A bevy of single-purpose single-sign-on products, biometric devices and integrated identity management frameworks promise reduced operational costs through streamlined user-rights provisioning. However, not much has been done to improve these systems' reputations for being difficult to implement, so government regulation is still the biggest driver for deployment.
eWEEK Labs has found that most of the products on the market today will help IT managers control access to sensitive data. However, organizations that don't have at least a winnowed-down enterprise directory and a stable, well-understood set of applications should put identity management on hold for now.
The good news for IT managers who do face regulatory obligation is that most of the products we looked at will help smooth the way to provisioning identity management and single sign-on. However, long-term savings will remain elusive until the underlying directory mishmash is unified.
The identity management tools we looked at for this report are oriented almost exclusively toward human beings. In the coming year, Web services—and the need to authenticate and authorize other computers along with applications and services running in the network—will force a paradigm shift to encompass any computing resource. New specifications from technical committees at the Organization for the Advancement of Structured Information Standards, or OASIS, should therefore be on IT managers' radars. (Go to www.oasis-open.org/committees/wss/#announcements for more information.)
The Human Touch
Despite impressive progress in the identity management field, it remains hampered by long-standing bugaboos.
First, there is still a tremendous amount of human touch required to set up and maintain these systems. Second, while some products come close to recognizing all applications' access methods (Passlogix Inc.'s v-GO SSO, for example), most enterprise users will encounter at least one application that requires significant custom coding to work with the identity management system.
Once users are logged in, a host of tricky problems remain. The severity of these problems will depend in large part on an organization's industry.
In an interview with eWEEK, Nelson Ramos, vice president and regional CIO of Sutter Health, in Modesto, Calif., and an eWEEK Corporate Partner, pointed out that many medical applications automatically time out after a short period of inactivity. “Once the user is logged in, we still need some way to signal activity—maybe caching a mouse movement and replaying it every couple of minutes to keep the application session active,” said Ramos.
Medical settings, in fact, may put identity management to its most difficult test. At the end of the day, most other industries are not dealing with life-and-death decisions. In a hospital, if a doctor needs lab results but cannot remember his or her password to gain access to the system, the results can be catastrophic.
A health care setting also presents big challenges to the common user name/password method of authentication as well as to more rigorous methods that use multiple factors to confirm identity, such as biometrics or physical tokens. Relying on a thumbprint, for example, is difficult at best in an environment where most employees wear gloves. Badges and other tokens take a beating when they need to be used in sterile environments. Furthermore, radiology departments often have special requirements that restrict either metal or magnetic devices.
Health care organizations may present some of the biggest challenges to identity management, but every organization has its hurdles. In any business, for example, where personnel commonly share workstations and move around inside buildings, authentication methods must move with employees and cannot be tied to a single computer. IT managers need to consider these kinds of business requirements when planning an identity management system.
Directories a Challenge
Novell Inc.'s Nsure requires that the company's eDirectory be installed on, at least, the central console. IBM's Tivoli identity and access management platform can work with a wide variety of directory services, and Computer Associates International Inc.'s eTrust family can also use various directories. But the fact remains that integrating any of these identity management frameworks is no small task.
One reason is that most enterprises, especially those formed from merged companies, often rely on different directories. Any IT manager who has lived through a directory implementation project knows that integrating an identity management system is not going to be easy. Just making sure that the directories contain consistent information about users is a huge chore.
IT managers should evaluate the time it takes to do adds, moves and changes to the directory to set a base line for the potential return on investment of identity management tools.
Another factor to consider in calculating ROI is the cost to reset a forgotten password. A common figure bandied about is $45 per lost password. Organizations can determine this figure by basing it on the wages of the locked-out user and the help desk staffer, plus lost productivity, plus the cost of a help desk transaction. Get a report from the help desk on the number of password reset calls handled per year to figure the total cost per year.
However, the cost of an identity management system does not relate solely to the cost of password recovery. All the systems eWEEK Labs evaluated for this report also help manage the removal of an authorized user, a process that is often time-consuming and prone to error. The user provisioning tools we analyzed should significantly reduce the amount of handwork and, consequently, the error rate of this process.
We began our identity management evaluation by looking at products that were the quickest to implement—the point solutions that handle only password management.
