
Agenda

IDM vs MIIS. The past, present, futures and direct comparisons of Identity Management from both Provo and Richmond. Martin Bradburn, Associated Network Solutions Plc. Agenda: Why Identity Management? Novell’s IDM3 – an overview. Microsoft’s MIIS – an overview. Knock for knock


Presentation Transcript


  1. IDM vs MIIS. The past, present, futures and direct comparisons of Identity Management from both Provo and Richmond. Martin Bradburn, Associated Network Solutions Plc

  2. Agenda • Why Identity Management? • Novell’s IDM3 – an overview • Microsoft’s MIIS – an overview • Knock for knock • The future • Q&A – please

  3. Priorities today • 1. Maximise All Your Assets • 2. Reduce Costs • 3. Ensure Security and Compliance …across all systems and platforms

  4. Auditing & Compliance. Compliance initiatives, such as Sarbanes-Oxley, FSA and Law Society, occupy centre stage in IT and security projects. Sarbanes-Oxley requires organisations to focus on making sure that they are reporting accurate information and that they know where it is coming from. The results of the IT auditing teams are bubbling up to the boardroom, and they can be pretty ugly…

  5. User-provisioning implementations are growing in number and complexity, largely because of regulatory pressures. Gartner estimates that there are approximately 1,200 production deployments that are significant: These implementations are enterprise wide, and they use multiple connectors, workflow and approval processing. Implementations of smaller workforce count are new, most within the past 12 months, as they too feel regulatory compliance pressures.

  6. Complexity

  7. Actual View of Novell before “Zero Day Start”

  8. So, why are we all in this mess? • Organisations expand – recruitment & acquisitions • Employees need access to many applications & resources • Managing resource access tends to be carried out on a system-by-system approach • On average this means that each user has 8–12 identities • A field of disparate and complex systems…

  9. Novell’s IDM3 – an overview

  10. Novell IDM3 Major Components
      End-User Features
      • User Application
        • Approval Workflow system
        • Self-service resource request
        • Roles and function delegation
        • Delegation of admin duties
        • Enhanced White Pages
        • Enhanced Org Chart
        • User Search Application
        • Self-service Password Management tools
        • Lightweight User Admin tools
      Admin/System Features
        • Identity Manager metadirectory engine & connectivity
        • Eclipse-based Configuration
        • iManager-based Administration
        • Advanced provisioning reporting using Novell Audit
        • Enhanced performance, scalability and stability

  11. Novell Identity Manager 3. Novell Identity Manager 3 delivers: • Automated User Provisioning • Self-service Password Management • Secure Logging, Auditing and Reporting. Across platforms: Linux, Windows, Solaris, HP-UX, AIX & NetWare

  12. IDM3 – Top 5 Innovations • Integrated Approval Workflow • Enhanced Identity Applications • Attractive, flexible User Application • Designer for Identity Manager • Enhanced Scalability and Data Security

  13. Integrated Approval Workflow User application showing approval task in-box. Full-featured workflow capabilities, including: • Role, group or individual assignments • Delegation and proxy functions • Expiration tracking with escalation policies • Self-service provisioning • No coding required (Java, script, XML, etc.)

  14. User checking status of a prior workflow request User application showing approval task in-box. Full-featured workflow capabilities, including: • Role, group or individual assignments • Delegation and proxy functions • Expiration tracking with escalation policies • Self-service provisioning • No coding required (Java, script, XML, etc.)

  15. End User View Advanced identity applications unlock greater value from the identity data. • Powerful organisational charting & white/yellow pages • Self-service password management • Delegated administration for team leaders

  16. Views of User Workflow requests

  17. Views of User Search and List Advanced identity applications unlock greater value from the identity data. • Powerful organisational charting & white/yellow pages • Self-service password management • Delegated administration for team leaders

  18. Views of User Search and List Advanced identity applications unlock greater value from the identity data. • Powerful organisational charting & white/yellow pages • Self-service password management • Delegated administration for team leaders

  19. Administrator View Full-featured Administration Console. • Monitoring, reporting & auditing features • Integrated into the common Administration fabric • Separate from tools for Architecture/ Deployment

  20. Designer for Identity Manager Architect View A powerful visual toolkit for designing the identity environment. • Graphically configure complex systems • Model “What If” scenarios • Automatically generate documentation • Leverage re-usable configurations to reduce deployment time

