Product Group Tests
Identity management (2009)
Great value for the money, solid capability and ease of management win Quest One Identity Solution our Best Buy rating.
Tight integration makes Passlogix v-GO Access Accelerator Suite a solid product. We rate it Recommended.
Full Group Summary
The identity of this category has been a bit blurred, covering as it does so many functions. Things seem to be firming up, though, says Peter Stephenson, with six varied products to review this month.
Identity management has been a fuzzy term, encompassing a lot of different functionality. That said, the functionality that ID management products provide has been increasing and a picture may at last be emerging of what really is meant by identity management.
This month we have reviewed products ranging from simple single sign-on to full-featured appliances that cover all of the functionality currently thought of as required for a solid ID management product. However, the nature of the functionality still seems loosely defined: some products included provisioning, single sign-on and authentication; others added session managers and a shared account manager.
In 2007, Gartner research vice-president Ant Allan grouped identity management into: directory technologies, identity administration, identity auditing, identity verification and access management. Systems, says Allan, must exhibit administration, authentication, authorisation and auditing functionality.
The question, then, is: what really is required in an ID management system? Certainly provisioning is a must. And, for example, single sign-on has become de rigueur. Once, pundits said SSO was not practical. Today, lack of SSO weakens an ID management product that aims to be full-featured.
Buying identity management
As with any product, you really need to do a thorough analysis of your requirements. That may include determining what products you use currently that might need to integrate with the ID management system. Certainly, it is useful to compare Allan's groupings with your product choice. How are you managing identities and access control now? Are there solid policies and procedures in place that you will need to automate without losing functionality? Or, perhaps, are your policies and procedures less than robust? That can be a blessing in disguise because you can build appropriate policies and procedures to fit the products you have under consideration.
Once you understand the environment in which you will implement ID management, ask the really tough question: do you need to automate at all? All these products require some dedication to their implementation, so if you don't need the functionality, don't cause yourself the pain of building a system you could do without.
Indicators to consider in ID management include size of the organisation, its geographic dispersal, and the number of applications or systems that your users need access to. If the nature of that access is disparate (i.e. not everyone has the same access needs), you may be a candidate for an ID management system. Wide geographic dispersal and large size are indicators, too. If you are a multinational, make sure there are no restrictions in host countries against the type of implementation you envision.
If you only need some of the functionality of a full-featured product, look closely at the software product suites. These have lots of functionality in discrete modules and can be a real bargain if you don't need the whole enchilada.
If you are starting from scratch, you may want to look at a full-featured appliance. Don't discount the software suites, though. They are increasingly complete and offer flexibility.
How We Tested
This was a straightforward month in the lab. We focused on ease of implementation and administration, because in large enterprises these two features offer the greatest challenges. User provisioning was very important as well - for those products that offered that functionality - because the closer one can get to self-provisioning, the easier the overall management of the system.
We were concerned with supportability as well. Strong support packages and a good support website are critical, because ID management is not a 9-to-5, five-day-a-week function. When the ID management system stops working, the company is on its knees until everything can be brought back online. In some respects, identity management represents a potential single point of failure for an entire organisation. If workers can't access network resources, the business of a modern organisation grinds to a halt. That calls for a good support structure shared between vendor and customer.
A final word regarding value for money. Ultimately, we were concerned about overall cost of ownership throughout the lifecycle. That meant that pure cost of products was only one factor in determining value.