Tools4ever Identity and Access Management. A step-by-step transition from requirement to realization

Transcription

1 Tools4ever Identity and Access Management A step-by-step transition from requirement to realization

2 Contents CONTENTS... 2 MANAGEMENT SUMMARY PREFACE A DEFINITION OF IDENTITY MANAGEMENT TOOLS4EVER IAM GENERAL ORGANIZATION HR SYSTEM, DATA WAREHOUSE OR CORE REGISTRATION PROVISIONING WORKFLOW & SELF-SERVICE ACCESS GOVERNANCE Role analysis: collect, correlate and analyze Role design Active role management AUTHENTICATION ACCESS MONITORING WHAT ARE THE DISTINGUISHING FEATURES OF TOOLS4EVER IAM? A PHASED IMPLEMENTATION METHOD A BROAD RANGE OF CONNECTORS AN END-TO-END PORTFOLIO SCALABILITY CONCLUSION

3 Management Summary Identity & Access Management (IAM) is increasingly being deployed in organizations. This stems from the recognition that a forward-looking approach to Identity & Access Management is crucial to achieve cost savings and foster innovation. From a technical perspective, the main drivers for applying IAM are increasingly complex IT infrastructures that comprise cloud applications, the need to cater for users who access the company network using their personal devices (BYOD) and virtualized environments. The strict laws and regulations (FISMA, HIPAA, SOX, FERPA) also form important drivers. Tools4ever defines IAM as technology for managing user identities and their access privileges for various systems and platforms. Its IAM features all the components that, according to Gartner (Magic Quadrant for User Administration & Provisioning and Magic Quadrant for Identity and Access Governance), should form part of an IAM solution. Tools4ever distinguishes the following main components of IAM: Authentication Management (identity verification), Authorization Management (management of access privileges), Administration (user account management automation) and Monitoring & Auditing (reporting on network actions for auditing purposes). Organizations that implement an IAM solution go through various stages of maturity with regard to the professionalization of Identity Management. To ensure a manageable IAM implementation, Tools4ever recommends rolling out the IAM solution step-by-step. This also means that the investment will be evenly spread across a longer period, and that the organization can quietly get accustomed to the new processes with each step. A number of IAM processes can be distinguished that coincide with the steps Tools4ever uses for the implementation of its IAM solution. These processes/steps comprise (in random order): u Provisioning/user management: All users and their access privileges and relations are centrally stored in what is called a core registration. Based on the (modified) data in the core registration, user authorizations are automatically assigned or revoked. This prevents former employees having unauthorized access to the company network. u Workflow Management & Self-service: This component allows employees to easily request changes and implement them in the IAM system using a web interface. Upon approval by a manager or other authorized personnel (e.g. a license manager), requests are automatically followed up and implemented in the IT infrastructure. This results in a more efficient user management process, while all actions are centrally logged and reported. u Access Governance: This component ensures that employees can only access the applications and components they need for their work. Audits can be easily met because users are always directly and easily assigned the correct authorizations. u Authentication: Tools4ever offers various solutions that help organizations solve several authentication issues. They cover recent authentication methods (two-factor authentication and portal SSO), as well as traditional methods (such as user name/ password combinations) and include Single Sign On, self-service password resets, password complexity and password synchronization. 3

4 u Access Monitoring: This component of Tools4ever IAM makes it possible to verify and control the actions that employees actually perform across the network. Among other things, it allows you to check who has moved, deleted or accessed a particular file at a certain point in time or which employees have access to a particular network share. Tools4ever offers the quickest and easiest solution for access control and security management. An advanced IAM solution can help companies control identities and access privileges in their complex IT networks and meet the strict laws and regulations. Tools4ever distinguishes itself through its phased implementation method: a stepby-step roll-out and user adoption across the organization. The solution can be implemented with a relatively small effort and in just days and/or weeks. However, each step of the integration of the solution in the organization usually takes approximately 3 to 6 months. Tools4ever develops all of its software in-house rather than acquiring it through mergers and acquisitions and integrating it later. The IAM solution by Tools4ever is not only suitable for enterprises with millions of user identities, but also for a small and medium-sized business with 300 employees or more. Many organizations have come to rely on Tools4ever s IAM solutions. 4