  21. Connectible Application Space

  22. Identity Manager Connected Systems
      • Database: IBM DB2, Informix, Microsoft SQL Server, MySQL, Oracle, Sybase, JDBC
      • Directories: Critical Path InJoin Directory, IBM Directory Server (SecureWay), iPlanet Directory Server, Microsoft Active Directory, Microsoft Windows NT Domains, Netscape Directory Server, NIS, NIS+, Novell NDS, Novell eDirectory, Oracle Internet Directory, Sun ONE Directory Server, LDAP
      • Email systems: Microsoft Exchange 2000, 2003; Microsoft Exchange 5.5; Novell GroupWise; Lotus Notes
      • Enterprise applications: Baan, J.D.Edwards, Lawson, Oracle, Peoplesoft, SAP HR, SAP R/3 4.6 and SAP Enterprise Systems (BASIS), SAP Web Application Server (Web AS) 6.20, Siebel
      • Enterprise message bus: BEA, IBM Websphere MQ, Open JMS, Oracle, JBOSS, Sun, TIBCO
      • Mainframe: RACF, ACF2, Top Secret
      • Midrange: OS/400 (AS/400)
      • Operating systems: Microsoft Windows NT 4.0; Microsoft Windows 2000, 2003; SUSE LINUX; Debian Linux; FreeBSD; Red Hat AS and ES; Red Hat Linux; HP-UX; IBM AIX; Solaris; UNIX Files - /etc/passwd
      • Other: Delimited Text, Remedy (for Help Desk), SOAP, DSML, SPML, Schools Interoperability Framework (SIF)
      • PBX: Avaya PBX
      *NOTE: Identity Manager customers have integrated numerous other systems utilizing general purpose Identity Manager drivers such as JDBC, Delimited Text, or LDAP

  23. Microsoft’s MIIS – an overview

  24. Microsoft MIIS Major Components • Synchronisation Engine • Synchronising into ever increasing number of systems – no longer just MS ones • Automated provisioning • Centralised Identity Store • Password Management (SP1) • Integrated into Windows front end

  25. MIIS – Identity Scenarios: Integration as foundation for IM services. [Diagram labels: HR System, Contractor System, “Enterprise Directory”, Lotus Notes Apps, Identity Integration Infra, COTS Application, In-House Application (×2); each system is marked Authentication • Authorization • Identity Data.] Rock solid software to integrate identity

  26. MIIS Architecture. Key: MA = Management Agent; CS = Connector Space. MS SQL2000 based datastore

  27. MIIS Designer

  28. Connectivity in MIIS 2003, Enterprise Edition SP1
      • Active Directory
      • Active Directory Application Mode
      • Exchange 2000 and 2003 Global Address List synchronisation
      • Sun One Directory (formerly iPlanet) 4.x and 5.0
      • SQL Server 7.0 and 2000
      • Oracle 8i and 9i
      • DSML 2.0
      • LDAP Directory Interchange Format (LDIF)
      • Delimited Text
      • Fixed-Width Text
      • Attribute-Value Pair Text
      • Windows NT 4.0
      • Exchange 5.5
      • Lotus Notes 5.0
      • Novell eDirectory 8.62 and 8.7
      • RACF – Shipped Summer ‘05
      • SAP (Beta)
      • Other mainframe and ERP systems to follow

  29. Knock for Knock

  30. Movement from last year’s meta directory magic quadrant Gartner’s meta directory Magic Quadrant “We continue to view IDM as market leading technology” —Gartner

  31. Gartner’s User Provisioning Magic Quadrant

  32. Challenger Definition. Challengers have solid products that address the typical needs of the User-provisioning market, with strong sales, visibility and clout that add up to higher execution than niche players. Many clients consider challengers to be the conservative, safe alternative to niche players. Challengers in this Magic Quadrant have strong product capabilities, but they have fewer production deployments than the leaders. Their business model, overall product strength, marketing strategy and business partnerships vary and, hence, have kept them from breaking into the Leaders quadrant. Novell have been in the User-provisioning market for some time and have been making steady progress.

