Enterprise IT Identity & Access Management : 5. Reviews

Review - BMC Identity Management for .NET

Yale Li — Thu, 01 Jun 2006 22:00:00 GMT

BMC IdM for .NET offers a suite of solutions in .NET environment including workflow, directory management, audit, self service, password management, Web single sign-on, and federation.

Pros:

- Automated HR driven provisioning

- Role based access control

- Easy to navigate UI

- Connectivity Broker (web service) for seperation of duties and connect to either ADAM or AD

- Comprehensive audit and reporting for compliance

- MIIS integration for backend synchronization and provsioning engine

- Out of Box solution

Cons:

- price and time spent for the contract

Overall Rating:

8 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

Review - MIIS SP2 Password Management Beta 1

Yale Li — Fri, 05 May 2006 10:00:00 GMT

A major new feature in MIIS SP2 is Q/A (question/answer) based password reset self service. The password management application has 4 UI compoments on top of MIIS SP2: User Registration, Password Self Reset, Password Helpdesk Reset, and Admin.

Pros:

- Easy intallation with msi package

- Flexible question configuration with admin defined or user defined questions

- Data is secured in storage and transmmition

- Minimal coding effort

- Can be used by both users and helpdesk

- No additional cost to MIIS

- Great value to reduce helpdesk password reset cost

Cons:

- Smart Card is not supported

Overall Rating:

7 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

Review - Microsoft IAM Group Management Solution

Yale Li — Wed, 05 Apr 2006 10:00:00 GMT

One of group management solutions is part of Microsoft Identity and Access Management Series and you can download from: http://www.microsoft.com/downloads/details.aspx?FamilyId=794571E9-0926-4C59-BFA9-B4BFE54D8DD8&displaylang=en or http://www.microsoft.com/technet/security/topics/identitymanagement/idmanage/default.mspx?mfr=true

The group management is a subset of "Provisioning and Workflow" in the series. The code is written in Visual Basic. In my environment, I don't have Sun One and Lotus Domino. So I simply commented out several lines of provisioning code for Sun One Directory and Lotus mailbox, and re-compiled the solution. After installation and configuration on MIIS/SQL/IIS servers and in AD, I added more HR sample data, and defined several simple query groups and family of attribute groups through the Web UI. Then, I ran the supplied batch file which called Group Populator and MIIS 2003 run profiles. Finally, all groups showed up in AD and everything worked as claimed in the doc.

Although I like this "product", I ended up with own group management solution from scratch due to limitations explained in Cons.

Pros:

Excellent and easy to follow documentation to explain all aspects of requirements, architecture, design, implementation, setup and operations.
Good quality of code (I didn't encounter bugs/errors myself)
Nice preview feature for simple groups in Web UI
Logic builder in Web UI to create attribute groups
Source code provided for customization
Free of Charge

Cons:

It works for single forest only and there is no way to get around to support multi-forests through code change.
It doesn’t build hierarchical groups by default. This could be resolved by code change but it is not an easy task.

Overall Rating:

7 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

Review - M-Tech ID-Sync

Yale Li — Sun, 26 Mar 2006 03:00:00 GMT

M-Tech has a suite of Identity Management products. ID-Sync is a user provisioning tool.

Pros:

- Built in workflow engine

- Integration with Microsoft MIIS

- Provided SAP MA

- Fast provisioning time

- Provision of non-HR identity data

- Reasonable cost

Cons:

- HR is not authoritative (it is one of targets, not a source in provisioning)

- Postphoned de-provisioning is in question

Overall Rating:

8 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

Review - Microsoft CLM (Certificate Lifecycle Manager) Beta 1 (renamed from Alacris)

Yale Li — Tue, 21 Mar 2006 05:00:00 GMT

Don't let the word "Beta" fool you. CLM Beta 1 is actually renamed from the latest Alacris RTM version.