5 1. PREFACE Not so long ago, the IT department decided how employees operated in a strongly (DMZ) shielded network in which just a few different types of devices were used (laptops, PCs and thin-clients). Nowadays, however, end users increasingly demand more flexibility. They want to have access to systems, applications and business information from any location and any device (BYOD). As a result of a more flexible and dynamic workforce (freelancers, temping agents, temporary employees, third-party consultants) and supply chain integration, an increasing number of users need to have access to the company network including people who are not on the payroll. Recent developments such as cloud computing, BYOD, virtualization and federation has resulted in the IT infrastructure become increasingly complex, while laws and regulations concerning information security are becoming stricter by the day. The government places increasingly high demands, and a growing number of organizations are confronted with annual audits. All of this has quickly rendered the management of business information highly complex, and it is impossible to control this complexity with a manual process. Identity & Access Management (IAM) makes it possible to maintain compliance with the stricter laws and regulations in an increasingly complex IT environment. Selecting the right IAM solution will help you to stay abreast of the latest developments in the field of cloud computing, virtualization and BYOD at an acceptable investment, without sacrificing the organization s capacity to take action. 5

6 1.1 DEFINITION OF IDENTITY MANAGEMENT This white paper centers on the topic of Identity and Access Management (IAM). Tools4ever defines IAM as technology for managing user identities and their access privileges for various systems and platforms. Its product suite supports both User Administration and Provisioning (UAP), and Identity & Access Governance (IAG). This white paper covers Tools4ever s entire IAM product portfolio. Tools4ever distinguishes the following main IAM components: u Authentication Management: This component is used to verify whether a user s identity matches the person he or she claims to be. The most classic form of authentication is the use of a combination of user name and password. Authentication management covers all sorts of solutions that simplify or replace the use of user name and password combinations. Examples include two-factor authentication mechanisms, such as hardware tokens, smartcards or mobile phones. u Authorization Management: The primary aim of authorization management is to guarantee that users can only access applications and network resources that are strictly necessary for their work within the organization. Authorization management comprises techniques and processes that ensure access privileges are and remain correct. Areas of interest include defining and managing the access matrix, having deviations approved and verified by the responsible managers, audit support etc. u Administration: This component includes identity management tasks such as creating, modifying and deleting user accounts for systems and applications. Administration tools automate existing manual processes. A highly common approach is to link this with the HR system and Workflow Management. In this framework, management is often referred to as (auto) provisioning. It comprises the end-to-end automation of the account management process. u Monitoring & Auditing: This component is used to monitor what is taking place in the IT infrastructure. All user actions are stored and can be correlated to the access privileges that have been assigned using the Administration and Authorization Management component. The relevant data is collected, correlated, analyzed and reported for audit purposes. The findings can also be used to refine IAM rules and to control processes. 6

7 2. TOOLS4EVER IAM Tools4ever s IAM solution comprises multiple components. The relation between these components is shown in the diagram below. Organization HR data warehouse WFM / Self Service Access Governance Authentication Management Tools4ever IAM Provisioning Access Monitoring IT infrastructure 2.1 GENERAL The organization is leading as the information source for the IAM system. The organization determines which IT resources are required to support the business processes. Environments without an automated IAM system often need to use a chain of manual processes to ensure employees have the right access to resources. An IAM system can automate these manual processes. 7

8 2.2 ORGANIZATION An organization is dynamic; changes occur on a daily basis. The most common and relevant changes for the IAM system are related to the on boarding of new employees, job mobility (changes in role, department or location) and termination of employment. Less common, but still relevant changes are job matrix changes, reorganizations and changes with regard to compliance with laws and regulations (audits). Information on such changes can be supplied to the IAM system by a HR system or a workflow management/self-service interface. 2.3 HR SYSTEM, DATA WAREHOUSE OR CORE REGISTRATION An increasing number of organizations choose to use their HR system as the core registration for managing network identities and the assignment of facilities. In other words, if an employee is not included in the HR system, he or she will not be assigned any facilities (access card, desk, PC, etc.). Companies opt for the use of a central database that contains data for all employees active in the organization. If this type of data is available in multiple systems rather than a single HR system, a composite source system is created. This is often referred to as a data warehouse or core registration system. Another interesting development in the field of IAM solutions is that vendors of HR systems are adding an increasing number of self-service components. This allows managers to view data and implement changes themselves. Employees can consult information faster and more directly, including salary details, leave days, job descriptions and department info. This ensures that the data in the HR system is more complete, updated with greater speed, less polluted and of a higher quality. A third interesting trend in the area of IAM systems is that many organizations are reorganizing their job matrix (the number of job profiles). As a result of the more central role of the HR system, it is important to ensure harmonization of the job matrix. This means there should not be nearly as many job titles as there are employees, but rather a small set of job definitions and the matching cost center structure/company hierarchy. The primary interface between the HR system and IAM system is the (auto) provisioning component of Tools4ever s IAM solution. 2.4 PROVISIONING Tools4ever IAM s provisioning engine handles the exchange of identities among source and target systems. In this context, information is exchanged between the HR system and systems across the network or in the cloud. For this purpose, the engine closely communicates with the IAM components Workflow (for selections and data enrichment), Access Governance and Access Monitoring. The provision engine is made up of various different components to ensure a quick, flexible and reliable management of millions of identities. These components are the Identity Vault, Synchronization Mechanism and Connectors. 8

