
Identity and Access Management Decision, Analysis and Resolution (DAR) for an enterprise wide identity and access management program for Arizona Department of Education Objective evaluation of multiple identity and access management systems that are being used in the industry November 10, 2011

Upload: gabrielle-livsey

Post on 29-Mar-2015


TRANSCRIPT

Page 1: Identity and Access Management Decision, Analysis and Resolution (DAR) for an enterprise wide identity and access management program for Arizona Department

Identity and Access Management

Decision, Analysis and Resolution (DAR) for an enterprise wide identity and access management program for Arizona Department of Education

Objective evaluation of multiple identity and access management systems that are being used in the industry

November 10, 2011

Page 2: ADE Needs

Situation:

- Open audit findings related to user access security (Common Logon)
- Highly manual and often inconsistent process for user provisioning
- The burden of complexity on IT, which must manage identities across heterogeneous systems
- High help-desk costs associated with password resets and support

Page 3: Identity Challenges

Loss of end-user productivity because users cannot manage the routine aspects of their own identity and access

Lengthy development time for identity management customization because existing developer interfaces require specialized knowledge

Security gaps and risk to the business due to noncompliance with internal and external regulations

Page 4: Maintenance Challenges

Managing identities across systems is:

- Costly
- Time-consuming

Costs and time grow exponentially as:

- Number and types of users increase
- Number of services and systems grow
- Complexity of systems and applications increases
- Regulatory demands increase

Page 5: Proposed Solution

Secure Remote Access

Well-managed Identity

SSO and Federation

Provide well-managed, common identity infrastructure

Enable interoperable access across networks

Authentication and authorization

Built on Active Directory

Page 6: Evaluation Approach

The team established guidelines to determine which issues should be subjected to a formal evaluation process, then applied that process to the findings:

- establishing the criteria for evaluating alternatives
- identifying alternative solutions
- selecting methods for evaluating alternatives
- evaluating the alternative solutions using the established criteria and methods
- selecting recommended solutions from the alternatives based on the evaluation criteria

Page 7: System Criteria

Evaluation criteria provided the basis for evaluating alternative solutions. The criteria were ranked so that the highest-ranked criteria exerted the most influence on the evaluation:

- Ability to integrate with the current user base on Active Directory
- Flexibility and long-term support
- Ease of deployment

Page 8: Identity and Access Management tools

Three identity and access management tools were shortlisted for evaluation against ADE needs:

- Microsoft Forefront Identity Manager (FIM) 2010
- Computer Associates Identity Manager (CAIM)
- Oracle Identity Manager (OIM) 11g

Page 9: Gartner Report

Gartner Research Report: 2010 Magic Quadrant for User Provisioning

- Leaders: Oracle, CA Technologies
- Challengers: Microsoft

Page 10: Deployment

Microsoft FIM is an identity management system based on the existing Microsoft software platform. It is a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments.

Computer Associates Identity Manager provides out-of-the-box connectors for Active Directory.

Oracle Identity Manager 11g is a highly flexible and scalable system built on a Java EE architecture. It leverages Oracle Metadata Services (MDS) to reduce customizations and provides simplified development, configuration and deployment.

Page 11: Integration with Active Directory

FIM offers a fully integrated BI solution for operational analytics and dashboard

CAIM's core competency is integration with Active Directory

OIM supports an LDAP identity repository, and web services exist for Active Directory integration

Page 12: Flexibility

FIM has the advantage of leveraging the Microsoft stack of products

CAIM is easily integrated with Microsoft products

OIM is built on open architecture to integrate with existing software and middleware

Page 13: Road map

FIM upgrades versions every 3.5-4 years, with service packs between releases

CAIM does not have a clear road map for upgrades or long-term strategy

OIM upgrades versions every 3-5 years, with service packs between releases

Page 14: Cost

- FIM is the least expensive, at $4,319 server license cost with unlimited external users
- CA Technologies proposed a suite of products to be implemented over 2 years:
  - $52.25 per user license cost, based on 4,000 users, for $209,000 total
  - CA installation costs of $624,000 (recommended)
  - $41,800 annual maintenance starting year 3
- Oracle IM suite has a total licensing cost of $326,600:
  - Internal User license: $95 each (minimum of 2,000)
  - External User license: $12 each (minimum of 5,000)
  - Processor licensing: $85,800 each (2 required)

Page 15: Maintenance

All the Enterprise Resource Planning (ERP) systems carry annual software maintenance fees in the range of 18-25% of the original software cost

Annual maintenance covers software updates as well as new version releases

Maintenance is included in the forecast for the next seven to ten years of a typical software life cycle

Page 16: Resolution

FIM is the best option for ADE. It has a defined road map as well as an excellent interface to the Microsoft software platform. It is the most cost-effective product.

CAIM has fewer features and is the most basic system reviewed.

OIM is a strong product, but not as easily integrated into a Microsoft based environment. The overall licensing, support, and integration cost for Oracle make this the most expensive product reviewed.

Page 17: Weighted Criteria Matrix

Score (1-5); Weighted Score = Weighting x Score.

| Criterion | Weighting | FIM Score | FIM Weighted Score | CA Score | CA Weighted Score | Oracle Score | Oracle Weighted Score | Comments |
|---|---|---|---|---|---|---|---|---|
| Decision Support | | | | | | | | |
| Integration | 5 | 5 | 25 | 3 | 15 | 2 | 10 | How well will it fit into our current environment? |
| Flexibility | 5 | 4 | 20 | 3 | 15 | 5 | 25 | Scalability and functionality. |
| Deployment | 4 | 4 | 16 | 3 | 12 | 3 | 12 | How quickly and easily can we deploy? |
| Road Map | 4 | 4 | 16 | 3 | 12 | 4 | 16 | Future enhancements and product updates. |
| TOTAL | 18 | | 77 | | 54 | | 63 | |
| Costs | | | | | | | | |
| Pricing/hours | 4 | 5 | 20 | 2 | 8 | 3 | 12 | Pricing based on per user license and module cost, if applicable |
| TOTAL | 4 | | 20 | | 8 | | 12 | |
| Resource / Skill Set Availability | | | | | | | | |
| Technical expertise | 5 | 4 | 20 | 3 | 15 | 2 | 10 | Resource availability (Local vs. Non-local) |
| TOTAL | 5 | | 20 | | 15 | | 10 | |
| Suitability Rating | | | 117 | | 77 | | 85 | |
| Ranking | | | 1 | | 3 | | 2 | |

* Supporting Documentation located on Team SharePoint site
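As an added example, not part of the original deck, the weighted-criteria computation behind the matrix in Python. It recomputes each product's group subtotals, Suitability Rating and Ranking from the 1-5 scores and weightings printed on the slide, rejects scores outside the scale or missing cells so an incomplete matrix cannot silently rank, and adds a sensitivity check that re-ranks after changing one weighting. The helper names (weighted_matrix, rank_products, sensitivity) are this example's own; the product names, criteria, weightings and scores are the slide's.

```python
"""Weighted criteria matrix (DAR scoring), written as an added example.

Recomputes the deck's Suitability Ratings and Ranking from the raw
1-5 scores and criterion weightings shown on the slide. Product names,
criteria, weightings and scores are the slide's; the helper names
(weighted_matrix, rank_products, sensitivity) are this example's own.
"""

# Criterion -> (group, weighting). Values from the slide's matrix.
CRITERIA = {
    "Integration":         ("Decision Support", 5),
    "Flexibility":         ("Decision Support", 5),
    "Deployment":          ("Decision Support", 4),
    "Road Map":            ("Decision Support", 4),
    "Pricing/hours":       ("Costs", 4),
    "Technical expertise": ("Resource / Skill Set Availability", 5),
}

# Product -> criterion -> raw score (1-5), as printed on the slide.
SCORES = {
    "FIM":    {"Integration": 5, "Flexibility": 4, "Deployment": 4,
               "Road Map": 4, "Pricing/hours": 5, "Technical expertise": 4},
    "CA":     {"Integration": 3, "Flexibility": 3, "Deployment": 3,
               "Road Map": 3, "Pricing/hours": 2, "Technical expertise": 3},
    "Oracle": {"Integration": 2, "Flexibility": 5, "Deployment": 3,
               "Road Map": 4, "Pricing/hours": 3, "Technical expertise": 2},
}


def weighted_matrix(criteria, scores, scale=(1, 5)):
    """Return, per product, the weighted score of each criterion, the
    subtotal per criterion group, and the overall suitability rating.

    A score outside the scale or a product missing a criterion raises
    ValueError, so an incomplete matrix cannot quietly produce a ranking.
    """
    lo, hi = scale
    result = {}
    for product, raw in scores.items():
        missing = set(criteria) - set(raw)
        if missing:
            raise ValueError(f"{product}: no score for {sorted(missing)}")
        weighted, groups = {}, {}
        for criterion, (group, weight) in criteria.items():
            score = raw[criterion]
            if not lo <= score <= hi:
                raise ValueError(f"{product}/{criterion}: score {score} outside {scale}")
            weighted[criterion] = weight * score
            groups[group] = groups.get(group, 0) + weight * score
        result[product] = {
            "weighted": weighted,
            "groups": groups,
            "suitability": sum(weighted.values()),
        }
    return result


def rank_products(matrix):
    """Return {product: rank}; 1 is the highest suitability, ties share a rank."""
    ordered = sorted(matrix, key=lambda p: matrix[p]["suitability"], reverse=True)
    ranks, prev_score, prev_rank = {}, None, 0
    for position, product in enumerate(ordered, start=1):
        score = matrix[product]["suitability"]
        if score != prev_score:
            prev_rank, prev_score = position, score
        ranks[product] = prev_rank
    return ranks


def sensitivity(criteria, scores, criterion, new_weight):
    """Re-rank after changing one criterion's weighting, to see whether the
    recommendation depends on how that criterion was weighted."""
    group, _ = criteria[criterion]
    changed = dict(criteria)
    changed[criterion] = (group, new_weight)
    return rank_products(weighted_matrix(changed, scores))


if __name__ == "__main__":
    matrix = weighted_matrix(CRITERIA, SCORES)
    for product, row in matrix.items():
        print(f"{product:7} {row['groups']} suitability={row['suitability']}")
    print("ranking:", rank_products(matrix))
    # Does FIM still lead if Integration (its strongest criterion) is weighted 1?
    print("Integration weighted 1:", sensitivity(CRITERIA, SCORES, "Integration", 1))
```

Running it reproduces the slide's 117 / 77 / 85 and the 1 / 3 / 2 ranking; the sensitivity call shows that FIM's lead does not depend on the Integration weighting alone, which is the kind of check a reviewer of a DAR would want before accepting the recommendation.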

Page 18: FIM Solution

Key Benefits:

- Empowers people to accomplish self-service identity tasks
- Delivers agility through automation, self-service, and extensibility
- Increases security with management across identities, credentials, and resources
- Introduces "codeless provisioning", allowing changes to be rapidly implemented without reprogramming solutions

Page 19: Recommendation

Based on the Assessment Matrix, Microsoft FIM is the recommended solution for ADE's Identity and Access Management program.

Microsoft FIM would provide the core applications needed as well as a strong interface into the other Microsoft products currently used in the Department. The overall licensing and implementation costs are also the lowest.

CAIM would more easily fit into our environment, but it has fewer features at a significantly higher cost than the other products.

Oracle IM would provide a suitable core application, but would require significant integration for network services and would have a high impact on the current environment. The Department does not have the resource skill set, and a new team would need to be engaged for deployment and ongoing support.