  33. Niche Definition Niche players offer viable, dependable solutions that meet the typical needs of buyers. Niche players are less likely to appear on shortlists but fare well when given a chance. While they generally lack the clout to change the course of the market, they should not be regarded as merely following the leaders. Niche players may address subsets of the overall market, and often they can do so more efficiently than the leaders. Clients tend to pick niche players when stability and focus on a few important functions and features are more important than a “wide and long” road map. Microsoft has a basic User-provisioning product in MIIS and relies on partners to round out its offering.

  34. Market Disruption. Two fundamentally different ways of solving the security administration problem are the User-provisioning (middleware) approach and the enterprise access management approach. All vendors, except Microsoft, are taking the middleware approach, which addresses the management of the complex authentication environment that has evolved during the past 20 years.

  35. As long as enterprises are willing to make Active Directory their central authentication service and rely on the access control infrastructure of the Windows server, fewer user IDs will be needed, and those that remain can be managed as an Active Directory account. Microsoft partners, such as Centrify and Quest Software, are building tools to provide the translation of Unix, Linux, Mac OS, VMware, WebSphere, WebLogic, JBoss and Apache accounts so that they can be managed as Active Directory accounts. Microsoft Identity Integration Server (MIIS) is required to provision user accounts and synchronise user profile information between target systems (until such time that only one Active Directory user account is needed).

  36. This means that Microsoft would: • Own the strategic user repository (Active Directory) in most accounts • Drive the primary authentication for both network operating system (NOS) and Web connections • Drive the application-level authorisation schemes. Clearly, this is a lot to accomplish, but no other vendor is in a position to pull this off. The enterprise access management approach is not for everyone, especially if enterprises have a need right now for managing and reporting on the messy, complex user account environment that currently exists. This approach is also not for those enterprises that want to maintain an “open” authentication and authorisation infrastructure.

  37. Novell IDM. Novell was one of the vendors that took its meta directory product and evolved it into a Java-based User-provisioning product. Because earlier versions of its User-provisioning product were based on the meta directory product, it has strong data synchronisation and Resource Access Management capabilities, but it lacked certain core User-provisioning functions, such as self-service password reset and workflow, and it required a fair amount of consulting work for implementation. Novell has continually enhanced its User-provisioning offering (for example, graphical interface for connector management and Service Provisioning Markup Language support), and with the introduction of Identity Manager 3, it has a product that provides very good User-provisioning capabilities, albeit with a few oddities (such as template workflow by the number of approval steps rather than by User-provisioning function, for example, add a new user).

  38. Novell has done a good job in focusing on the federal and state government sectors and overall customer satisfaction is high. To be the success it wants to be, Novell must be more strategic by adding capabilities around Role Management, ensure it has a Tier 1 Service Industry and provide a solution for the SMB market. Novell has done a good job selling its User-provisioning solutions to its target customers; however, Novell’s target audience is too narrow. Gartner wants Novell to expand its marketing and sales efforts to a broader range of customers.

  39. Microsoft MIIS. Microsoft’s User-provisioning offering, developed on the .NET platform, was originally built as a metadirectory product that now supports much of the heterogeneous IT infrastructure (connectors for SAP and PeopleSoft are in progress). It is a set of modules that must be integrated to make up a basic User-provisioning product. For example, workflow capability comes through BizTalk, with Visual Studio required for complex workflow and rule support, and Unix support comes through Services for Unix. There is no support for Service Provisioning Markup Language, role management or out-of-the-box reporting of any kind, although customers can use their existing reporting products to get access to the data in the MS-SQL database.

  40. Gartner’s assessment of MIIS as a User-provisioning offering is that it is very much a consulting engagement. However, customers report that the software license fees and integration costs are so much lower than other User-provisioning product deployments, that it is worth the effort. Microsoft has not productised capability (for example, workflow templates, developed by Microsoft Consulting Services from its deployments).

  41. Microsoft’s next planned release in the second half of 2007 will be comparable with today’s User-provisioning product offerings, with workflow provided at the Windows server level. But because the two different strategies for solving the security administration problem – middleware vs. enterprise access management – are neither well articulated nor understood in the market, comparing MIIS with a middleware User-provisioning product will result in MIIS not measuring up 100 percent.

  42. Lower costs and the growth in Active Directory as the central enterprise authentication service will likely propel Microsoft into the Leaders quadrant within the next 24 months.