9 The Identity Vault comprises the central storage facility for the identities from all the connected systems. It contains identities, access privileges, relations and ID references to source and target systems. The Identity Vault is object-oriented, scalable and capable of managing millions of objects. Its powerful scheme management capabilities make it possible to easily cater for any wish or requirement concerning the exchange of attributes among systems. The Synchronization Mechanism handles the information exchange between the Identity Vault and the source and target systems. It also detects changes in the source and target systems and implements these in the Identity Vault. Any changes in the Vault are implemented in the source and target systems. All these processes take place via connectors. The Synchronization Mechanism is controlled by a rules database, which supports a host of functions: mapping rules, duplicate checking, transformation rules and looping detection rules. The Connectors handle the bidirectional translation of data in the Identity Vault and data in the source and target systems. Tools4ever has developed over 200 connectors and is capable of developing new connectors at lightning speed. The connectors form part of Tools4ever s support program. If the source systems or target systems are changed, Tools4ever will modify its connectors accordingly. Tools4ever offers default connectors for HR systems (Beaufort, AFAS, SAP HCM, PIMS, PeopleSoft), cloud applications (Google Apps, Office365, Salesforce), on-premises applications (SAP, Caress, Unit4Cura, TOPdesk), virtualized applications, (Exchange, Lotus Notes, Groupwise), databases, operating systems (OS400, Windows, Novell) and directories (Active Directory, edirectory, LDAP). 2.5 WORKFLOW AND SELF-SERVICE The Workflow & Self-service component offers employees an easy way to request changes and implement them in the IAM system via a web interface. Workflow & Self-service is used for information that cannot be automatically supplied from the HR system. The primary trigger for the frequent changes is the end user (the employee). For example, if an employee begins employment, many things need to be arranged to ensure the right access to resources such as (cloud) applications, systems, data and . The employee s manager plays an important role in this respect. The manager approves requests and requests facilities for his or her team. Depending on the type of request, other stakeholders, such as the license manager, security manager, facility and IT agents may be involved in the approval process. Upon approval, requests are processed into the IT infrastructure in an automated way through the Auto-provisioning component. The workflow component offers important advantages. Without it, it would be difficult to adequately keep track of who approved access privileges for a particular employee, and when (audit trail), among others. Using a workflow management system, it will always be clear who has approved what, and when. Tools4ever s Workflow & Self-service component features a 100% customizable Apple-like interface with a low threshold. The forms can be seamlessly integrated with existing self-service and/or extranet portals and are highly user-friendly. The forms offer an advanced delegation mechanism on the basis of forms and content. It is possible to make a form exclusively available to a select group of employees and further specify the choices that must be made (content) in a form, in accordance with the end user s role. To ensure a proper operation of the workflow system, it has been equipped with a range of practical features. For instance, managers can delegate common tasks to an assistant. When a task remains outstanding for too long, it will automatically be escalated. The same type of approvals can be handled in one go. Workflow routes can be easily modified. In case of bottlenecks, the workflow manager can distribute tickets among users in the workflow system. 9