Pros:

- Turn key system and no coding is required

- Can manage both smart cards (including USB tokens) and certificates

- Feature rich self service Web UI

- Built-in work flow engine to handle approval and notification

- Flexable policies

- Temp smart card

- Easy installation

Cons:

- Does not format smart card

- In multiple forest environment, each forest needs its own CLM and SQL database.

- SQL 2005 is not supported.

- IE 7 is not supported

- Microsoft base CSP is not supported

- Granting permission is tedious work

(some will be supported in Beta 2 or RTM)

Overall Rating:

6 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

Review - Quest ActiveRoles Server

Yale Li — Sun, 19 Mar 2006 04:00:00 GMT

Quest ActiveRoles Server enables automatic user/group provisioning and make entitlements management easier.

Pros:

- Rule based automatic provisioning

- Role based administration

- Easy to navigate UI

- AD focused but also handle Unix/Linux users/groups with Vintela Authentication Server

- Dynamic group support

- Fast provisioning time (instant - 10 min)

- Postphoned deprovisioning

- Comprehensive audit and reporting for compliance

- MIIS integration

- Multiple AD forests support

- minimal custom coding

(already considered good improvements coming in June version)

Cons:

- to be find out

Overall Rating:

9 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

Review - Axalto .NET Smart Card

Yale Li — Sat, 18 Mar 2006 03:00:00 GMT

Axalto (Schlumberger) has developed the new .NET Card Technology to seamlessly integrate with current software such as Word, Exchange, Windows XP, Windows CE, and upcoming products based on the .Net technology. The technology contains a multi-application smart card framework, which enables loading applications developed in any language supported by the .NET framework of Visual Basic NET, C#, J#.

The Axalto .NET smart card (with 128KB memory) has card module software which supports the Microsoft Base CSP. Microsoft had developed a management tool called SDA (Smartcard Deployment Application) to manage the entire smartcard life cycle. SDA will be replaced by CLM (Certificate Lifecycle Manager) which is a Microsoft product with business acquisition of Alacris. A SDK is also provided to customize the smart card.

Pros:

- Larger memmory sixe

- Can combine smart card chip for logical access and RFID tag for physical access on the same badge.

- Easy applet development with .NET technology

- Strong authentication

Cons:

- Not supported by CLM Beta 1 (will be supported by CLM Beta 2)

Overall Rating:

8 out of 10

Review - RSA SecurID

Yale Li — Fri, 17 Mar 2006 03:00:00 GMT

SecurID for Windows fully integrates with Microsoft's Active Directory and enables domain-level access management along with new offline capabilities.

At backend, RSA ACE Sever is required. The client requires the RSA ACE/Agent installed. The SecurID generates one time pass code and user types in PIN and pass code to logon. The pass code is synchronized with the backend. The authentication protocol is Kerberos in Windows. Unlike the smart card, Microsoft Kerberos doesn’t have any extensions to support OTP logon. Therefore, RSA ACE replaces SecurID with the user’s password in the background for actual authentication.

Pros:

- Relative larger installation base in the world

- Support OWA

Cons:

- Can not combine logical access and physical access in the same badge

- The underlying managed password authentication is the foundation thus the security strength is not as high as smart card

Overall Rating:

7 out of 10

Review - Real User PassFace

Yale Li — Thu, 16 Mar 2006 03:00:00 GMT

Real User's Passface™ system is a cognometric method of personal authentication - based on the measurement of an innate cognitive function (of the human brain), specifically: its ability to recognize familiar faces. As with passwords and PINs (knowledge-factor authenticators), with Passfaces™ there is a shared secret between the user and the system. However, instead of relying on users to memorize and recall strings of characters and/or numbers, it employs (photographs of) faces as its "alphabet" and requires only familiarization and recognition on the part of the user.

Pros:

· Purely software based and no hardware is required

· Extremely low cost

Cons:

· Although used by US Congress, it is not a major industry standard

· It is a wrapper/hash on top of password authentication, not two factor

Overall Rating:

6 out of 10