  43. Infoworld Review ‘05 ! http://www.infoworld.com/article/05/10/07/41FEidm_1.html?s=feature

  44. Native System Connectivity
      • Operating systems: Microsoft Windows NT 4.0; Microsoft Windows 2000, 2003; SUSE LINUX; Debian Linux; FreeBSD; Red Hat AS and ES; Red Hat Linux; HP-UX; IBM AIX; Solaris; UNIX Files - /etc/passwd
      • Other: Delimited Text, Remedy (for Help Desk), SOAP, DSML, SPML, Schools Interoperability Framework (SIF)
      • PBX: Avaya PBX
      • Enterprise applications: Baan, J.D.Edwards, Lawson, Oracle, Peoplesoft, SAP HR (MIIS via delimited text), SAP R/3 4.6 and SAP Enterprise Systems (BASIS), SAP Web Application Server (Web AS) 6.20, Siebel
      • Enterprise message bus: BEA, IBM Websphere MQ, Open JMS, Oracle, JBOSS, Sun, TIBCO
      • Mainframe: RACF, ACF2, Top Secret
      • Midrange: OS/400 (AS/400)
      • Database: IBM DB2, Informix, Microsoft SQL Server, MySQL, Oracle, Sybase, JDBC
      • Directories: Critical Path InJoin Directory, IBM Directory Server (SecureWay), iPlanet Directory Server, Microsoft Active Directory, Microsoft Windows NT Domains, Netscape Directory Server, NIS, NIS+, Novell NDS, Novell eDirectory, Oracle Internet Directory, Sun ONE Directory Server, LDAP
      • Email systems: Microsoft Exchange 2000, 2003; Microsoft Exchange 5.5; Novell GroupWise; Lotus Notes
      Colour key on the original slide: IDM3 black, MIIS red

  45. Supported Platforms
      • MIIS
        • Windows Server 2003 Enterprise edition
        • (NB. Also requires SQL Server 2000)
      • IDM3
        • NetWare 6.5 SP3 or later
        • Novell Open Enterprise Server – NetWare or Linux
        • Windows 2000 or 2003
        • SUSE Linux Enterprise Server 9 or 10
        • Red Hat Linux AS 3.0
        • Solaris 8, 9 or 10
        • AIX 5.2L

  46. Getting it all configured
      • MIIS
        • Designer GUI
        • Does not natively integrate with AD (uses SQL2000)
        • Requires Visual Studio and coding for most things
        • Not real time synchronisation
        • SQL2000 able to be replicated
        • No identity auditing capability
        • Partner support excellent
      • IDM3
        • Most powerful Designer GUI
        • Natively integrates with eDirectory
        • Self documenting
        • Still needs XML coding for certain things
        • Real time synchronisation
        • No native failover
        • In built auditing
        • Partner support excellent

  47. What’s it going to cost?
      • MIIS
        • MIIS 2003 SP1, Enterprise Edition per CPU (including all MS connectors): £13,400
        • Windows Server 2003 R2 Enterprise Edition: £2,222
        • Windows Server 2003, Client Access License 20-pack: £444
        • SQL Server 2005 Standard Edition: £3,333
        • Total investment: £19,399
      • IDM3
        • IDM3 (including Microsoft Active Directory, Microsoft Windows NT, Novell GroupWise, Microsoft Exchange, Lotus Notes, Novell eDirectory and other LDAP v3 directories) + Audit + User application with user self service and password management: £13.88 per user
        • Optional Provisioning Module for Novell Identity Manager 3 (Approval workflow system and Self-service Resource Request): £5.55 per user
        • Optional integration modules: from £3.33 per user
        • For comparison, 1400 users @ £13.88 is £19,432
      All prices exclude VAT, maintenance and discounts. £/$ exchange rate of 1.8

  48. What’s in it for the users?
      • MIIS
        • Password self-service (reset now pulled from SP2)
      • IDM3
        • Password self-service
        • User Administration
        • White pages and organisational charts
        • Workflow
        • Resource request

  49. What’s in it for your boss?
      • MIIS
        • Good ROI (sometimes excellent)
        • Microsoft integration
        • Nobody’s yet been fired for buying MS!
      • IDM3
        • Audit and compliance
        • Good ROI
        • Open source integration
        • Past, present and future system integrations
