ABSTRACT
Most would agree that identity management, in general, is a complex problem. In this technical brief, we explore how companies that have chosen Active Directory (AD) as an identity repository can use Quest Software's solutions to leverage their investment in AD. This enables more efficient identity and role provisioning, password management capabilities, and audit and compliance reporting.
Simplifying Identity Management
Technical Brief
Written by Jackson Shaw, Senior Director, Product Management, Active Directory and Integration Solution, Quest Software, Inc.

Copyright Quest Software, Inc. 2006. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY
The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS
All trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters: 5 Polaris Way, Aliso Viejo, CA 92656. Web: www.quest.com. E-mail: firstname.lastname@example.org. U.S. and Canada: 949.754.8000. Please refer to our Web site for regional and international office information.

Updated May 18, 2006
CONTENTS
ABOUT QUEST SOFTWARE, INC.
  CONTACTING QUEST SOFTWARE
  CONTACTING CUSTOMER SUPPORT
INTRODUCTION
DEFINING IDENTITY MANAGEMENT
IDENTITY MANAGEMENT: THE END USER PERSPECTIVE
IDENTITY MANAGEMENT: THE ORGANIZATIONAL PERSPECTIVE
  AUDIT COMPLIANCE AND REPORTING
  MONITORING
IDENTITY MANAGEMENT IN THE HETEROGENEOUS ENTERPRISE
  ACTIVE DIRECTORY ONLY
  ACTIVE DIRECTORY-CENTRIC
  DIRECTORY AGNOSTIC
THE QUEST ADVANTAGE
SIMPLIFYING IDENTITY MANAGEMENT: REAL COMPANIES, REAL SOLUTIONS
  SOUTHERN COMPANY GETS TO ONE
  SIEMENS AUTOMATES PROVISIONING
  SIMPLIFYING IDENTITY MANAGEMENT IN FINANCIAL SERVICES
SUMMARY
RESOURCES

ABOUT QUEST SOFTWARE, INC.
Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and Windows infrastructure. Through deep expertise in IT operations and a continued focus on what works best, Quest helps more than 18,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows Management solutions simplify, automate and secure Active Directory, Exchange and Windows, and integrate Unix and Linux into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software
Phone: 949.754.8000 (United States and Canada)
Email: email@example.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com
Please refer to our Web site for regional and international office information.

Contacting Customer Support
Quest Software's support team is dedicated to ensuring successful product installation and use for all Quest Software solutions. SupportLink: www.quest.com/support. Email: firstname.lastname@example.org. You can use SupportLink to do the following:
- Create, update, or view support requests
- Search the knowledge base
- Access FAQs
- Download patches

INTRODUCTION
Since the release of Windows 2000, there has been significant adoption of AD in organizations. According to Microsoft and other industry reports, AD is in use at 75 percent of all companies in North America and Europe, and is gaining a strong foothold outside of these regions. This level of adoption is unprecedented.
Gartner Group [1], an industry analyst firm, has made the following predictions with respect to AD:
- By 2010, at least 90 percent of mid-size and large enterprises will have deployed AD
- By 2010, at least 40 percent of mid-size and large enterprises will use third-party tools to extend the value of AD

It is fairly easy to see that AD, today and in the future, will be a significant, if not strategic, component of most IT infrastructures. Additionally, most end users will be logging into an AD-enabled network, which means the majority of their interactions will be centered on AD (i.e., authentication, password reset and accessing required information about co-workers). With this in mind, there are a number of ways a company can simplify its identity management infrastructure and execution in an AD-centric organization.

[1] Gartner, Ten Recommendations for Microsoft Active Directory in 2006, December 22, 2005, ID Number G00136521.

DEFINING IDENTITY MANAGEMENT
As a first step towards simplifying identity management, let's try to define it. Unfortunately, if you asked five people to define identity management, you would probably get at least five different answers. Over the last few years, the term identity management has become overloaded and overused. Let's take two leading companies' definitions:
- Novell defines identity management as something that allows you to integrate, manage and control your distributed identity information, so you can securely deliver the right resources to the right people anytime, anywhere.
- Microsoft defines identity management as combining processes, technologies and policies to manage digital identities, and specify how they are used to access resources.

These definitions are different and can be interpreted in different ways, which raises the question of what specifically each company can actually deliver.
Most companies in the identity management market define identity management from the viewpoint of their customer: the enterprise. I would like to define it from the viewpoint of the other customer, the end user, as follows: The organization knows who I am and what my role is, and based on that information, automates my access to resources. This lets me get to what I need and do my job in a timely fashion. The identity management project leader might add: Plus, the organization is able to operate such a solution effectively, so that monitoring, audit and reporting are easily accomplished.

IDENTITY MANAGEMENT: THE END USER PERSPECTIVE
Let's examine the components of a solution that enables the end user's definition of identity management:

Authentication Services
This is all about verifying that you are who you say you are. This is the typical role for a directory service. You present your credentials (user ID and password, smart card, certificate, etc.) to the directory service, where they are checked. You are considered authenticated if they are deemed valid. In an AD domain that check is normally a Kerberos exchange with a domain controller.

Single Sign-On or Reduced Sign-On
The concept of single sign-on has been around for many years. Some consider it the Holy Grail of identity management: using one credential to authenticate to all the systems you need access to. Unfortunately, true single sign-on has never been delivered. However, reduced sign-on, the ability to use one credential to access multiple systems, is possible.

Access Management
Access management ensures that end users have access to the resources they need (i.e. a mailbox, files or directories, printers, etc.).

Password Management
The most vital component of password management is that it enables end users to help themselves. One of the highest help desk costs, in both time and money, is the cost associated with password resets. In addition, administrators spend inordinate amounts of time doing group and list management.
Unfortunately, no system can automate all aspects of the lifecycle of an end user's identity. There is also a strong requirement for easy-to-use interfaces that let end users help themselves with the various tasks: password resets, changing identity data (i.e. mobile phone number, home address), and creating, updating, joining or leaving distribution lists. All of these tasks are relatively costly, both from a help desk or administrator perspective and from an end user productivity perspective.

Provisioning
In the most general terms, provisioning is about ensuring that end users have access to the resources they need to do their job. It is as basic as creating, deleting or updating an end user's computer accounts. It usually also includes provisioning resources assigned to that user specifically (i.e. a mailbox, home directory, disk quota, etc.) or to their role (i.e. manager, purchasing officer, benefits clerk, etc.). Resources assigned to the user are typically more permanent or static, while role-based resources tend to be more transitory, changing as an end user moves from one role to another within an organization.

Federation
A relatively new concept, federation lets a company's employees use a partner's applications without holding an account on the partner's systems. The employee authenticates to the home organization with the same credentials used internally, and the home organization asserts that identity to the partner, which trusts the assertion instead of keeping its own copy of the credential.

Meta-directory
A system that integrates, joins or synchronizes identity information between a number of different identity repositories.

IDENTITY MANAGEMENT: THE ORGANIZATIONAL PERSPECTIVE
For security, regulatory compliance and audit reasons, an effective means to track and report on the transactions taking place within and through the identity infrastructure is an absolute requirement.
Additionally, in environments where AD is relied on both for end user authentication and as a strategic directory, it becomes critical to monitor it proactively. Where a company does not have a large number of dissimilar systems, or the dissimilar systems are all easily integrated through a standards-based approach, implementing an identity management solution can be simplified. Even where an organization has already implemented an identity management framework solution, there are ways to simplify and increase the reliability of that implementation. In the following section we examine these scenarios.

Audit Compliance and Reporting
Tracking who did what, where and when. This is all about logging and summarizing significant authentication and authorization events, and changes to objects and resources. It is a critical component of compliance requirements and security initiatives.

Monitoring
The availability of the underlying AD service and its components, such as replication, is very important. A company needs real-time diagnostic tools for troubleshooting and resolving AD replication, performance and availability problems, preferably before those problems become critical.

IDENTITY MANAGEMENT IN THE HETEROGENEOUS ENTERPRISE
If we categorize Windows enterprises from an AD perspective, we typically find three types of organizations:

1. Active Directory Only. This organization is 100 percent based on AD. The majority of its IT infrastructure is based on Windows. The organization has no other systems or directories, or at least none that it is interested in integrating.

2. Active Directory-Centric. This organization considers AD to be at the center of its IT infrastructure. If asked, the organization would consider AD to be strategic.
However, the organization may have a significant investment in other platforms (i.e. Unix or Linux) and non-Windows technologies.

3. Directory Agnostic. This organization considers AD to be just another directory within its infrastructure. It may have a large Windows environment, but that environment is just part of a larger heterogeneous environment the company has had for a long time (i.e., mainframes, mini-computers, Unix and Linux).

Each of these organization types has made a major investment in AD and relies on AD for key identity management capabilities within its Windows world. However, how far the organization can rely on AD, and how much of the opportunity to leverage AD for advanced identity management it can realize, depends on the prominence it has given the AD infrastructure. Let's examine each type of organization more closely.

Active Directory Only
For an organization that is entirely Windows, AD provides a robust foundation for identity management. In this situation, the core authentication, single sign-on and access management functions of identity management are performed by AD. Because AD implements the industry authentication and access standards (namely Kerberos and LDAP), an AD-only organization can enjoy compliant, secure and scalable authentication and access out of the box. Both implementations also carry Microsoft extensions, for example the authorization data in a Kerberos ticket that lists the user's group memberships, and the product matrix later in this paper depends on exactly those extensions. However, AD lacks some capabilities that many organizations emphasize in their identity management strategies. For example, automated provisioning, password management (including end user self-service), and advanced audit and reporting capabilities must be delivered by third-party tools that add these identity administration capabilities on top of AD's native capabilities. Quest Software has developed standards-based solutions that add these types of capabilities to an AD-only identity management implementation.
The value of these solutions is their use of critical AD-based data in precisely the way Microsoft designed AD. This enables a solution such as Quest's provisioning product, Quest ActiveRoles Server, to add the required value and functionality without requiring proprietary integration or additional infrastructure. A comprehensive identity management solution can be implemented by combining what AD already does well with powerful, natively integrated solutions for provisioning, password management, and audit and compliance. It's all there, and it's all based on existing infrastructure, skills and solutions. Thus, identity management is dramatically simplified compared to the traditional complexity of a framework or proprietary solution delivering the same set of capabilities.

Active Directory-Centric
For the large heterogeneous enterprise with a significant investment in AD, the complexity of identity management is multiplied. As discussed above, AD does a great job of several core identity management functions (authentication, single sign-on and access management). Those benefits are inherent in the AD-centric enterprise's management of its Windows resources. In addition, the benefits of adding provisioning, password management, and audit and reporting capabilities to the Windows world are just as valid for the AD-centric enterprise as for the AD-only organization. Windows is only part of the organization, though. The AD-centric organization also has a significant investment in non-Windows systems. A mix of Unix, Linux and Java systems often provides core business functions, and those mission-critical components demand identity management of their own. Unfortunately, each Unix, Linux or Java system requires its own identity store (typically local password files, NIS or a separate LDAP directory, playing the part AD plays for Windows), its own authentication mechanism, and its own process for provisioning, password management and audit.
And often those processes are manual and cannot offer the flexibility of the AD-based solutions available in a Windows-only world. As the number of systems and platforms increases, so does the complexity of identity management. Imagine the provisioning process in a large heterogeneous enterprise. As a simple example, take an organization with a large Windows network and five Unix systems of varying platforms. Users assigned to the Accounting group and the Manager role must access all six systems to do their job. When a new manager in the accounting group joins the company, IT must provision (or assign) access and authentication for all six systems. The provisioning task in Windows is relatively simple (and possibly automated through a solution such as Quest's ActiveRoles Server): as the new employee is entered into the HR system, the role and group automatically trigger assignment of all appropriate rights, identity and access in the Windows systems. However, no such automation exists for the Unix and Linux systems. IT must visit each Unix box and manually assign rights and access according to the authentication mechanism and directory service available on that system. The complexity is further exacerbated since each non-Windows system may require different identity information and password rules. The end result is one user, in one job, with six separate digital identities to gain access to six different systems. When the user forgets one of their passwords, they must call IT, because the Unix and Linux systems cannot take advantage of a Windows-based self-service password reset solution such as Quest Password Manager. IT must manually reset the Unix and Linux password, which takes them away from their core responsibilities. The same challenges face organizations seeking to audit heterogeneous systems for compliance and security.
The AD-centric enterprise already enjoys a number of benefits from its AD-based identity management solution for Windows resources. Imagine the additional benefit if Unix, Linux and Mac systems and applications could be included in the same strategy. If AD could be the authoritative authentication and access management source for Windows, Unix, Linux and Java, the six repetitive tasks in our scenario could be reduced to one, and that one task would be the same one already performed within AD for Windows resources. Quest provides the integration that allows such a capability. Through the Quest Vintela Authentication Services solution, Unix and Linux systems and applications can join the AD domain for a single source of authentication, access management and single sign-on (or reduced sign-on). For the result to be one identity per person, rather than an AD account sitting beside the old local accounts, the Unix identity attributes (UID, GID, home directory and login shell) must then be held in, or mapped from, AD; the Southern Company case later in this paper shows what it takes to reconcile them first. Similarly, the Quest Vintela Single Sign-on for Java solution provides true AD-based single sign-on and authentication for Java systems (including the federation scenario discussed previously). With these systems participating as full citizens in AD, the provisioning, password management and audit tools that were previously limited to Windows systems can extend their scope and benefit to Unix, Linux and Java as well. Simplifying identity management is extremely relevant and achievable for the AD-centric enterprise.

Directory Agnostic
Some organizations, by chance or by design, remain on the fence concerning the strategic importance of AD in their identity management strategy. Typically, these companies have adopted a large security framework (or meta-directory) to deliver comprehensive identity management capabilities. In such a case, the industry-leading authentication, access management and single sign-on capabilities of AD benefit only the Windows portion of the larger identity management initiative.
For the directory agnostic organization, there is still significant opportunity to simplify identity management, and major benefits can be realized. Possible scenarios run the gamut. At one end, adding advanced identity administration capabilities such as provisioning, password management and audit to AD can dramatically improve the identity management of Windows systems. At the other end of the spectrum, meta-directories require unique and complex integration with every affected system; these connections and their associated synchronization activities must be maintained, adding to the overall complexity of such an approach. Any solution that can reduce the number of moving parts can help make the directory agnostic identity management initiative more cost-effective, easier to manage, and more secure and compliant. All of the benefits that cross-platform integration with AD offers the AD-centric organization can also be realized by the directory agnostic company. A meta-directory can still provide great value as the identity management point for legacy systems and applications that cannot join the AD domain through Quest solutions. The following table maps the components of identity management discussed previously to the Quest products that address those needs for the three types of organizations: AD only, AD-centric and directory agnostic.
Quest Software Identity Management Component Product Matrix

Authentication
  Active Directory Only: Provided by AD
  Active Directory-Centric: Provided by AD
  Directory Agnostic: Provided by AD

Single Sign-On
  Active Directory Only: Provided by AD
  Active Directory-Centric: Vintela Authentication Services for reduced sign-on with Unix and Linux; Vintela Single Sign-on for Java
  Directory Agnostic: Vintela Authentication Services for reduced sign-on with Unix and Linux; Vintela Single Sign-on for Java

Self-Service
  All three types: Password Manager; Self-Service Manager; ActiveRoles Direct

Provisioning (roles and resources)
  All three types: ActiveRoles Server

User Federation
  All three types: Vintela Single Sign-on for Java

Audit and Reporting
  Active Directory Only: InTrust for Active Directory; Reporter
  Active Directory-Centric: InTrust for Active Directory; InTrust for Unix; Reporter
  Directory Agnostic: InTrust for Active Directory; InTrust for Unix; Reporter

Monitoring
  All three types: Spotlight on Active Directory

Recovery
  All three types: Recovery Manager for Active Directory

THE QUEST ADVANTAGE
As companies increase their reliance on AD and make it part of their strategic infrastructure, it is important to adopt best-of-breed products that not only assure the availability of AD but also let an organization leverage it. In other words, companies should seek out and adopt identity management products and solutions that do not treat AD as just another LDAP directory. Off-the-shelf identity management frameworks, or suites, do not provide the level of integration with AD that companies actually require. AD includes functionality above and beyond what other LDAP directories and the LDAP protocol itself offer.
In order to take advantage of these advanced functions, an organization's identity management strategy, and the products it adopts, must be specifically designed to make the most of AD. Examples of some of these functions, and why they are important, follow:

Group Policy
  What is its function? Enables IT administrators to automate one-to-many management of users and computers.
  Why is it important? Administrators can efficiently implement security settings, enforce IT policies and distribute software consistently across a given site, domain or range of organizational units.

Active Directory Object Re-animation
  What is its function? Deleted AD objects are retained in AD for a period of time, called the tombstone lifetime.
  Why is it important? If an AD user or object is deleted, accidentally or otherwise, it can be reinstated without losing the object's security identifier (SID) or objectGUID. Note that a tombstone keeps only a small set of attributes; most other attributes, and in particular the object's group memberships, are not kept on the tombstone and have to be restored from backup or re-populated after re-animation.

Kerberos Authentication Group Membership Extensions
  What is its function? Supports group membership information for the Microsoft Windows operating system: the authorization data (PAC) in a Kerberos ticket, and the LDAP constructed attribute tokenGroups on the user object, both carry the flattened list of the user's group SIDs, nested groups included.
  Why is it important? In one operation, a product can determine all of the AD groups a user is a member of. A product that does not use this extension must make many calls to AD, following memberOf from group to group, to determine the same information, which is far less efficient and more time consuming.

How well do the identity management products you are using, or considering using, integrate with AD? The examples above are only a subset of the many different ways a product can integrate with AD. While AD is an LDAP-based directory service, it is important that any identity management product or suite treats AD as more than just another LDAP directory. Let's take the object re-animation feature as an example.
If a person is accidentally deleted from AD and then re-created by a typical identity management product that is not AD-aware, the new account receives a new SID, so that person would no longer have access to any of the files or directories they had access to prior to the deletion. In addition, all group memberships would have to be re-created. This is certainly not the ideal state to recover a user to, nor does it simplify the life of the restored end user or the administrator. Re-animating the tombstone instead preserves the SID, so existing file and directory permissions keep working; group memberships still have to be restored, since the tombstone does not keep them.

Quest has been a leader in the AD management, administration and monitoring field for many years. Our products are tightly integrated with AD and the Windows Server platform to provide the best possible value to customers that have made AD an integral and strategic part of their IT infrastructure. Quest can help you simplify, enhance and protect your AD and identity management investments.

SIMPLIFYING IDENTITY MANAGEMENT: REAL COMPANIES, REAL SOLUTIONS
While identity management obviously means different things to different people, the underlying theme facing virtually every company is the need to enhance security, compliance and control while also improving operational efficiency and reducing costs. Identity management is one area where costs can spiral out of control while the benefits never seem to materialize. Quest's approach to simplifying identity management lets organizations leverage existing investments in order to maximize the benefit of identity management, whatever that means to them. Following are a few real-world examples of companies that have implemented all, or part, of this strategy.

Southern Company Gets to One
Southern Company is one of the largest energy producers in the United States. The company's enterprise includes more than 20,000 Windows desktops and 800 Windows servers, as well as 350 Unix servers.
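The group membership extension described in the table above is the difference between one directory read and a read for every nested group. The following is an added example, not code from this brief or from Quest's products: it runs both strategies against a constructed in-memory stand-in for AD (the DNs, SIDs, group names and the memberOf and tokenGroups tables are all invented for the example) and counts the round-trips each needs. Against real AD, the second strategy reads the tokenGroups attribute of the user object over LDAP, or takes the group SIDs from the PAC in the user's Kerberos ticket, and then resolves SIDs to names with one further search.

```python
"""Resolving a user's effective AD group membership two ways.

Added example, not code from the Quest brief or its products.  The directory
below is a constructed in-memory stand-in for AD: MEMBER_OF mimics the
memberOf back-link read from each object, TOKEN_GROUPS mimics the constructed
attribute tokenGroups (the same flattened SID list the Kerberos PAC carries),
and OBJECT_SID mimics objectSid.  DNs, SIDs and group names are invented.
"""
from dataclasses import dataclass

USERS = "OU=Users,DC=corp,DC=example"
GROUPS = "OU=Groups,DC=corp,DC=example"


def user_dn(login):
    return f"CN={login},{USERS}"


def group_dn(name):
    return f"CN={name},{GROUPS}"


# Direct memberships only, as a per-object read of memberOf would return them.
# Managers and Staff contain each other: a cycle AD permits and a walker must survive.
MEMBER_OF = {
    user_dn("alice"): [group_dn("Accounting"), group_dn("Managers")],
    user_dn("bob"): [group_dn("Staff")],
    group_dn("Accounting"): [group_dn("Finance")],
    group_dn("Finance"): [],
    group_dn("Managers"): [group_dn("Staff")],
    group_dn("Staff"): [group_dn("Managers")],
}

OBJECT_SID = {
    group_dn("Accounting"): "S-1-5-21-1-2-3-1101",
    group_dn("Finance"): "S-1-5-21-1-2-3-1102",
    group_dn("Managers"): "S-1-5-21-1-2-3-1103",
    group_dn("Staff"): "S-1-5-21-1-2-3-1104",
}

# What a single read of tokenGroups returns: the transitive closure as SIDs,
# computed by the domain controller instead of the client.
TOKEN_GROUPS = {
    user_dn("alice"): ["S-1-5-21-1-2-3-1101", "S-1-5-21-1-2-3-1102",
                       "S-1-5-21-1-2-3-1103", "S-1-5-21-1-2-3-1104"],
    user_dn("bob"): ["S-1-5-21-1-2-3-1103", "S-1-5-21-1-2-3-1104"],
}


@dataclass
class FakeLdap:
    """Stand-in directory connection that counts round-trips."""
    reads: int = 0

    def read_member_of(self, dn):
        self.reads += 1
        return list(MEMBER_OF.get(dn, []))

    def read_token_groups(self, dn):
        self.reads += 1
        return list(TOKEN_GROUPS.get(dn, []))


def groups_by_walk(ldap, dn):
    """Generic-LDAP approach: follow memberOf from group to group.
    One read per object visited; the visited set is what stops the
    Managers <-> Staff cycle from looping forever."""
    seen = set()
    pending = ldap.read_member_of(dn)
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        pending.extend(ldap.read_member_of(group))
    return seen


def groups_by_token_groups(ldap, dn):
    """AD-aware approach: one read of tokenGroups yields every group SID the
    user's token would carry.  SIDs are mapped back to DNs from the constructed
    table here; against real AD that is one further search on objectSid."""
    sid_to_dn = {sid: gdn for gdn, sid in OBJECT_SID.items()}
    return {sid_to_dn[sid] for sid in ldap.read_token_groups(dn)}


def compare(login):
    """Returns (groups_from_walk, walk_reads, groups_from_token, token_reads)."""
    dn = user_dn(login)
    walk, tok = FakeLdap(), FakeLdap()
    walked = groups_by_walk(walk, dn)
    flattened = groups_by_token_groups(tok, dn)
    return walked, walk.reads, flattened, tok.reads


if __name__ == "__main__":
    for login in ("alice", "bob"):
        walked, wr, flat, tr = compare(login)
        print(f"{login}: walk found {len(walked)} groups in {wr} reads; "
              f"tokenGroups found {len(flat)} groups in {tr} read")
```

Two things the walk shows that the flattened read hides: its cost grows with the depth of nesting (five reads for alice's four groups), and a walker that does not track visited DNs never terminates on the Managers/Staff cycle, which AD allows.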
Historically, Southern Company had a fundamental problem with the authentication and identity management of users on Unix resources. The company's Unix user IDs (UIDs) and group IDs (GIDs) did not match the UID and GID held in AD for its Windows systems. With no centralized process or technology to manage access and identity on Unix systems, basic management tasks resulted in inefficient use of personnel. For example, basic password management tasks were falling to Tier 3 support people rather than the help desk. Southern Company found that the same person could have several different IDs across the range of Unix systems, and these IDs were most likely different from their UID in AD. To muddy the waters further, there were a number of cases where the same ID number actually represented two different employees on two different systems.

The company identified three main areas of identity management that needed improvement. First, the fragmented infrastructure meant that password expirations simply were not being enforced. Second, password change and maintenance took place physically at each Unix box by Tier 3 support personnel, resulting in a long delay between an employee's termination and complete Unix de-provisioning. And third, the existing infrastructure provided no way to standardize UIDs and GIDs, resulting in redundant and conflicting identities across the range of Unix systems. Southern Company falls firmly into the AD-centric camp discussed above. The company realized that the savings achieved by centralizing its Windows environment around AD would be amplified if it could do the same for its Unix systems. But Unix systems are so diverse, and with no native integration between the environments, the goal seemed out of reach. Southern Company implemented Vintela Authentication Services.
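Before Unix hosts can share one identity held in AD, the data problems Southern Company describes (one person with several UIDs, one UID meaning two different people) have to be found and reconciled. The following is an added example, not code from this brief or from Vintela Authentication Services: it audits /etc/passwd excerpts collected from several hosts for exactly those two defects and proposes a single conflict-free UID per login to carry into the directory. The host names, accounts, the cutoff of 100 for system accounts and the 10000 reassignment range are all constructed assumptions.

```python
"""Audit of Unix account data across hosts before consolidating it into AD.

Added example, not code from the Quest brief or Vintela Authentication
Services.  The /etc/passwd excerpts below are constructed for the example;
in practice each host's file is collected and fed in.  The audit finds logins
whose UID differs between hosts, UIDs that name different people on
different hosts, and proposes one UID per login for the directory.
"""
from collections import defaultdict

# Constructed /etc/passwd excerpts, keyed by hostname.
PASSWD_BY_HOST = {
    "sol01": (
        "jsmith:x:1001:100:John Smith:/home/jsmith:/bin/ksh\n"
        "mjones:x:1002:100:Mary Jones:/home/mjones:/bin/ksh\n"
        "root:x:0:0:root:/:/sbin/sh\n"
    ),
    "hp02": (
        "jsmith:x:1105:100:John Smith:/home/jsmith:/bin/sh\n"
        "rlee:x:1001:200:Robert Lee:/home/rlee:/bin/sh\n"
        "# comment lines and malformed entries are skipped\n"
        "broken:x:notanumber\n"
    ),
    "sol03": (
        "mjones:x:1002:100:Mary Jones:/home/mjones:/bin/ksh\n"
    ),
}

MIN_UID = 100          # assumption: lower UIDs are system accounts, left local
NEW_UID_BASE = 10000   # assumption: range reserved for reassigned UIDs


def parse_passwd(text, min_uid=MIN_UID):
    """Yields (login, uid, gid) for each well-formed, non-system entry."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        uid, gid = int(fields[2]), int(fields[3])
        if uid < min_uid:
            continue
        yield fields[0], uid, gid


def audit(passwd_by_host):
    """Returns (inconsistent, collisions, proposed).

    inconsistent: {login: {host: uid}} for logins whose UID differs by host
    collisions:   {uid: {host: login}} for UIDs that name different people
    proposed:     {login: uid}, the existing UID when it is consistent and
                  claimed by nobody else, otherwise a fresh one from
                  NEW_UID_BASE upward that no host already uses
    """
    uids_by_login = defaultdict(dict)   # login -> {host: uid}
    logins_by_uid = defaultdict(dict)   # uid -> {host: login}
    for host, text in passwd_by_host.items():
        for login, uid, _gid in parse_passwd(text):
            uids_by_login[login][host] = uid
            logins_by_uid[uid][host] = login

    inconsistent = {l: h for l, h in uids_by_login.items() if len(set(h.values())) > 1}
    collisions = {u: h for u, h in logins_by_uid.items() if len(set(h.values())) > 1}

    proposed, next_uid = {}, NEW_UID_BASE
    for login in sorted(uids_by_login):
        existing = set(uids_by_login[login].values())
        if len(existing) == 1 and next(iter(existing)) not in collisions:
            proposed[login] = existing.pop()
            continue
        while next_uid in logins_by_uid:      # never reuse a UID seen anywhere
            next_uid += 1
        proposed[login] = next_uid
        next_uid += 1
    return inconsistent, collisions, proposed


if __name__ == "__main__":
    inc, col, prop = audit(PASSWD_BY_HOST)
    for login, hosts in inc.items():
        print(f"{login}: different UIDs across hosts {hosts}")
    for uid, hosts in col.items():
        print(f"UID {uid}: assigned to different people {hosts}")
    print("proposed UIDs for the directory:", prop)
```

The proposal is deliberately conservative: a login keeps its UID only when every host agrees on it and no other login anywhere uses it, because a UID carried into AD becomes the owner of every file on every joined host that bears that number.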
The solution allowed all of the company's Unix systems (the entire range of Solaris and HP-UX) to become full participants in its AD environment. The result is a single point of management for all user IDs, passwords, groups and group memberships, regardless of platform.

Among the tangible benefits Southern Company is realizing through its simplifying identity management project, the company lists the following as the most compelling:
- Internal customers now have only one ID and password to keep up with. They can have any Unix identity and password issue handled directly by the help desk.
- Through Vintela Authentication Services, the delegated administration features used in AD (to allow business-unit data owners to maintain the groups that protect their data) can now be extended to Unix systems.
- Employee status changes and de-provisioning are now automatically coordinated across all platforms.
- A centralized password policy is now in place for all resources and operating systems (Windows, Solaris and HP-UX).
- Vintela Authentication Services scales so that capabilities added to AD apply equally to Unix resources.

In the future, Southern Company may choose to simplify its identity management practice further by bringing advanced identity administration capabilities (provisioning, password management and audit) to its Windows systems and then extending those solutions to its Unix systems, which have already joined the AD domain through Vintela Authentication Services.

Siemens Automates Provisioning
With 22,000 users in its global AD domain, Siemens Power Generation needed a powerful AD management and user provisioning solution. The company selected Quest ActiveRoles Server for its functionality and openness. The solution had the specific functions that Siemens Power Generation was looking for.
The functions were already built into the user interface and did not require additional scripting, so the tool could be used right out of the box. In addition, it had the flexibility required to accommodate specific needs, given the various operational differences that exist globally.

ActiveRoles Server combines identity management with a powerful role-based administrative system that securely separates the administration framework from the AD design. Templates simplify the process of managing delegated permissions and ensure consistency across the organization. A secure architecture offers advanced reporting to enable change tracking and security auditing. ActiveRoles Server's identity management capabilities automate administrative processes and apply business rules to directory changes. This reduces administrative time, enhances security and ensures data consistency.

Additional benefits of the system include:

• Permission Management: ActiveRoles Server has significantly simplified managing permissions across Siemens Power Generation's multiple IT operations, while providing an open administrative framework that can be extended across the Siemens organization when centralized user management is implemented.
• Policy Enforcement: ActiveRoles Server automatically applies naming conventions. Possible conflicts are identified before changes are applied to AD.
• Change Tracking: Siemens Power Generation can now track changes to AD and easily determine who changed which attributes of a directory object. This is very helpful in troubleshooting.
• Security: Fewer people have direct administrative access to AD, enhancing security. Security is also enhanced through change auditing, which improves permission management.

As the company's identity management approach matures, Siemens Power Generation may choose to extend the provisioning power of ActiveRoles Server to its Unix, Linux and Java systems.
This can be seamlessly accomplished by integrating those systems with AD through Quest's Vintela Authentication Services and Vintela Single Sign-on for Java products.

Simplifying Identity Management in Financial Services

One of the world's largest and most well-respected financial services companies falls firmly in the AD-centric category. With a very large Windows network based on AD, and thousands of Unix and Linux systems spread throughout the world, identity management at this company suffered from all of the challenges discussed throughout this paper. In separate tracks, the company pursued a provisioning automation project for its Windows systems (ActiveRoles Server was the chosen solution) and a cross-platform identity integration initiative (through Vintela Authentication Services). Both projects returned significant ROI, which prompted the company to extend its AD-based provisioning solution to its Unix and Linux systems. A natural byproduct of the standards-based approach to identity used in all Quest products was seamless integration of the two solutions. This integration resulted in a simplified approach to identity management. Needless to say, ROI for the combined solution far exceeded that of each solution individually.

Password Consolidation at a Large Financial Institution

One of the United States' largest banks, and one of the 10 largest AD installations in the world, found that the task of password management for a very diverse and widespread enterprise was costing one million dollars a month. The typical user at this bank had 18 separate identities, and consequently 18 separate usernames and passwords. In an effort to overcome this obviously inefficient and possibly non-compliant practice, the bank spent several million dollars on various password synchronization solutions.
Unfortunately, these solutions did not address the underlying problem (too many UIDs and passwords), and the monthly password management expense did not decrease. The bank adopted Vintela Authentication Services and was immediately able to consolidate identities, from 18 down to two, by bringing all Unix and Linux systems into AD. With a gradual roll-out of the solution, the bank was able to realize an immediate 35 percent decrease in password resets alone. In fact, the ROI increases as the rollout continues. Currently, Vintela Authentication Services and AD are responsible for more than two million Internet-based customer authentications a day.

Imagine the increased benefit if the company were to implement a self-service password management solution, such as Quest's Password Manager. Undoubtedly, the help desk burden would decrease even more if users could reset their own passwords. And this capability could be extended across platforms through the already-implemented Vintela Authentication Services solution.

SUMMARY

Compliance initiatives, security concerns and operational efficiency all demand effective management of user identity and access. Identity management means distinctly different things to end users and to IT. However, the underlying concepts of authentication, access management, single (reduced) sign-on, federation, provisioning, role management, password management and audit cover the needs of both camps. For most organizations, IT complexity (namely the high number of identities that must be managed on a large collection of heterogeneous systems) has resulted in an inefficient, costly and cumbersome identity management approach. Fortunately, most organizations have already implemented the core of effective identity management (Microsoft AD) for their Windows systems. But nothing similar exists for Unix, Linux and Java systems and applications.
So organizations continue to add complexity, expense and possible non-compliance. Quest offers solutions that allow organizations to simplify identity management. Quest's Vintela Authentication Services and Vintela Single Sign-on for Java extend the authentication, access and single sign-on capabilities of AD to Unix, Linux and Java systems and applications. Simply allowing those systems to join the AD domain, and participate as full citizens in the secure and compliant AD infrastructure, can dramatically streamline cross-platform identity management.

In addition, Quest offers solutions that add advanced identity administration capabilities to an existing AD implementation. For example, Quest allows organizations to enhance AD with the following: provisioning and role management (through ActiveRoles Server); password management and user self-service (through Quest Password Reset Manager); and audit and reporting (through Quest InTrust for Active Directory and Quest Reporter). These advanced capabilities can then be seamlessly extended to Unix, Linux and Java systems through Vintela Authentication Services and Vintela Single Sign-on for Java.

Thousands of companies have adopted Quest solutions for simplifying identity management. Each has experienced increased operational efficiency, enhanced security and a path to regulatory compliance. You could be the next.

RESOURCES

Microsoft's Active Directory Web site: http://www.microsoft.com/AD
Quest Solutions for Windows Management: http://www.quest.com/windows_management/