Passlogix's $69-per-seat v-GO SSO is a single-sign-on product that is preconfigured to work with most common applications. v-GO SSO monitors user log-on activity, then takes over the process. At the same time, the product can be configured to change the user's password into one that conforms to the organization's guidelines (for example, a password that changes every month or that meets a minimum length and contains a mix of alphanumeric characters).
Users don't know what their new passwords are; they know only the passwords they use to access v-GO SSO. This means that when an authorized user leaves the company, a designated human resources person can simply revoke the person's v-GO SSO authorization to prevent further access to the organization's data.
One of the drawbacks to v-GO SSO is that it works only with Windows machines, precluding its (effective) use at mixed-operating-system shops.
The Neusine system, from Castle Systems Inc., is intended for use by organizations that need to meet Health Insurance Portability and Accountability Act requirements for auditing access to patient records and insurance information. Sutter Health is a user of the Neusine system.
Neusine puts a new twist on an old technique. Using Neusine's Java-based interface, users are authenticated when they move elements in a picture around the screen. The product first ensures that the objects are moved in the correct order and to the correct locations. The twist is that Neusine tracks users' hesitations and habits as they move the objects on the screen. In principle, the method is similar to keyboard-cadence products.
Neusine is also different from other identity management applications we've seen in that it is delivered as a service. Each completed authentication is charged a negotiated rate, usually some fraction of a cent for large-volume customers. Because any identity management system has ongoing maintenance costs, the pay-as-you-go scheme might turn out to be cost-effective for many high-volume users. A seat subscription for the Neusine system will cost about $10 to $12 per user per year.
Although Neusine is targeted at the health care industry, there are no technical reasons why it couldn't be used in other industries—providing a needed shake-up in the way people think of passwords.
IBM's Tivoli Identity Manager and Tivoli Access Manager, Novell's Nsure family, and CA's eTrust Identity Management and eTrust Access Management are designed to integrate user authentication and authorization into the broader arena of user provisioning.
These user management frameworks are appropriate for organizations that have a good user provisioning system in place and work best in large-scale, heavily regimented environments.
In fact, the more rule-bound and process-intensive an organization, the better—these products can eat bureaucracy for breakfast and spit out almost completely automatic user setups by afternoon. However, the frameworks won't do much for organizations that have confused or poorly outlined user provisioning guidelines.
Nsure comes with a license for Novell's eDirectory, which is required for the various components of this wide-ranging user provisioning family to work. Novell has gone out of its way to leverage eDirectory, providing some pretty impressive user automation capabilities.
IBM's Tivoli Identity Manager and Tivoli Access Manager work together to provide authentication and access control services for large enterprise networks. The IBM platform goes head-to-head with Novell by incorporating not only a wide range of applications for which it can provide access control but also a variety of directory products.
Because both the IBM and Novell platforms can be integrated with a number of different authentication devices, the real differentiator between the two is how well they can be integrated into an organization's existing environment.
CA's eTrust family of products takes an incremental approach to identity management.
Architecturally, eTrust Identity Manager and eTrust Access Manager are similar to the IBM Tivoli platform in that both support a wide range of enterprise applications. Both platforms also support a number of directory implementations, so IT managers should be able to implement them without disturbing established infrastructure.
One advantage IT managers may find with CA is the ability to implement single sign-on, user self-service and other user provisioning modules as needed and as the products prove their ability to reduce administrative costs. This is a pleasant departure from CA's all-or-nothing approach to IT management in the late 1990s.
Now, CA components will likely provide IT managers with the breathing room they need to meet regulatory deadlines without having to hire a fleet of consultants.
Senior Analyst Cameron Sturdevant can be contacted at [email protected]
Can I see some ID?
Questions to ask when considering an identity management system.
- Is software required on the client system? Try to avoid systems that require client software. If client software can't be avoided, make sure the client update mechanism will work with your organization's software distribution system. Don't have a software distribution system, either? Then the organization isn't ready for single sign-on.
- Does the platform allow self-service password reset? Weight self-service heavily in your list of requirements. If an administrator has to get involved in password reset, a big chunk of ROI just flew out the window.
- Does the system integrate with a directory already in use at the organization? Score! If not, be ready to work through a directory implementation project before starting on the identity management system.
- How are user rights revoked? The ability to effectively block former users from the system without destroying the record of their authorized use is crucial.