10 The components of the self-service dashboard have the shape of a catalogue. It consists of items related to user accounts, but can also list facilities, such as phones, laptops, additional storage etc. The catalogue is dynamically built up out of underlying systems, like Active Directory, Exchange, the helpdesk system, the Facility Management system and the ERP system. If changes occur in the underlying system, the catalogue is automatically updated to reflect these changes. Workflow and Self-service components: Employee Dashboard with forms Access to applications and resources HR system - New employee - Termination of employment - Changes in role Approval routing Notification engine Initial request Reminders Escalations Managers WFM / Self Service Dashboard Approval form Confirmation Provisioning Network 10

11 2.6 ACCESS GOVERNANCE Access Governance is an important component of Tools4ever IAM. The aim of Identity & Access Governance (IAG) is to make sure that employees only have access to the network resources they need to perform their work. Over the past few years, IAG has taken on an increasing importance as a result of the tightening of laws and regulations (FISMA, HIPAA, SOX), the strong increase in the digitization of work processes and the increasing complexity of IT infrastructures. Traditionally, Access Governance primarily formed the domain of financial organizations and large multinational companies. Today, it has increasingly become a concern for healthcare organizations, mid-sized businesses (1,500-5,000 employees) and other commercial organizations. The Board of Directors, the management and security managers want and need to have control over who has access to what. A main issue is that manually mapping out the rights structure for the organization involves a highly complex, timeconsuming and exhaustive process. In many cases, ongoing control of this rights structure is unfeasible. Many organizations find themselves in an initial stage of Access Governance and lack the required approach and software. Rights are assigned on the basis of copy users ( Suzie will be performing the same activities as Marianne ), template users (available on an organizational or department level), spreadsheets and small proprietary applications. Tools4ever s IAM suite offers Access Governance in the shape of a phased approach and various software modules. From the outset, Access Governance offers organizations a professional platform that allows them to manage rights in a controlled way. 11

12 The diagram below provides a schematic overview of the approach and modules of Tools4ever Access Governance Role analysis Collect, analyze, correlate Role design Active role management Network 12

13 2.6.1 ROLE ANALYSIS: COLLECT, CORRELATE AND ANALYZE The starting point of Access Governance is to map out the current status of rights structures and the information that is available on them. The current status can be determined through: u Templates, existing processes: The creation of an inventory of the manual processes used by IT and application managers to issue and manage access privileges. This may involve copy users, template users, manual procedures and/or customized systems with an underlying SQL database. u Inventory Information that is known to managers can often be utilized. Sometimes a (partial) discovery is performed in which the access privileges are determined for each department/job title/role. This results in a security matrix. In many cases, the compilation of this matrix will have been a labor-intensive and time-consuming process, but the information will often still be incomplete or outdated. u Role mining: Retrieving and federating information from the HR system (that is leading for the job matrix and organizational roles of employees) as well as the access rights that have been issued for the involved systems (ERP, Active Directory, Exchange, Sharepoint and data storage/shares). This last method is frequently referred to as bottom-up role design or role mining. The roles are derived from the current set-up of the IT infrastructure. Through its Access Governance component, Tools4ever supports various techniques for collecting and recording information on access privileges. Tools4ever offers a uniform storage method that makes it possible for users to correlate identities and the matching access privileges. For many organizations, this would normally present a bottleneck, as this type of information is stored in multiple systems under different IDs and in diverse formats. Harmonization and analysis require a single unique ID per identity. After the data is harmonized, it will be possible to present the cleaned-up access rights to the various department managers and to have the rights reviewed (attestation). It is not uncommon that 25% of the access privilege data has been polluted. Tools4ever also offers simulation software that makes it possible to measure which access privileges are actually used across various systems (Data storage/ntfs and Active Directory) during a particular period ROLE DESIGN During this step, the information on access privileges previously compiled is converted into a role model and accommodated in a role catalogue. The translation of system privileges into company roles makes it a lot easier for the responsible managers to evaluate access privileges and assign them to employees. This is an important step which forms the basis for the Access Governance model. After defining the basic role model, it should also be determined which specific compliance and auditing rules apply (policy model). When roles are assigned to employees, these rules should not be violated, or in any case not without providing suitable motivation. Examples include Separation of Duties (SoD), financial transactions above 50K that must be approved by a minimum of two employees and disallowing remote access to financial information. Finally, it should be indicated which resources contain sensitive information and what the risk factor is. During the assignment of roles and the evaluation of assigned roles this will make it easier for managers to decide which employees have access to sensitive information (risk model). 13

