Identity and Access Management
Decision, Analysis and Resolution (DAR) for an enterprise wide identity and access management
program for Arizona Department of Education
Objective evaluation of multiple identity and access management systems that are being used in the industry
November 10, 2011
ADE Needs
Situation:
- Open audit findings related to user access security (Common Logon)
- Highly manual and often inconsistent process for user provisioning
- The burden of complexity on IT, which must manage identities across heterogeneous systems
- High help-desk costs associated with password resets and support
Identity Challenges
- Loss of end-user productivity because users cannot manage the routine aspects of their own identity and access
- Lengthy development time for identity management customization because existing developer interfaces require specialized knowledge
- Security gaps and risk to the business due to noncompliance with internal and external regulations
Maintenance Challenges
- Managing identities across systems is costly and time-consuming
- Costs and time grow exponentially as:
  - the number and types of users increase
  - the number of services and systems grows
  - the complexity of systems and applications increases
  - regulatory demands increase
Proposed Solution
Secure Remote Access
Well-managed Identity
SSO and Federation
Provide well-managed, common identity infrastructure
Enable interoperable access across networks
Authentication and authorization
Built on Active Directory
Evaluation Approach
The team established guidelines to determine which issues should be subjected to a formal evaluation process, then applied a formal evaluation process to these findings
establishing the criteria for evaluating alternatives identifying alternative solutions selecting methods for evaluating alternatives evaluating the alternative solutions using established criteria and
methods selecting recommended solutions from the alternatives based on the
evaluation criteria
System Criteria
Evaluation criteria provided the basis for evaluating alternative solutions. The criteria were ranked so that the highest-ranked criteria exerted the most influence on the evaluation.
- Ability to integrate with the current user base on Active Directory
- Flexibility and long-term support
- Ease of deployment
Identity and Access Management Tools
Three identity and access management tools were shortlisted for evaluation against ADE needs:
- Microsoft Forefront Identity Manager (FIM) 2010
- Computer Associates Identity Manager (CAIM)
- Oracle Identity Manager (OIM) 11g
Gartner Report
Gartner Research Report: 2010 Magic Quadrant for User Provisioning
- Leaders: Oracle, CA Technologies
- Challengers: Microsoft
Deployment
Microsoft FIM is an identity management system built on the existing Microsoft software platform. It is a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments.
Computer Associates Identity Manager provides out-of-the-box connectors for Active Directory.
Oracle Identity Manager 11g is a highly flexible and scalable system built on Java EE architecture. It leverages Oracle Metadata Services (MDS) for a reduction in customizations and provides a simplified development, configuration and deployment.
Integration with Active Directory
FIM offers a fully integrated BI solution for operational analytics and dashboard
CAIM's core competency is integration with Active Directory
OIM supports an LDAP identity repository, and web services exist for Active Directory integration
Flexibility
FIM has the advantage of leveraging the Microsoft product stack
CAIM is easily integrated with Microsoft products
OIM is built on an open architecture to integrate with existing software and middleware
Road map
FIM upgrades versions every 3.5-4 years, with service packs between releases
CAIM does not have a clear road map for upgrades or long-term strategy
OIM upgrades versions every 3-5 years, with service packs between releases
Cost
- FIM is the least expensive at a $4,319 server license cost with unlimited external users
- CA Technologies proposed a suite of products to be implemented over 2 years:
  - $52.25 per user license based on 4,000 users, $209,000 total
  - CA installation costs of $624,000 (recommended)
  - $41,800 annual maintenance starting in year 3
- Oracle IM suite total licensing cost of $326,600:
  - Internal user license $95 each (minimum of 2,000)
  - External user license $12 each (minimum of 5,000)
  - Processor licensing $85,800 each (2 required)
Maintenance
- All the Enterprise Resource Planning (ERP) systems carry annual software maintenance fees in the range of 18-25% of the original software cost
- Annual maintenance covers software updates as well as new version releases
- Maintenance is included in the forecast for the next seven to ten years of a typical software life cycle
Resolution
FIM is the best option for ADE. It has a defined road map as well as excellent interface to the Microsoft software platform. It is the most cost effective product.
CAIM has fewer features and is the most basic system reviewed.
OIM is a strong product, but not as easily integrated into a Microsoft based environment. The overall licensing, support, and integration cost for Oracle make this the most expensive product reviewed.
Weighted Criteria Matrix
Scores are 1-5; weighted score = weighting x score.

Criterion                         Weighting | FIM  Weighted | CA   Weighted | Oracle  Weighted | Comments
Decision Support
  Integration                         5     |  5      25    |  3      15    |   2        10    | How well will it fit into our current environment?
  Flexibility                         5     |  4      20    |  3      15    |   5        25    | Scalability and functionality.
  Deployment                          4     |  4      16    |  3      12    |   3        12    | How quickly and easily can we deploy?
  Road Map                            4     |  4      16    |  3      12    |   4        16    | Future enhancements and product updates.
  TOTAL                              18     |         77    |         54    |            63    |
Costs
  Pricing/hours                       4     |  5      20    |  2       8    |   3        12    | Pricing based on per user license and module cost, if applicable
  TOTAL                               4     |         20    |          8    |            12    |
Resource / Skill Set Availability
  Technical expertise                 5     |  4      20    |  3      15    |   2        10    | Resource availability (local vs. non-local)
  TOTAL                               5     |         20    |         15    |            10    |
Suitability Rating                          |        117    |         77    |            85    |
Ranking                                     |          1    |          3    |             2    |

* Supporting documentation located on Team SharePoint site
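The matrix above is a weighted criteria matrix: each raw 1-5 score is multiplied by the criterion weighting, the weighted scores are summed per category and overall, and the vendors are ranked on the total. The following Python is an added example (not part of the ADE deck) that reproduces the matrix's totals and adds two checks a reviewer of such a DAR usually wants: whether the winner survives dropping any single criterion, and how large a weighting a criterion would need before a runner-up overtakes the leader. The weights and raw scores are transcribed from the matrix; the function names and the sensitivity checks are this example's own.

```python
"""Weighted criteria matrix, as used in the DAR above (added example, not the deck's own).

Weights and raw scores are transcribed from the matrix; the helper names and the
sensitivity checks (leave-one-out, break-even weight) are assumptions of this example.
"""
from typing import Dict, List, Optional

Weights = Dict[str, int]
Scores = Dict[str, Dict[str, int]]

# Criterion weightings from the matrix.
WEIGHTS: Weights = {
    "Integration": 5, "Flexibility": 5, "Deployment": 4, "Road Map": 4,
    "Pricing/hours": 4, "Technical expertise": 5,
}
# Category groupings from the matrix (used for the per-category TOTAL rows).
CATEGORIES: Dict[str, List[str]] = {
    "Decision Support": ["Integration", "Flexibility", "Deployment", "Road Map"],
    "Costs": ["Pricing/hours"],
    "Resource / Skill Set Availability": ["Technical expertise"],
}
# Raw 1-5 scores per vendor, transcribed from the matrix.
SCORES: Scores = {
    "FIM":    {"Integration": 5, "Flexibility": 4, "Deployment": 4, "Road Map": 4,
               "Pricing/hours": 5, "Technical expertise": 4},
    "CA":     {"Integration": 3, "Flexibility": 3, "Deployment": 3, "Road Map": 3,
               "Pricing/hours": 2, "Technical expertise": 3},
    "Oracle": {"Integration": 2, "Flexibility": 5, "Deployment": 3, "Road Map": 4,
               "Pricing/hours": 3, "Technical expertise": 2},
}


def validate(weights: Weights, scores: Scores, lo: int = 1, hi: int = 5) -> bool:
    """Every vendor must have a score for every weighted criterion, within the 1-5 scale."""
    for vendor, raw in scores.items():
        for crit in weights:
            if crit not in raw:
                raise ValueError(f"{vendor} has no score for {crit!r}")
            if not lo <= raw[crit] <= hi:
                raise ValueError(f"{vendor}/{crit}: {raw[crit]} is outside {lo}-{hi}")
    return True


def weighted(weights: Weights, scores: Scores, vendor: str) -> Dict[str, int]:
    """Weighted score per criterion: weighting x raw score."""
    return {c: weights[c] * scores[vendor][c] for c in weights}


def category_totals(weights: Weights, scores: Scores,
                    categories: Dict[str, List[str]], vendor: str) -> Dict[str, int]:
    """The per-category TOTAL rows of the matrix."""
    ws = weighted(weights, scores, vendor)
    return {cat: sum(ws[c] for c in crits if c in ws) for cat, crits in categories.items()}


def suitability(weights: Weights, scores: Scores, vendor: str) -> int:
    """The Suitability Rating row: sum of all weighted scores."""
    return sum(weighted(weights, scores, vendor).values())


def ranking(weights: Weights, scores: Scores) -> Dict[str, int]:
    """Rank 1 = highest suitability rating."""
    totals = {v: suitability(weights, scores, v) for v in scores}
    ordered = sorted(totals, key=lambda v: totals[v], reverse=True)
    return {v: ordered.index(v) + 1 for v in totals}


def leave_one_out(weights: Weights, scores: Scores) -> List[str]:
    """Criteria whose removal changes the top-ranked vendor (empty list = robust)."""
    base = ranking(weights, scores)
    winner = min(base, key=base.get)
    flips = []
    for crit in weights:
        rest = {c: w for c, w in weights.items() if c != crit}
        r = ranking(rest, scores)
        if min(r, key=r.get) != winner:
            flips.append(crit)
    return flips


def breakeven_weight(weights: Weights, scores: Scores,
                     challenger: str, criterion: str) -> Optional[int]:
    """Smallest weighting on `criterion` at which `challenger` overtakes the current leader,
    holding the other weightings fixed. None if the challenger does not outscore the leader
    on that criterion (then no weighting can flip the result through it)."""
    base = ranking(weights, scores)
    leader = min(base, key=base.get)
    per_unit = scores[challenger][criterion] - scores[leader][criterion]
    if per_unit <= 0:
        return None
    rest = {c: w for c, w in weights.items() if c != criterion}
    gap = suitability(rest, scores, leader) - suitability(rest, scores, challenger)
    return max(0, gap // per_unit + 1)


if __name__ == "__main__":
    validate(WEIGHTS, SCORES)
    for vendor in SCORES:
        print(vendor, category_totals(WEIGHTS, SCORES, CATEGORIES, vendor),
              "rating", suitability(WEIGHTS, SCORES, vendor))
    print("ranking", ranking(WEIGHTS, SCORES))
    print("criteria that flip the winner when dropped:", leave_one_out(WEIGHTS, SCORES))
    print("Flexibility weighting needed for Oracle to lead:",
          breakeven_weight(WEIGHTS, SCORES, "Oracle", "Flexibility"))
```

With the deck's numbers the ranking is FIM, Oracle, CA (117/85/77); no single criterion flips the winner when removed, and Flexibility, the only criterion on which Oracle outscores FIM, would need a weighting of 38 on a 1-5 scale to do so. That is the kind of robustness statement worth recording next to a matrix like this, because a weighted score alone does not show how sensitive the outcome is to the chosen weightings.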
FIM Solution
Key Benefits
- Empowers people to accomplish self-service identity tasks
- Delivers agility through automation, self-service, and extensibility
- Increases security with management across identities, credentials, and resources
- Introduces "codeless provisioning", allowing changes to be rapidly implemented without reprogramming solutions
Recommendation
Based on the assessment matrix, Microsoft FIM is the recommended solution for the ADE Identity and Access Management program.
Microsoft FIM would provide the core applications needed as well as a strong interface into the other Microsoft products currently used in the Department. The overall licensing and implementation costs are also the lowest.
CAIM would more easily fit into our environment, but it has fewer features at a significantly higher cost than the other products.
Oracle IM would provide a suitable core application, but would require significant integration for network services and have a high impact on the current environment. The Department does not have the resource skill set, and a new team would need to be engaged for deployment and ongoing support.