Product Group Tests
Identity management (2007)
For full-featured identity management, M-Tech ID Synch and IP Synch were among the best that we tested. For small-to-medium-sized enterprises, the packages are intuitive enough to not create needless administrative overhead. We rate this product our Best Buy.
Full Group Summary
Recent legislation has forced vendors to up their game and, as a result, identity management products have evolved rapidly in recent times. Justin Peltier gets to grips with a varied selection.
Identity management was one of the hot-button product categories of 2006. For years identity management has been defined by the three As: authentication, authorisation and accounting. Products in this category confirm that the person presenting a user name is the user it belongs to, grant access to specific services on the basis of that authentication, and provide a means of logging both the access and the authorisation decisions behind it.
As more best practices around Sarbanes-Oxley and other compliance laws have been implemented at organisations, the first tenet of ID management that needed updating was the accounting process. Because companies now need to maintain a more granular set of logs for longer periods of time, it became necessary to create improved logging processes.
In the US, new legislation has further expanded the role of identity management systems, which may well have a beneficial effect on this side of the Atlantic. Homeland security directives from the federal government mean that ID management must now also take on responsibility for proofing, registration, issuance and maintenance of individual records within an organisation.
All of this has left the entire field of identity management in a state of rapid evolution. In most cases identity management is comprised of several functions. These functions, while they don't define identity management directly, do serve to characterise it and, to paraphrase Justice Potter Stewart's famous response when asked what he considered pornography to be, we may not know exactly what identity management is, but we'll know it when we see it. These characteristics are:
1. Provisioning - the enrolment of users into the system, and their removal when they leave.
2. Workflow automation - the movement of identity data through a business process, such as approval of an access request.
3. Delegated administration - the use of role-based access control so that administrative rights can be granted to designated users without giving them full control of the system.
4. Password synchronisation - keeping a user's password identical across systems, which underpins single sign-on (SSO) or reduced sign-on (RSO): one authentication grants access to all, or most, network resources.
5. Self-service password reset - letting users reset their own passwords reduces the cost of account administration, but the reset path must not be weaker than the credential it replaces, or it becomes the easiest way into the account.
6. Federation - a process whereby authentication and permissions are passed from one system to another, reducing the number of authentications required of the user. Federation often takes place between different organisations.
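The fifth characteristic, self-service password reset, is the one most easily implemented in a way that undermines the account it serves. The following is an added illustration, not code from any of the products reviewed here, of the properties a reset flow needs so that it is not weaker than the password itself: a token drawn from the operating system's random source, stored only as a hash, valid for a bounded time, usable once, compared in constant time, and a request path that does not reveal whether a user name exists. The user directory, the 15-minute lifetime and the PBKDF2 work factor are assumptions made for the example.

```python
"""Self-service password reset with single-use, time-limited tokens.

Added example for this article; the in-memory directory, token lifetime
and hashing parameters are assumptions, not taken from any reviewed product.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset token is good for 15 minutes
PBKDF2_ROUNDS = 100_000       # assumed password-hashing work factor


def hash_password(password, salt=None):
    """Return (salt, digest) for storing a user's password with PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class IdentityStore:
    """Constructed in-memory user directory with a table of pending reset requests.

    The clock is injectable so that token expiry can be exercised without waiting.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}     # username -> (salt, password_hash)
        self._pending = {}   # username -> (sha256(token) hex, expiry timestamp)

    def add_user(self, username, password):
        self._users[username] = hash_password(password)

    def verify_login(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        _, presented = hash_password(password, salt)
        return hmac.compare_digest(presented, stored)

    def request_reset(self, username):
        """Issue a reset token for out-of-band delivery (e-mail, SMS, help desk).

        Returns None for an unknown user. The calling web page must display the
        same message either way, so the endpoint cannot be used to enumerate accounts.
        """
        if username not in self._users:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored: a leaked table does not yield usable tokens.
        self._pending[username] = (token_hash, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, username, token, new_password):
        """Redeem a token exactly once; expired, wrong or used tokens are rejected."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[username]   # drop the stale request
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, token_hash):
            return False                  # constant-time compare; reveal nothing further
        del self._pending[username]       # single use: consumed before the password changes
        self._users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = IdentityStore()
    store.add_user("jdoe", "Winter2007!")
    token = store.request_reset("jdoe")
    assert store.complete_reset("jdoe", "not-the-token", "x") is False
    assert store.complete_reset("jdoe", token, "Spring2007!") is True
    assert store.complete_reset("jdoe", token, "Again!") is False   # already used
    assert store.verify_login("jdoe", "Spring2007!")
    print("reset flow behaves as intended")
```

Two design points matter in practice. First, the token never serves as proof of identity on its own: it is bound to a user name and redeemed through a single path that also rotates the password, so a captured token cannot be replayed after use. Second, a wrong token leaves the pending request in place, which is safe only because the token space is 256 bits; a product that uses short numeric codes, or "security questions", must add rate limiting and lockout or the reset path becomes the weakest credential on the account.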
This is by no means a complete list of all of the processes that can be part of identity management. Others can be added to these core processes by the manufacturer to improve or implement additional features. Moreover, most products in the identity management space do not implement all of these components.
When we asked for submissions to this review, we required only that the products exhibit the following characteristics:
• Password management
• User provisioning (creation of the user entity and its authorisations)
• Enterprise access management (for example single sign-on)
Additionally, the products had to be enterprise-centric. Each solution we tested implemented a different subset of the characteristics listed above. Some of these offerings were tremendously complex and would be required only in the largest enterprises; these would usually need a dedicated staff to implement and manage them.
Some of the products were software-only, while others were appliance-based solutions. Some were quite complicated and were clearly intended to support large enterprises. This, of course, is the environment where good identity management systems shine, since the management of thousands of users presents a formidable task.
How we tested
For the software-only product distributions, we used Windows 2003 Advanced Server Service Pack 1 with SQL Server 2005 installed. The hardware was an Intel Pentium 4 3.00 GHz machine with 512 MB of RAM and a 100 GB hard drive. All of the latest hotfixes were applied, and several Microsoft components were present to facilitate the installation of the software packages.
We were especially attentive to ease of use, deployment and management. We were interested in how transparently the product does its job without being intrusive to the user. Finally, we looked at the functionality and how well it meshed with the six essential characteristics we described above.