Today's identity management technologies and products are often remarkably complex. In spite of this, value-added resellers (VARs), consultants and system integrators are successfully selling and deploying identity management products.
Success becomes far more likely, though, when the products are channel-friendly. Channel-friendly identity management products provide a quick return on investment (ROI) for the customer, which lets the solution provider demonstrate the product's value, and they have simpler deployment models, which makes it less likely that a deployment will run into complications or fail altogether.
So, ordered by ease of deployment, here is a list of the most effective identity management technologies to offer customers.
Strong authentication products
Strong authentication products are perhaps the oldest, best-selling identity management products for VARs, specifically those products featuring hardware-based one-time password (OTP) devices. OTPs fit the VAR model particularly well because of the simple deployment model: There's no workstation software to deploy, and integrating the strong authentication server and the target resource is typically simple. In many cases, an organization purchases an OTP product to protect remote access devices, which are easily integrated with the OTP server via the Remote Authentication Dial-In User Service (RADIUS) or Extensible Authentication Protocol (EAP) networking protocols.
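To show what the RADIUS integration described above looks like on the wire, here is an added Python example (not from the original article or from any vendor's product): the remote access device side builds an Access-Request carrying the OTP as a PAP-hidden User-Password, and the OTP server side parses the packet and checks the value. The shared secret, user name and OTP are constructed sample values, and the server's "expected OTP" is assumed to come from its own token algorithm.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1          # RADIUS packet code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

def _md5_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); the
    first block uses the Request Authenticator. One loop both hides and reveals."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on the hidden block
    return out

def build_access_request(ident: int, username: str, otp: str, secret: bytes,
                         authenticator: bytes = b"") -> bytes:
    """Remote access device side: User-Name plus the OTP as a PAP-hidden User-Password."""
    authenticator = authenticator or os.urandom(16)    # fresh 16 random bytes per request
    padded = otp.encode() + b"\x00" * (-len(otp) % 16)  # pad to a multiple of 16 bytes
    hidden = _md5_chain(padded, secret, authenticator, hiding=True)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()), (ATTR_USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value  # TLV encoding
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """OTP server side: check framing, walk the attribute TLVs, reveal the password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    revealed = _md5_chain(attrs[ATTR_USER_PASSWORD], secret, authenticator, hiding=False)
    return {"id": ident, "username": attrs[ATTR_USER_NAME].decode(),
            "otp": revealed.rstrip(b"\x00")}  # drop padding (fine for numeric OTPs)

def otp_server_accepts(packet: bytes, secret: bytes, expected_otp: str) -> bool:
    """Server decision: constant-time compare of the revealed OTP with the expected value."""
    return hmac.compare_digest(parse_access_request(packet, secret)["otp"], expected_otp.encode())
```

The password hiding depends entirely on the shared secret, so the RADIUS path between the remote access device and the OTP server still needs a strong secret and network-level protection even though the OTP itself is single-use.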
Workstation-based biometric products are frequently coupled with enterprise single sign-on (SSO) technology. Enterprise SSO introduces additional security considerations, because access to many applications relies upon one initial password. Strong authentication solves the enterprise SSO "keys to the kingdom" problem because it replaces the initial password with stronger authentication (for example, OTP, smart card or biometrics). Biometric technology requires the installation of workstation hardware and software, and consultants and system integrators can assist customers with the deployment.
Enterprise single sign-on (SSO) software
Enterprise SSO software resides on a user's workstation and replays password credentials after the user clicks on the target application icon. The result is single sign-on (or, more realistically, sign-on reduction). Like workstation biometrics, enterprise SSO requires client software deployment, but that process is relatively simple. In addition, many enterprise SSO products have largely moved from "customization" to "configuration," making them much simpler to get up and running. Still, in many cases customization work is necessary and consulting or integration services will be needed. Biometric fingerprint readers from well-known vendors will make the deployment go much more smoothly, as the enterprise SSO product will support the reader "out of the box."
Active Directory (AD) bridge products
AD bridge products enable centralized authentication and authorization management of non-Windows platforms, using Microsoft tools like Active Directory Users and Computers and Windows Group Policy. The deployment model is relatively simple: install the software on a workstation or server, then "join" the machine to Active Directory, just like joining a Windows machine to the domain. After a few configuration steps, the Unix user originating from the workstation or server will now authenticate against Active Directory. These steps don't typically require consulting or integration work.
Setting up Unix authorization via Active Directory is more complicated. The conduit for authorization is Windows Group Policy, which has a tricky policy application framework. The result is that policy application may not work as intended and may require some troubleshooting. The centralized management of non-Windows users via Active Directory can be challenging as well, particularly if the environment has many Unix namespaces (that is, different usernames and UIDs for the same user). However, with the proper configuration, all of the AD bridge products have the ability to map multiple Unix namespaces to a common Active Directory identity. In these scenarios, consulting services are required.
Web access management systems
Web access management systems provide authentication, single sign-on and authorization services for heterogeneous Web applications. Unlike enterprise SSO, workstation software is not required; a Web browser is all that is needed. Still, Web access management deployments can be complex due to the required integration with other identity management components (for example, directory services and strong authentication, and potentially provisioning) and enterprise resource planning (ERP) applications. System integrators can provide custom Web access management components, and consultants can assist with architecting the system for performance and high availability.
Despite the general complexity of identity management products, many types of products can be considered channel-friendly, including strong authentication, enterprise SSO, Active Directory bridge and Web access management. Channel-friendly identity management products provide quick return on investment and require no customization -- attributes that make customers happy.
This was first published in April 2009