Courion Corp.s Enterprise Provisioning Suite 7.2 allows IT managers at midsize and large organizations to effectively manage user access while meeting internal and external auditors demands for an accurate accounting of who is using company systems and data.
Click here to read the full review of Courion Enterprise Provisioning Suite 7.2.
2
Courion Corp.s Enterprise Provisioning Suite 7.2 allows IT managers at midsize and large organizations to effectively manage user access while meeting internal and external auditors demands for an accurate accounting of who is using company systems and data.
eWEEK Labs implemented Courions behemoth suite of tools, including AccountCourier for user provisioning, PasswordCourier for password management, and ComplianceCourier for access verification and policy management.
Our tests show that the workflow in Enterprise Provisioning Suite 7.2, which was released in June, makes it much easier than in previous versions of the product for non-IT staff to manage user accounts.
With the ComplianceCourier component, Courions Enterprise Provisioning Suite costs $400,000 to outfit 5,000 users—or about $80 per seat. Without ComplianceCourier, the price drops to $300,000, but the policy management component is necessary for many of the sophisticated policies we implemented in tests.
Enterprise Provisioning Suite worked well in our tests, but, like other password management products, it required extensive upfront work. Over time, however, this effort should result in significantly fewer staff hours devoted to generating and maintaining access credentials, reduced error rates, increased assurance that managers are provisioning employees with the least privilege needed to perform their jobs, and easier compliance with regulatory audits.
The actual installation of Enterprise Provisioning Suite was relatively easy; the biggest time sink during our tests was in developing and implementing policies to ensure that users received access to appropriate systems. More than once we had to go back to the role-based AccountCourier and tweak policies to grant or deny access to corporate data systems.
In fact, IT managers should expect the Enterprise Provisioning Suite pilot phase to last several months.
In addition to initial training on the nuts and bolts of how Enterprise Provisioning Suite works, we spent a significant amount of testing time connecting AccountCourier to various infrastructure components, including Microsoft Corp.s Active Directory, Computer Associates International Inc.s eTrust Directory and Novell Inc.s eDirectory. We ran the suite on Windows 2000 running on a Xeon-based IBM eServer 325.
We used Courions Identity Link technology to connect our various directory repositories. We were able to pull user data from all these directories and then designate one—in our case, an eTrust Directory—as the authoritative source for users and accounts.
We also were able to create a definitive list of all users and accounts we had created, regardless of the data repository.
Identity Link comes in especially handy for dealing with territorial department managers who tend to get nervous about incorporating data in a central location. During tests, we were able to leave data in the hands of local administrators while using Identity Link to ensure that all user accounts were up-to-date.
eWEEK Labs also stole a trick from case-study subject SunTrust Banks Inc., which uses Courion identity management and provisioning tools: While leaving user data with local applications, we linked our network access list with AccountCourier so that all account access was denied when a user was terminated in our test environment. Thus, even users who were not provisioned with Enterprise Provisioning Suite—nearly all the accounts in our test environment—were ultimately brought under control of the product.
As an added benefit of this process, we were able to get good audit reports that systematically showed that terminated users were indeed denied access to various corporate data systems, regardless of whether their individual accounts were removed from the application.
Next page: Evaluation Shortlist: Related Products.
Page 3
EVALUATION SHORTLIST
Computer Associates International Inc.s eTrust Single Sign-On Works nicely with CAs eTrust Directory but could use a stronger workflow interface (www.ca.com)
Novell Inc.s Nsure Identity Manager 2 A good alternative if your organization has deployed eDirectory, which can run as part of the product (www.novell.com)
Passlogix Inc.s v-Go v-Gos strong suit is its ease of use, and it has very good single- sign-on capabilities (www.passlogix.com)
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.