And indeed, midsized organizations are signing on to these simpler options.
Unicco, for example, found IBM Tivoli Identity Manager far too complex, Jenkins says. "Setting up the rules would be a three-month engagement; it wouldn't get off the ground." But IBM Tivoli Manager Express, a more limited, prepackaged version, was "competitively priced" and easy to deploy; it offers templates to enable companies to set up user provisioning without having to go through a meta directory design process. "We set it up in five days, got some quick wins," Jenkins notes. "We'll modify it as we move forward and identify areas of opportunity."
For SSO, an appliance can be the way to go. Because of the product's speed of deployment, Edward Martinez, CIO at the H. Lee Moffitt Cancer Center & Research Institute, chose Imprivata Inc.'s SSO appliance to give doctors one login for as many as 10 systems. "It could be rolled out in a couple of weeks" instead of months, he says. "Other IAM products are good, but the cost and the implementation were mind-boggling." The product uses an application profile generator to automatically determine the procedure for logging into a particular application, eliminating the need for an IT person to create specialized scripts for each application.
Vendors are also fitting existing IAM platforms with ease-of-use features: templates, wizards, and knowledge-based tools designed to minimize the grunt work and complexity in setting up and maintaining such systems.
In September, for example, Courion announced a series of "jump-start options" designed to help customers quickly set up a basic provisioning workflow that provides access to AD, email and some core applications, according to Kurt Johnson, Courion's VP of corporate development. "You can get started on a specific pain point without doing a long, heavy consultative project," Johnson says. "We've seen a lot of interest in the midmarket." In addition, Courion's IAM suite uses pre-written "connectors" to pull in data from existing directories, eliminating the need for a meta directory, Johnson says.
A growing number of suites can be purchased a module at a time. Novell Inc.'s Identity Manager, for example, allows customers to start with a basic ID management package that includes a meta directory, identity integration, user provisioning and password synchronization. They can then add workflow-based provisioning and/or Web SSO capabilities as needed. Several vendors offer user-based as well as site-based pricing. For example, the basic package of Novell Identity Manager is available for approximately $18 a user, including discounts, Novell says. Adding Web SSO costs an additional $7 a user.
Meanwhile, midmarket companies that are mainly Microsoft shops have the option of building their IAM infrastructure around Microsoft products. Of 358 IT professionals responding to an April SearchSecurity.com survey on identity and access management, 85% say they use Microsoft products for directory services, group policy and provisioning. Nearly two-thirds say Microsoft is their primary vendor for this purpose. In addition, 73% say they use Microsoft products for authentication and authorization.
"As long as enterprises are willing to make Active Directory their central authentication service and rely on the access control infrastructure of the Windows server, fewer user IDs will be needed, and those that remain can be managed as an Active Directory account," says Gartner. In its 2006 Magic Quadrant report on user provisioning, the research firm notes, "Customers report that the software license fees and integration costs are so much lower than other [user-provisioning] product deployments, that it is worth the effort," even though Microsoft's IAM products tend to be less feature-rich than those of third parties. Microsoft partners like M-Tech Information Technology Inc. and BMC Software Inc. provide missing pieces like workflow and role management and connectors to non-Microsoft applications, Gartner notes.
This was first published in November 2006.