the identity store and then grants or denies access based on the policies in place. When a user is granted access to the resource, SiteMinder can pass user profile information, through HTTP headers, to the secured Web application to enable the customization of content.
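Passing user profile information to the application in HTTP headers, as described above, works only if the application can tell headers set by the agent apart from headers a client supplied itself. The following is an added example, not SiteMinder's mechanism or code: a model of an enforcement point that strips any client-supplied identity headers before setting its own, and signs what it sets with a timestamped HMAC that the application verifies. The header names, the shared key and the five-minute freshness window are assumptions of the example, and header names are assumed to have been normalised to the spelling shown (HTTP header names are case-insensitive).

```python
import hashlib
import hmac
import time

# Demo-only key shared by the enforcement point and the application (an assumption
# of this example; a real deployment would distribute it through configuration).
SHARED_KEY = b"demo-only-shared-secret"
IDENTITY_HEADERS = ("X-User", "X-Roles")            # hypothetical header names
SIG_HEADER, TS_HEADER = "X-Identity-Sig", "X-Identity-Ts"
MAX_AGE_SECONDS = 300


def _canonical(headers: dict, ts: str) -> bytes:
    """Deterministic byte string over exactly the headers the agent vouches for."""
    parts = [ts] + [f"{name}:{headers.get(name, '')}" for name in IDENTITY_HEADERS]
    return "\n".join(parts).encode()


def agent_forward(client_headers: dict, user: str, roles: list, now: int = None) -> dict:
    """Model of the agent/proxy: drop any identity headers the client sent,
    set the authenticated identity and sign it together with a timestamp."""
    now = int(time.time()) if now is None else now
    reserved = set(IDENTITY_HEADERS) | {SIG_HEADER, TS_HEADER}
    forwarded = {k: v for k, v in client_headers.items() if k not in reserved}
    forwarded["X-User"] = user
    forwarded["X-Roles"] = ",".join(roles)
    forwarded[TS_HEADER] = str(now)
    mac = hmac.new(SHARED_KEY, _canonical(forwarded, str(now)), hashlib.sha256)
    forwarded[SIG_HEADER] = mac.hexdigest()
    return forwarded


def app_identity(headers: dict, now: int = None):
    """Model of the protected application: accept the identity headers only if the
    signature verifies and is fresh. Returns (user, roles) or None."""
    now = int(time.time()) if now is None else now
    ts, sig = headers.get(TS_HEADER), headers.get(SIG_HEADER)
    if ts is None or sig is None or not ts.isdigit():
        return None                                  # unsigned: did not pass through the agent
    if abs(now - int(ts)) > MAX_AGE_SECONDS:
        return None                                  # stale or replayed
    expected = hmac.new(SHARED_KEY, _canonical(headers, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                                  # altered after the agent signed it
    roles = [r for r in headers.get("X-Roles", "").split(",") if r]
    return headers.get("X-User"), roles
```

The stripping step matters as much as the signature: without it, a client that reaches the application directly (or through a misconfigured proxy that merges headers) can present whatever identity it likes. This is one more reason to make sure protected servers are not reachable except through the agent or proxy.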

SiteMinder is controlled through a Web interface, which launches a Java applet. At first, we were comforted by the interface's similarity to the MMC (Microsoft Management Console). However, we soon realized that we needed to study Netegrity's security model and learn a new vocabulary--with terms like realms, policy domains and identity environments--before we could configure anything. Although this isn't necessarily a bad thing given the complexity of the technology, Netegrity's interface was the most difficult to manage. For example, though the configuration interface has a help button, it didn't always lead us to relevant information, forcing us to search in more than one place before we found what we needed.

Using SiteMinder, an administrator can configure one or more Policy Domains. For our tests, we created a single domain, which contained our realms, policies and administrators. A realm is a group of related resources that must be secured. We configured a realm with several folders on an IIS 6.0 Web server as the resources to be protected and assigned an "authentication scheme" using Active Directory as the identity data repository for authentication.

SiteMinder supports several authentication schemes, including HTML forms-based authentication, digital certificates, token authentication and custom-built authentication libraries. We defined a numeric "protection value" from 0 to 1,000 for each authentication scheme. Thus, different realms within our domain could require different protection levels. Users logging in with basic form-based authentication would have single sign-on to all realms of equal or lower protection levels, but might have to reauthenticate using a token if they wanted to access a realm with a higher protection level.

Within a realm, we could set up rules, responses and policies. A rule indicates which actions are permitted for a given resource; responses define the action that should be taken when a rule is triggered; and policies tie rules and responses together. In addition, policies could be used to place time- or IP-address-based restrictions on the resource. We were happy to see that SiteMinder supports multiple user stores (directories or relational databases) and lets administrators specify the order in which they are to be searched when a user logs in. Finally, with its latest releases, Netegrity (which is actively involved in the Liberty Alliance) supports both inbound and outbound federated identity management (FIM).
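The protection-level step-up rule from the SiteMinder discussion and the attribute, time-of-day and address restrictions seen in both Select Access and SiteMinder share one decision shape, shown here as an added example that is neither product's code or policy format. A session carries the level of the scheme it authenticated with; a realm requires a scheme with a level; the decision is "allow", "deny" with a reason, or "reauthenticate" with the scheme to use. The scheme names, level values, realms and the booked-sales rule are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time as dtime
from typing import Callable, Optional
import ipaddress


@dataclass(frozen=True)
class AuthScheme:
    name: str
    protection_level: int            # 0..1000; higher means a stronger login


@dataclass
class Policy:
    # Hypothetical restriction model: every listed condition must hold.
    allowed_networks: list = field(default_factory=list)        # CIDR strings
    hours: Optional[tuple] = None                                # (start, end) local times
    attr_rule: Optional[Callable[[dict], bool]] = None           # rule over user attributes


@dataclass
class Realm:
    name: str
    scheme: AuthScheme               # scheme the realm requires
    policy: Policy


@dataclass
class Session:
    user: str
    scheme: AuthScheme               # scheme the user actually authenticated with
    attrs: dict


def decide(realm: Realm, session: Session, src_ip: str, now: datetime) -> tuple:
    """Return ("allow", realm), ("deny", reason) or ("reauthenticate", scheme name)."""
    # Single sign-on reaches realms at an equal or lower level; higher levels need step-up.
    if session.scheme.protection_level < realm.scheme.protection_level:
        return ("reauthenticate", realm.scheme.name)
    pol = realm.policy
    if pol.allowed_networks:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in ipaddress.ip_network(net) for net in pol.allowed_networks):
            return ("deny", "source address not permitted")
    if pol.hours is not None:
        start, end = pol.hours
        if not (start <= now.time() < end):
            return ("deny", "outside permitted hours")
    if pol.attr_rule is not None and not pol.attr_rule(session.attrs):
        return ("deny", "attribute rule not satisfied")
    return ("allow", realm.name)


# Constructed sample configuration.
FORMS = AuthScheme("forms", 5)
TOKEN = AuthScheme("token", 15)
REALMS = {
    "intranet": Realm("intranet", FORMS, Policy()),
    "finance": Realm(
        "finance", TOKEN,
        Policy(allowed_networks=["10.0.0.0/8"],
               hours=(dtime(8, 0), dtime(18, 0)),
               attr_rule=lambda a: a.get("booked_sales", 0) > 100_000),
    ),
}


def at(hour: int) -> datetime:
    """Helper for the examples: a fixed date at the given hour."""
    return datetime(2004, 7, 2, hour, 0)
```

Note the order of the checks: the step-up test comes first so that a forms-authenticated user is sent to the token login rather than told a policy reason that leaks what the realm requires.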

IdentityMinder also employs a Web administration interface, which uses HTML forms instead of Java applets. We could configure directories, environments, work flows, tasks and roles. An IdentityMinder environment is another term we needed to study before we began testing. It's defined as a customized view of a directory, so while a given directory may be associated with several environments, each environment uses a single directory.

In addition, IdentityMinder supports delegated administration and self-service. As with other products, we set up a work flow that automated the approval of new identities. And as if there isn't enough to learn within the product, custom applications can be developed using IdentityMinder's APIs.

SiteMinder is a proven, reliable product that has a tremendous number of options and a straightforward way to do basic access-control functions. Organizations can use SiteMinder without IdentityMinder--something we appreciated, as IdentityMinder is complex. Note to Netegrity: If you want to endear yourself to IT administrators, make their jobs easier. Focusing on better integration of the functionality and management within these products would be a good place to start.

Netegrity SiteMinder 6.0; Netegrity IdentityMinder Web 5.6. Netegrity, (800) 325-9870, (781) 890-1700. www.netegrity.com

Entegrity's AssureAccess has been around as long as most of its rivals but has fallen behind in terms of overall functionality and value. For example, AssureAccess was the only product we tested that didn't support IIS 6.0 or Windows 2003 in any capacity and the only one that didn't perform identity management out of the box.

Entegrity refers to its agents as "adapters." Adapters are available for most well-known Web and application servers, plus the truly ambitious can create custom adapters using the available APIs. The three components required for AssureAccess are an audit service, an authentication service and a management-console service. The management console connects to the identity store for product configuration.

Unlike its rivals, which had Web-based management consoles, Entegrity's Management Console is a locally installed Java application, so we had to log in remotely, via terminal services, to manage the product from an outside location. In the process of installing it on our Windows 2000 Server, we were surprised to find that though AssureAccess supports most LDAP directory servers, the installation program configures only iPlanet automatically. We followed the documentation and without much aggravation manually configured Active Directory to add the classes and attributes required by AssureAccess.

The user interface is designed with a domain tree on the left. Selecting an object in the tree displays the appropriate configuration options on the right, with a useful context-based help panel below. The security model consists of a root domain, which can contain one or more subdomains. Subdomains inherit their default properties from their parents, a scheme that's helpful for configuring complex environments.

Within the domain tree are folders that contain several options, including protected resources, authentication profiles, policies, configurations and user repository connectors. AssureAccess has four types of policies: authorization, audit, authentication and administration. Once we created our policies, we could apply them to the appropriate resources and domains. One example: For a particular resource, we wanted to dynamically grant access to all users with the title of "manager." To do this, we had to first create an authentication policy that added the user's "title" to the attribute certificate generated when a user logs in. Then an authorization policy was created to grant access based only on that attribute.

It's interesting to note that while all policies are managed centrally, they are enforced by the locally installed adapter; there is no central authorization service of the kind the other products use. Thus, a policy change, including a revocation, takes effect on a given server only when its adapter refreshes its policy cache, at an interval that administrators specify. We also could force an immediate update of all the policy caches by selecting "send update" from the management console, which is what you would do after revoking someone's access rather than waiting for the next scheduled refresh.
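The consequence of enforcing from a per-server policy cache, as an added example that is not Entegrity's code: a central store holds the authoritative rules, each adapter serves decisions from a copy it refreshes at a fixed interval, and a right revoked centrally stays usable on that server until the next refresh or a forced "send update". The resource, group and interval values are constructed, and the timestamps are passed in explicitly so the behaviour is reproducible.

```python
class PolicyStore:
    """Model of the central management console: the authoritative policy."""

    def __init__(self):
        self.rules = {}             # resource -> set of groups permitted to access it
        self.adapters = []          # adapters registered for forced updates

    def grant(self, resource: str, group: str) -> None:
        self.rules.setdefault(resource, set()).add(group)

    def revoke(self, resource: str, group: str) -> None:
        self.rules.get(resource, set()).discard(group)

    def send_update(self, now: int) -> None:
        """The console's 'send update': push the current policy to every adapter now."""
        for adapter in self.adapters:
            adapter.refresh(now)


class Adapter:
    """Model of a Web-server adapter that enforces from a local policy cache."""

    def __init__(self, store: PolicyStore, refresh_interval: int):
        self.store = store
        self.refresh_interval = refresh_interval    # seconds between scheduled refreshes
        self.cache = {}
        self.loaded_at = None
        store.adapters.append(self)

    def refresh(self, now: int) -> None:
        # Take a copy: the adapter must keep working if the console is unreachable.
        self.cache = {res: set(groups) for res, groups in self.store.rules.items()}
        self.loaded_at = now

    def is_allowed(self, resource: str, user_groups: list, now: int) -> bool:
        # Scheduled refresh only when the interval has elapsed; otherwise serve the cache.
        if self.loaded_at is None or now - self.loaded_at >= self.refresh_interval:
            self.refresh(now)
        return bool(self.cache.get(resource, set()) & set(user_groups))


def worst_case_revocation_delay(adapters: list) -> int:
    """Longest time a revoked right can remain enforceable if nobody sends an update."""
    return max(a.refresh_interval for a in adapters)
```

The interval is therefore a security parameter, not just a performance knob: it bounds how long a terminated user keeps access on every server unless an administrator remembers to force the update.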

AssureAccess. Entegrity Solutions, (800) 525-4343, (603) 882-1306. www.entegrity.com

Jeffrey H. Rubin is a senior instructor with the School of Information Studies at Syracuse University and president of Internet Consulting Services.

Ravind Budhiraja is a Web administrator for the College of Law at Syracuse University and a consultant with Internet Consulting Services. Send your comments on this article to [email protected].

Juniper Networks and Imprivata both offer identity and access management in appliances rather than software. After examining these devices and speaking with the vendors, we determined that they didn't meet all the prerequisites for our review.

However, appliances are an excellent alternative for companies that don't have the time or money to invest in a large-scale IAM infrastructure, because they're nonintrusive and typically don't require changes to an organization's servers.

Both vendors said some customers use an appliance along with a full IAM package, because appliances typically offer more of a security-based approach than straight identity management, plus additional access control to files or applications.

Imprivata offers a self-contained SSO appliance called OneSign. The device's Automated Profile Generator is quite impressive; however, the product requires that every desktop contain an agent that communicates in the background with the appliance. And though the device does offer the convenience of SSO to end users, administrators still must address resource allocation.

Juniper's NetScreen Secure Access attacks access control from a security viewpoint. The appliance is a hardened security gateway that can provide access to all types of resources without having to duplicate or alter existing servers or clients. NetScreen's view of endpoint security provides for granular control across all networked resources. For a closer look, see "NetScreen's IVE 4.0 Centralizes VPN Management."

We invited technicians from the five vendors whose products we tested to our Syracuse University Real-World Labs®, where they assisted us in installing and configuring each software package. In the enterprise, installation and configuration would take place over the course of several weeks after much planning by the user organization and the vendor. In our case, we provided each vendor with detailed info on our lab environment and requirements ahead of time to expedite the process.

Our test bed consisted of six Dell PowerEdge 2650 dual-Pentium 3 933-MHz servers, each with 1 GB of RAM. Our domain controller ran Windows 2003 Enterprise Edition with Active Directory, Internet Information Server (IIS) 6.0 and a SQL 2000 database server. We then added two Windows 2000 servers, both running IIS 5.0, and one running Exchange Server 2000. Our objective with the Exchange server was to integrate the products under test with OWA (Outlook Web Access). A fourth server ran Red Hat Linux Enterprise Advanced Edition 3 with an Apache X Web server and a MySQL database. The remaining two servers were left open for vendors to install the OS and software of their choice.

The Windows-based Web servers hosted ASPs (Active Server Pages) that connected to our Microsoft SQL 2000 server to provide authentication components and dynamic content. Our Unix server hosted PHP content that connected to our MySQL database, which also provided authentication components. We imported 20,000 users from an LDIF file into both Active Directory and a Sun One Directory.

For testing, we set up various protected resources and policies within each product and attempted to access them from a standard Web browser. We then created various roles, user groups and policies, and granted or denied access to specific users. We also took delegated administration and self-service features for a spin. This let us test the actual features and familiarize ourselves with the management interface, to gauge how easy it would be to operate on a day-to-day basis in a real-world environment. Finally, we tested some of the software's noteworthy features, such as federated identity management support and report-customization capabilities, which played a role in our overall evaluation.

Sun Microsystems didn't participate in this review because of its recent acquisition of WaveSet, which the company hopes will garner it a bigger share of the identity-management/provisioning marketplace. Sun also says it hopes to position itself as a full-service provider by offering a complete package of directory server, Web access-control and identity-management products.

The first piece of that package, Sun's Identity Manager, will provide user provisioning, synchronization and password self-service, and will integrate with any directory store, the company says. Rollout is slated for this month.

The second piece, the Sun One Directory Server, is already a market leader. The latest enterprise edition comes bundled with extra security, failover and load-balancing services. In addition, similar to Novell's DirXML, Sun says it will be able to sync data between disparate directory stores.

Finally, Sun's Access Manager provides single sign-on, Web access control and federation. Sun says it uses an agent-based model (as do most of the products we tested), because it believes this approach will scale better.

Of the three pieces, Access Manager needs the most work. That's where Sun plans on making large investments in the near future.

In our reader poll, respondents who said their companies had implemented IAM were evenly split between those who bought their identity- and access-management apps from a single vendor and those who took the best-of-breed approach. Sun's game plan with the WaveSet acquisition is to bring more enterprises into the single-vendor camp.
