One of the things I like about working with IBM software is you get to meet some really smart and talented people along the way. This first phase of our Identity and Access Management project is the architecture phase. Since we've never done anything like this before, we commissioned Strategic Computer Solutions (SCS) to help guide our way to implementation. They in turn brought someone out from the Tivoli Software Group for the project, and this guy really knows his stuff!
Ram Sreerangam (pronounced "Rom Shri-rung-gum") flew into Buffalo from Boulder this past week to give us a hand architecting the ITIM and ITAM solution. Even though we've only just begun, it feels like we've made great progress already after talking to a number of application people and network people. At this stage of the game we're really just getting the "lay of the land". It sounds like we may have some capacity on our load balancing switches to help with clustering, although we may still choose to purchase a separate device depending on how many ports we need and where in the network we need to locate the device. We were also able to temper our expectations down to a smaller number of applications to start with, which is really important for making the project manageable. When you protect an application with TAM, it's important to remember that all users of that application will be affected, so piloting this sort of thing with only a few users means choosing an application that is only used by a few people. At first our thinking was that we could take a whole bunch of applications and test with only a few people, but instead we must choose a few applications to start with and then add more as we go.
It looks like we will have to implement ITIM and ITAM together. Here's why:
Our production Portal is already using an existing LDAP (running Domino). There are about 30,000 users in that LDAP, but we intend to use TDS as the enterprise LDAP, which will also be the TAM user store. Right now, all the users in the Domino LDAP use their Notes Internet Password to authenticate to Portal. In the new enterprise directory we may not be storing this password (although maybe we will, just to get people started). The main issue is that users will not have a way to administer their passwords without ITIM.
During some of our discussions with application people, we discovered that some of our applications are used by people outside of our usual security domain. Where we had thought that all the users of these applications were customers within our regional boundaries (and therefore on our network), some applications are in fact used by people outside our normal boundaries (on the Internet). These are candidates for Federation (FIM). We really did not want to deal with a FIM deployment at this time, because it involves issues like the asserting party also having a federation product that we could work with. This really gets out of the scope of this project, so we will either place those applications lower on the priority list for securing behind TAM and TIM, or we may have to decide on a process for storing those identities from the outside customers in our Enterprise Directory (TAM user store), which means we will have to maintain them.
Next week, Ram will be doing some documentation from Boulder and then he goes on vacation for 2 weeks. When he returns in January I hope to have already set up TAM in a test environment and hopefully documented some more applications for our data modeling effort.
It's also getting close to the time we will need to attend some classroom training for this stuff. Ram helped develop some of the IBM courses and he says the Labs are fantastic. I look forward to checking that out. For your reference:
Recommended roadmap for ITIM v4.6:
Classroom Training: Extending IBM Tivoli Identity Manager 4.6
Recommended roadmap for ITAM v6.0:
Classroom Training: IBM Tivoli Access Manager for e-business 6.0 Deployment and Administration
Classroom Training (optional): IBM Tivoli Access Manager for e-business 6.0 Customization