Wednesday, November 1, 2006

Identity Management as a service

Interesting conversations today with our senior tech staff and network experts. Since we are an Internet and application services provider, one of the questions that has been on our minds for some time now is: can we provide identity and access management to our customers using the Tivoli Security software, and if so, when and how?

We heard from a few people who conveyed a few different problems that we need to deal with.

1.) Users at our customer sites need to log on to secure wireless networks. For the last few years, as wireless networks were initially deployed at these sites, there was little to no security; accessing the network was wide open in many cases. Since then there have been steps to require authentication to access the network. This has been done by having our Nortel equipment authenticate the users via a RADIUS server, which in turn uses an LDAP directory at the local site. Customers quickly saw a problem with requiring a log-on first to the network and then a second time to the local file and print systems (AD or Novell). To solve this, the customer sites are implementing SSO solutions so that when a user logs on to the network they are automatically authenticated to the local file and print system as well. The problem is that some systems, like Novell, require the purchase of Identity Management software, since they do not expose their system to integrate with any other SSO solutions.

2.) In some cases customers have already deployed Identity Management solutions to achieve local goals. One driving force is the synchronization of identities, demographic information, etc. In building our central Identity Management system using Tivoli software we will obviously incur software licensing costs for each managed user, internal or external, even though those customers may already be paying for an Identity Management system locally.

So problem 1 above is really an access control issue more than an Identity Management issue; however, in some cases (Novell for one) customers may find that the only way to solve it is by purchasing Identity Management just to use the specific feature they need to solve the problem.

Problem 2 could be solved if we fast-track an Identity and Access Management solution in a model that will solve the problems at customer sites. This would likely result in lower costs for Identity and Access Management in the long run; however, this is probably not feasible if customers are looking for solutions today. As it is, our pilot project, including 7 customer organizations, only addresses provisioning users to our own web-based applications surfaced via WebSphere Portal. Currently none of the customer-located IT systems are in the scope of the current pilot. The architecture project for the pilot is scheduled to start in December 07, so it seems that it could be a while before we are ready to offer Identity Management solutions to customers.

So can we architect our ITIM solution to provide Identity Management to our customers? I understand that in ITIM there is the concept of a multi-tenant configuration, which implies that you might have multiple organizations in one ITIM. I thought I heard that IBM was trying to move away from that; however, I could be mistaken. This sounds like the approach we may want to take. Our organization as it stands is already sort of an org within an org, with the IT division being one of those orgs. So we could do something like:

->IT Org
->Our Org
->Customer Org1
->Customer Org2
->Customer Org3

I imagine that we could contain all managed users within the appropriate org container, and at first the managed resources would be only those that we want to deal with from our IT Org's perspective. When we are ready, we could potentially add managed resources at customer sites into ITIM as needed.

I think another thing we need to consider is what's between ITIM and the managed resources. Our customer sites are primarily located on our broadband network, so there is good capacity between our data center and the customer sites. However, there is the possibility that something breaks that connection, and then the managed resources are not accessible from ITIM. Maybe this is more of a problem for the access control solution than for the Identity Management solution.
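The org-container layout sketched above, as an added toy model that is not ITIM code or its API: it assumes "Our Org" is the root with the IT division and each customer as child containers, and shows two checks a shared (multi-tenant) identity store needs, a placement step that refuses feed records with no matching container rather than defaulting them into the root, and a scope check that keeps a tenant-scoped administrator from reaching another tenant's users.

```python
# Toy model of the multi-tenant org-container layout sketched above.
# Assumed, not ITIM's API: a child->parent dict models the container tree,
# a feed record is a dict carrying an "org" attribute, and an administrator's
# authority is the container whose subtree they may manage.
from typing import Optional

# Constructed container tree. "Our Org" is the assumed root; the IT division
# and each customer site are separate containers beneath it.
CONTAINERS: dict[str, Optional[str]] = {
    "Our Org": None,
    "IT Org": "Our Org",
    "Customer Org1": "Our Org",
    "Customer Org2": "Our Org",
    "Customer Org3": "Our Org",
}

def ancestors(container: str) -> list[str]:
    """Return the container itself followed by each parent up to the root."""
    chain: list[str] = []
    node: Optional[str] = container
    while node is not None:
        if node not in CONTAINERS:
            raise KeyError(f"unknown container: {node}")
        chain.append(node)
        node = CONTAINERS[node]
    return chain

def place_person(record: dict) -> str:
    """Placement-rule analogue: map a feed record to its org container.
    A record whose org matches no known container is rejected instead of
    defaulting to the root, so a user never lands in another tenant's (or
    the provider's) container by accident."""
    org = record.get("org")
    if org not in CONTAINERS:
        raise ValueError(f"no container for org {org!r}; record not placed")
    return org

def can_manage(admin_scope: str, person_container: str) -> bool:
    """True only if the person's container lies within the admin's subtree."""
    return admin_scope in ancestors(person_container)

if __name__ == "__main__":
    # Constructed sample feed records, one per container.
    feed = [{"uid": "alice", "org": "Customer Org1"},
            {"uid": "bob", "org": "Customer Org2"}]
    placed = {r["uid"]: place_person(r) for r in feed}
    print(can_manage("Customer Org1", placed["alice"]))  # True
    print(can_manage("Customer Org1", placed["bob"]))    # False
    print(can_manage("Our Org", placed["bob"]))          # True
```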

1 comment:

Anonymous said...

I have one question: placement rules and the Org Model Ext. ContainerSearch().

I've tried using the JavaScript in the placement rule of ITIM 5.1 and that fails; I added the ModelExt to the scriptExt.props and still no luck.

I'm now trying it on the workflow. It's working, but my problem is how do I assign the ou value to the person? Because person.setProperty("erparent", orgUnit) is not placing the person in the correct ou.