Directories a Challenge
Novell Inc.'s Nsure requires that the company's eDirectory be installed on at least the central console. IBM's Tivoli identity and access management platform can work with a wide variety of directory services, and Computer Associates International Inc.'s eTrust family can also use various directories. But the fact remains that integrating any of these identity management frameworks is no small task.
IT managers should evaluate the time it takes to do adds, moves and changes to the directory to set a baseline for the potential return on investment of identity management tools. Another factor to consider in calculating ROI is the cost to reset a forgotten password. A common figure bandied about is $45 per lost password. Organizations can determine this figure by basing it on the wages of the locked-out user and the help desk staffer, plus lost productivity, plus the cost of a help desk transaction. Get a report from the help desk on the number of password reset calls handled per year to figure the total cost per year.
However, the cost of an identity management system does not relate solely to the cost of password recovery. All the systems eWEEK Labs evaluated for this report also help manage the removal of an authorized user, a process that is often time-consuming and prone to error. The user provisioning tools we analyzed should significantly reduce the amount of handwork and, consequently, the error rate of this process.
We began our identity management evaluation by looking at products that were the quickest to implement: the point solutions that handle only password management. Passlogix's $69-per-seat v-GO SSO is a single-sign-on product that is preconfigured to work with most common applications. v-GO SSO monitors user log-on activity, then takes over the process.
At the same time, the product can be configured to change the user's password into one that conforms to the organization's guidelines (for example, a password that changes every month or that meets a minimum length and a mix of alphanumeric characters). Users don't know what their new passwords are; they know only the passwords they use to access v-GO SSO. This means that when an authorized user leaves the company, a designated human resources person can simply revoke the person's v-GO SSO authorization to prevent further access to the organization's data. One of the drawbacks to v-GO SSO is that it works only with Windows machines, precluding its (effective) use at mixed-operating-system shops.
The Neusine system, from Castle Systems Inc., is intended for use by organizations that need to meet Health Insurance Portability and Accountability Act requirements for auditing access to patient records and insurance information. Sutter Health is a user of the Neusine system. Neusine puts a new twist on an old technique. Using Neusine's Java-based interface, users are authenticated when they move elements in a picture around the screen. The product first ensures that the objects are moved in the correct order and to the correct locations. The twist is that Neusine tracks users' hesitations and habits as they move the objects on the screen. In principle, the method is similar to keyboard-cadence products.
Neusine is also different from other identity management applications we've seen in that it is delivered as a service. Each completed authentication is charged a negotiated rate, usually some fraction of a cent for large-volume customers. Because any identity management system has ongoing maintenance costs, the pay-as-you-go scheme might turn out to be cost-effective for many high-volume users. A seat subscription for the Neusine system will cost about $10 to $12 per user per year.
Although Neusine is targeted at the health care industry, there are no technical reasons why it couldn't be used in other industries, providing a needed shake-up in the way people think of passwords.
One reason is that most enterprises, especially those formed from merged companies, often rely on different directories. Any IT manager who has lived through a directory implementation project knows that integrating an identity management system is not going to be easy. Just making sure that the directories contain consistent information about users is a huge chore.