Identity management has been a sort of fuzzy term encompassing a lot of different functionality. We have seen this in the past, and this year the picture is not much different. That said, the functionality that ID management products include has been increasing, and a picture may be emerging that illustrates what really is meant by the term identity management.
This month, we saw products ranging from simple single sign-on to full-featured appliances that cover all of the functionality currently thought of as required for a solid ID management product. However, the down side is that the nature of the functionality still seems loosely defined. For example, some products included provisioning, single sign-on and authentication, while others added session managers and a shared account manager.
In 2007, Gartner's Ant Allan grouped ID management into directory technologies, ID administration, ID auditing, ID verification and access management. These systems, according to Allan, must exhibit administration, authentication, authorization and auditing functionality.
The question, then, is what really is required in an ID management system? Certainly, provisioning is a must. Especially in a large enterprise, provisioning can be a real challenge done manually. For example. single sign-on has become de rigueur. Remember when the pundits said that SSO was not practical? All sorts of solutions to the problem were proposed, with few being particularly successful. Today, all that has changed. Lack of SSO weakens an ID management product that claims to be full-featured.
As with any product, one really needs to do a thorough analysis of requirements. That may include determining what products are used currently that might need to integrate with the ID management system. Certainly, it is useful to compare Allan's groupings and recommended functionality with your product choice. Understand how you are managing identities and access control now. Are there solid policies and procedures in place that you will need to automate without losing functionality? Or, perhaps, are your policies and procedures a bit immature and less than robust? That, potentially, can be a blessing in disguise because you can build appropriate policies and procedures that fit nicely with one or more products that are under consideration.
Once you understand the environment in which you will implement ID management, ask the really tough question: do you need to automate ID management at all? All of the products we looked at require some dedication to their implementation. So, if you don't need the functionality, don't cause yourself the pain associated with building a system you could do without.
Some of the indicators that you need to consider for ID management include size of the organization, geographic dispersal, and the number of applications or systems to which your users need access. If the nature of that access is disparate (i.e., not everyone has the same access needs), you may be a candidate for an ID management system. Wide geographic dispersal and large size also are indicators. If you are a multinational organization, make sure that there are no restrictions in host countries against the type of implementation you envision.
If you only need some of the functionality of a full-featured implementation, look closely at some of the software product suites. These have lots of functionality in discrete modules, and can be real bargains if you don't need the whole enchilada. On the other hand, if you are starting from scratch and you have the flexibility to build your policies and procedures around a product, you may want to look at a full-featured appliance. Don't discount the software suites, though. They are increasingly complete and offer lots of flexibility.
This was a straightforward month in the lab. We focused on ease of implementation and administration, because in large enterprises these two features offer the greatest challenges. User provisioning was very important as well, because the closer one can get to self-provisioning, the easier the overall management of the system becomes.
A final word regarding value for money. We saw products priced all over the map. At the end of the day, we were concerned about overall cost of ownership throughout the identity management lifecycle. That meant that pure cost of products was only one factor in determining value.