Identity management is the bane of many an IT administrator's existence. Employees come and go. Workers from partner companies require access to the network in a time-limited but secure way. Users forget their passwords and lose their smartcards. And new services come online all the time. It's a wonder anyone can get anything done.
There have been tools available for a while that purport to manage the total life cycle of user identity -- from hiring and first authorization to use of new applications until suspension, termination or separation -- all from one system. Microsoft's entry into this market, Forefront Identity Manager 2010, shows itself as a capable product with a few drawbacks.
Forefront Identity Manager 2010, or FIM, relies on a couple of features to differentiate itself from competitors: It gives users the ability to perform a variety of tasks themselves via self-service Web portals, and it's compatible with existing Web standards, enabling it to work with just about any other system.
How we tested I reviewed FIM in a Hyper-V virtual environment with two Active Directory domain controllers, an Exchange machine and FIM 2010 servers in two different Windows domains. All of this was housed on a single Dell rack-mounted server. While this is clearly not a production setup, it was a useful testbed for ensuring that FIM worked as advertised. In addition, over the course of 2010, I had the opportunity to deploy FIM in a production environment with a business-services firm that has four heterogeneous systems and more than 2,500 users. I found that my experiences with the client deployment and the tests in my lab environment were very similar.
Users can, for example, change their passwords on a variety of systems through native Windows tools like the log-on prompt. They can also manage group memberships easily through an intranet-based website that supports restricted group memberships and the approval workflows required.
Behind the scenes, FIM takes care of managing encrypted properties like certificates, smartcards, security life cycles and compliance, while wrapping it up in a nice bow with a good, logically arranged administrative user interface.
Policy management FIM's view of identity management is that employees, their roles and their eventual authorizations and authentication should all fall under the purview of policies. Administrators familiar with Group Policy in Windows will find this metaphor holds well. These policies consist of rules that you, as the administrator, can create to dictate what happens when certain actions take place.
For example, a new-hire rule will create a user account and place him or her into appropriate groups based on date of hire, job position, work location and other factors. The same rule will query and direct the payroll system, via Web services, to add the requisite user information and will interface with the building security system to add the user's smartcard certificate to allow access to the building. Finally, the rule will generate a message to human resources to create a new-hire packet and send it to the new user.
Identity management You can imagine similar policies for, say, maternity leave, where, for a defined period of time, a user's building access would be suspended, her e-mail would be redirected, and pay and other HR policies would be modified as necessary and so on. But perhaps most important for security is the ability to manage separations from the company -- turning off access, removing users from security groups and cleanly and tidily processing financial matters.
Policies within FIM can dictate the actions that happen when any of these events -- or any other event that you define -- occur.
These policies that you define are kicked off and then subsequently managed by the Windows Workflow Foundation, or WF (part of the .Net Framework 3.5). WF provides a powerful base for all sorts of interesting and complex workflows, with nesting, conditions and multiple branches. If your group has already invested in creating rules via WF, you can very simply import them into FIM and use and further customize them from within FIM, saving you from reinvesting the time necessary to create the workflows again in a different tool. If you have a proficient developer staff, you can also create workflows in Visual Studio and export them for use within FIM.
Data synchronization The core of any identity management product, FIM included, is the ability to keep multiple systems --often on different platforms, from different vendors, with different databases -- synchronized as often as possible. The goal is for changes initiated by any system to be replicated accurately and efficiently up and down the chain of related systems.
FIM's predecessor, Microsoft Identity Lifecycle Manager 2007, did a pretty good job of handling such synchronization among Microsoft products. FIM 2010 goes a step further and offers help with making sure databases like Novell eDirectory, Sun Directory Server, Lotus Notes, SQL Server, Oracle, Exchange, Active Directory, SAP and any other database or flat-file systems are updated via policies and workflows.
FIM's core, a synchronization service, manages the data coming into and out of FIM and handles communicating with the target systems -- and in most cases it does so using standards or direct API support with each system. In other words, no messy agents need run on most of these systems.
What's nice about this level of integration and synchronization is that changes made not only in FIM but in other systems individually are automatically replicated back to all other systems of which FIM is aware. So if you change a password directly in Active Directory, FIM will pick that up very soon afterward -- the precise amount of time is a function of link speeds, the systems involved and other factors, but we're talking a matter of minutes -- and distribute that information to, say, SAP. Likewise, if you remove a user from your business intelligence system, you can configure FIM so that when it detects that a user has been deleted, it will then remove the user from all of the other appropriate systems at the time of the next synchronization.
This way, all of the places where identities live (and die) are kept up to date and fresh.
All of these synchronization actions can be gated via the workflow system so that administrators or other designated personnel have to approve changes before they are sequenced throughout your organization -- most helpful for creating and deleting users, but also helpful depending on the sensitivity of the systems in your network.
Alongside the synchronization service, FIM excels at managing smartcards and certificates and at enhancing and automating the user-provisioning process. FIM can handle the creation and expiration of user certificates stored both on a system and on a physical smartcard and takes care of the provisioning and decommissioning of these tools. Since FIM rides on top of Windows' Active Directory Certificate Services, your administrators' expertise and familiarity with standard features of Windows Server will pay off here as well.
User self-service One of the big points of emphasis in FIM 2010 is the delegation of simple administrative tasks to users themselves. From resetting passwords to managing distribution groups, FIM's We- portal makes it reasonably simple for users to manage their group memberships, profile information (like addresses and office and mobile phone numbers, for example) and passwords themselves, without involving a help desk call.
For distribution group management, users can even subscribe to or delete themselves from groups from within their Outlook mail client, right where they're most likely to receive the mail they want to opt out from. Considering the fact that popular statistics put the cost of help-desk assistance at many tens of dollars to more than $100 per call, empowering your end users to do things themselves only helps.
Additionally, FIM will let users reset their passwords from GINA -- the traditional Windows log-on screen. This process is gated so that users have a challenge/response-type authentication mechanism, establishing reasonable security questions that add some tightness to the password-reset process.
Drawbacks While FIM works as advertised, to be frank the largest drawback is its pricing: It's stratospheric. According to Microsoft, FIM 2010 is licensed on both (as in, simultaneously -- you can't choose one or the other) a per-server and per-user Client Access License (CAL) basis. FIM 2010 has a list price of $15,000 per server and $18 per user CAL. Additionally, FIM is available only through volume licensing programs.
At the lowest levels of compliance with those terms, you need a server license for each server on which FIM components are installed, which gives you the right to use FIM server software; a CAL for each user for whom the software issues or manages identity information, and a CAL for each administrator using FIM management capabilities. Not easy on the budget.
On a more minor basis, the product is not well documented either -- outside of the in-product help, there isn't a lot of support on the Microsoft website. There is a big FIM user community, however, and it isn't hard to find consultants with deployment and implementation expertise.
Wrapping up FIM 2010 offers enterprises the ability to do something elusive: To control, in an automated way, all of the users, and their identities, that come into an organization and to manage their life cycles, from creation to daily duty to separation. Given the increased emphasis on compliance, closing security loopholes and identifying areas in which manual processes aren't keeping up, FIM 2010 certainly provides a compelling, if very expensive, solution for managing those "who's" and making sure they're on -- or off -- systems as they should be.