Courion Corp.s Enterprise Provisioning Suite 7.2 allows IT managers at midsize and large organizations to effectively manage user access while meeting internal and external auditors demands for an accurate accounting of who is using company systems and data. eWEEK Labs implemented Courions behemoth suite of tools, including AccountCourier for user provisioning, PasswordCourier for password management, and ComplianceCourier for access verification and policy management.With the ComplianceCourier component, Courions Enterprise Provisioning Suite costs $400,000 to outfit 5,000 usersor about $80 per seat. Without ComplianceCourier, the price drops to $300,000, but the policy management component is necessary for many of the sophisticated policies we implemented in tests. Enterprise Provisioning Suite worked well in our tests, but, like other password management products, it required extensive upfront work. Over time, however, this effort should result in significantly fewer staff hours devoted to generating and maintaining access credentials, reduced error rates, increased assurance that managers are provisioning employees with the least privilege needed to perform their jobs, and easier compliance with regulatory audits. The actual installation of Enterprise Provisioning Suite was relatively easy; the biggest time sink during our tests was in developing and implementing policies to ensure that users received access to appropriate systems. More than once we had to go back to the role-based AccountCourier and tweak policies to grant or deny access to corporate data systems. In fact, IT managers should expect the Enterprise Provisioning Suite pilot phase to last several months. In addition to initial training on the nuts and bolts of how Enterprise Provisioning Suite works, we spent a significant amount of testing time connecting AccountCourier to various infrastructure components, including Microsoft Corp.s Active Directory, Computer Associates International Inc.s eTrust Directory and Novell Inc.s eDirectory. We ran the suite on Windows 2000 running on a Xeon-based IBM eServer 325. Click here to read more about identity management and directories. We used Courions Identity Link technology to connect our various directory repositories. We were able to pull user data from all these directories and then designate onein our case, an eTrust Directoryas the authoritative source for users and accounts. We also were able to create a definitive list of all users and accounts we had created, regardless of the data repository. Identity Link comes in especially handy for dealing with territorial department managers who tend to get nervous about incorporating data in a central location. During tests, we were able to leave data in the hands of local administrators while using Identity Link to ensure that all user accounts were up-to-date. eWEEK Labs also stole a trick from case-study subject SunTrust Banks Inc., which uses Courion identity management and provisioning tools: While leaving user data with local applications, we linked our network access list with AccountCourier so that all account access was denied when a user was terminated in our test environment. Thus, even users who were not provisioned with Enterprise Provisioning Suitenearly all the accounts in our test environmentwere ultimately brought under control of the product. As an added benefit of this process, we were able to get good audit reports that systematically showed that terminated users were indeed denied access to various corporate data systems, regardless of whether their individual accounts were removed from the application. Next page: Evaluation Shortlist: Related Products.
Our tests show that the workflow in Enterprise Provisioning Suite 7.2, which was released in June, makes it much easier than in previous versions of the product for non-IT staff to manage user accounts.