November 10, 2011


Identity and Access Management

Decision, Analysis and Resolution (DAR) for an enterprise-wide identity and access management program for the Arizona Department of Education

Objective evaluation of multiple identity and access management systems that are being used in the industry




ADE Needs


Situation

- Open audit findings related to user access security (Common Logon)
- Highly manual and often inconsistent process for user provisioning
- The burden of complexity on IT, which must manage identities across heterogeneous systems
- High help-desk costs associated with password resets and support




Identity Challenges

- Loss of end-user productivity because users cannot manage the routine aspects of their own identity and access
- Lengthy development time for identity management customization because existing developer interfaces require specialized knowledge
- Security gaps and risk to the business due to noncompliance with internal and external regulations

Maintenance Challenges

- Managing identities across systems is
  - Costly
  - Time-consuming
- Costs and time grow exponentially as
  - Number and types of users increase
  - Number of services and systems grow
  - Complexity of systems and applications increases
  - Regulatory demands increase



Proposed Solution

- Secure Remote Access
- Well-managed Identity
- SSO and Federation
- Provide a well-managed, common identity infrastructure
- Enable interoperable access across networks
- Authentication and authorization

Built on Active Directory

Evaluation Approach

The team established guidelines to determine which issues should be subjected to a formal evaluation process, then applied a formal evaluation process to these findings:

- establishing the criteria for evaluating alternatives
- identifying alternative solutions
- selecting methods for evaluating alternatives
- evaluating the alternative solutions using the established criteria and methods
- selecting recommended solutions from the alternatives based on the evaluation criteria


System Criteria

Evaluation criteria provided the basis for evaluating alternative solutions. The criteria were ranked so that the highest-ranked criteria exerted the most influence on the evaluation.

- Ability to integrate with the current user base on Active Directory
- Flexibility and long-term support
- Ease of deployment



Identity and Access Management tools

Three identity and access management tools were shortlisted to evaluate against ADE needs:

- Microsoft Forefront Identity Manager (FIM) 2010
- Computer Associates Identity Manager (CAIM)
- Oracle Identity Manager (OIM) 11g


Gartner Report

Gartner Research Report: 2010 Magic Quadrant for User Provisioning

- Leaders: Oracle, CA Technologies
- Challengers: Microsoft



Deployment

Microsoft FIM is an Identity Management system based on the existing Microsoft software platform. It is a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments.

Computer Associates Identity Manager provides out-of-the-box connectors for Active Directory.

Oracle Identity Manager 11g is a highly flexible and scalable system built on the Java EE architecture. It leverages Oracle Metadata Services (MDS) to reduce customizations and provides simplified development, configuration and deployment.


Integration with Active Directory

- FIM offers a fully integrated BI solution for operational analytics and dashboards
- CAIM's core competency is integration with Active Directory
- OIM supports an LDAP identity repository, and web services exist for Active Directory integration

Flexibility

- FIM has the advantage of leveraging the Microsoft stack of products
- CAIM is easily integrated with Microsoft products
- OIM is built on an open architecture to integrate with existing software and middleware

Road Map

- FIM upgrades versions every 3.5-4 years, with service packs between releases
- CAIM does not have a clear road map for upgrades or a long-term strategy
- OIM upgrades versions every 3-5 years, with service packs between releases


Cost

- FIM is the least expensive, at a $4,319 server license cost with unlimited external users
- CA Technologies proposed a suite of products to be implemented over 2 years:
  - $52.25 per user license cost based on 4,000 users, for $209,000 total
  - CA installation costs of $624,000 (recommended)
  - $41,800 annual maintenance starting in year 3
- Oracle IM suite has a total licensing cost of $326,600:
  - Internal User license $95 each (minimum of 2,000)
  - External User license $12 each (minimum of 5,000)
  - Processor licensing $85,800 each (2 required)


Maintenance

- All the Enterprise Resource Planning (ERP) systems carry annual software maintenance fees in the range of 18-25% of the original software cost
- Annual maintenance covers software updates as well as new version releases
- Maintenance is included in the forecast for the next seven to ten years of a typical software life cycle

Resolution

- FIM is the best option for ADE. It has a defined road map as well as an excellent interface to the Microsoft software platform. It is the most cost-effective product.
- CAIM has fewer features and is the most basic system reviewed.
- OIM is a strong product, but not as easily integrated into a Microsoft-based environment. The overall licensing, support, and integration cost for Oracle make this the most expensive product reviewed.



Weighted Criteria Matrix

Scores are on a 1-5 scale; each Weighted Score is the product's Score multiplied by the criterion Weighting.

| Criterion | Weighting | FIM Score | FIM Weighted Score | CA Score | CA Weighted Score | Oracle Score | Oracle Weighted Score | Comments |
|---|---|---|---|---|---|---|---|---|
| Decision Support | | | | | | | | |
| Integration | 5 | 5 | 25 | 3 | 15 | 2 | 10 | How well will it fit into our current environment? |
| Flexibility | 5 | 4 | 20 | 3 | 15 | 5 | 25 | Scalability and functionality. |
| Deployment | 4 | 4 | 16 | 3 | 12 | 3 | 12 | How quickly and easily can we deploy? |
| Road Map | 4 | 4 | 16 | 3 | 12 | 4 | 16 | Future enhancements and product updates. |
| TOTAL | 18 | | 77 | | 54 | | 63 | |
| Costs | | | | | | | | |
| Pricing/hours | 4 | 5 | 20 | 2 | 8 | 3 | 12 | Pricing based on per user license and module cost, if applicable |
| TOTAL | 4 | | 20 | | 8 | | 12 | |
| Resource / Skill Set Availability | | | | | | | | |
| Technical expertise | 5 | 4 | 20 | 3 | 15 | 2 | 10 | Resource availability (Local vs. Non-local) |
| TOTAL | 5 | | 20 | | 15 | | 10 | |
| Suitability Rating | | | 117 | | 77 | | 85 | |
| Ranking | | | 1 | | 3 | | 2 | |

* Supporting Documentation located on Team SharePoint site

FIM Solution

Key Benefits

- Empowers people to accomplish self-service identity tasks
- Delivers agility through automation, self-service, and extensibility
- Increases security with management across identities, credentials, and resources
- Introduces "codeless provisioning", allowing changes to be rapidly implemented without reprogramming solutions


Recommendation

Based on the Assessment Matrix, Microsoft FIM is the recommended solution for ADE's Identity and Access Management program.

Microsoft FIM would provide the core applications needed as well as a strong interface into the other Microsoft products currently used in the Department. The overall licensing and implementation costs are also the lowest.

CAIM would more easily fit into our environment, but it has fewer features at a significantly higher cost than the other products.

Oracle IM would provide a suitable core application, but would require significant integration for network services and would have a high impact on the current environment. The Department does not have the resource skill set, and a new team would need to be engaged for deployment and on-going support.