14 2.6.3 ACTIVE ROLE MANAGEMENT During this step, the compiled and cleaned-up role model is taken into production in Tools4ever IAM and actively applied to employees who enter service or are promoted. The roles and underlying system roles are applied to applications and the IT infrastructure with the help of Tools4ever s provisioning module. The input for the changes is received via the following channels: u The HR system: When the labor contract for a new employee is entered, it will be clear which role or function he or she will fulfill. Promotions and changes in department or location are also implemented in the HR system and detected. The correct access privileges are assigned using the role model. If a change occurs, the access privileges will remain valid for a predefined period and subsequently automatically removed. This prevents the accumulation of excess rights. u Workflow Management and Self-service (WFM/SS): Usually the default access privileges obtained through the HR system are sufficient for employees to commence work for an initial period. However, it may so happen that employees are assigned additional tasks by their manager, so that they require additional network resources (access to applications and data/network shares). Using Workflow Management & Self-service, managers can request additional access privileges themselves (within the scope of their responsibility). It is also possible to have employees request additional privileges by means of self-service options for their managers to approve. This model is also referred to as Claim Based Access Control (CBAC). u Attestation and Reconciliation: The daily operational input is supplied through the HR system and WFM/SS, as described under 1 and 2. To verify whether the model is still valid and matches the actual network situation, Access Governance provides support for Attestation and Reconciliation. Attestation is used to periodically present managers with an overview of access privileges for all employees who fall under their responsibility. Via a web interface, they can easily verify and approve access rights and/or implemented changes. The changes that have been implemented by the manager are presented to the owner of the role model and may or may not result in a modification of the roles. Reconciliation is used to verify whether the applied network privileges match the information in the role model in IAM s Identify Vault. If there are deviations, this will mean someone has directly implemented network changes by circumventing the Tools4ever IAM system. Tools4ever IAM makes it possible to detect these types of changes and present them to the responsible owner. The latter will be offered a choice of three options: making the change permanent for one or more users (including a modification of the relevant role), allowing the change for a particular period or rolling back the change in the target system. All actions and modifications in Tools4ever IAM are stored in a central location. A reporting system is available so users can generate any report they require. For compliance and auditing purposes, it is important, among other things, to be able to report who has access to what and who has provided approval for this. For this type of report, the system retrieves information from the IDM Vault (who has access to what?), various infrastructure components (is the actual access in accordance with the Identify Vault?), and the workflow management system (who provided access privileges, and when?). Since the role model and the IDM Vault record every change as a new version, it is also possible to report on historic privileges and decisions. 14

15 2.7 AUTHENTICATION To gain access to the various components of a hybrid IT infrastructure (cloud, applications, datacenter, Active Directory), employees are required to identify themselves. In this framework, it is important to verify whether employees are who they claim to be. The authentication process checks whether the proof of identify that the user provided matches the available data. Up to this day, the most common authentication method remains the use of a combination of user name and password. An emerging trend is to use alternative methods that require users to provide an additional physical proof of identity in the shape of a smartcard, mobile phone, token or NFC. Authentication by way of a physical proof of identity in combination with a PIN code is referred to as two-factor authentication: employees have to divulge something they know (a PIN code), as well as present a physical item. Another trend is the possibility of authentication from random locations. Traditionally, authentication was managed from within the organization through a managed PC, user name, password and Active Directory. Nowadays, employees increasingly need to access the organization s IT infrastructure from any location (the office, home, hotels and airports), with any type of device (a laptop, tablet or smartphone). Another new development is that organizations offer their staff a centralized portal that gives them access to all web-based applications. Employees must authenticate themselves once to gain access to the portal, e.g. by having their credentials matched against Active Directory or an LDAP store. Subsequently, they no longer have to verify their identity each time they launch an application or service. This is also referred to as portal SSO. The authentication management solutions that form part of Tools4ever s IAM suite help organizations tackle all the various authentication issues. Tools4ever also firmly addresses emerging trends such as two-factor authentication and portal SSO. Conversely, Tools4ever also supports the classic form of authentication, namely combinations of user names and passwords. For this classical type of authentication, Tools4ever offers password management solutions such as: u Self-service password reset: This solution allows users to reset their passwords directly from the Windows login screen and without the intervention of the helpdesk. Users can identify themselves by answering a number of personal questions (e.g. What is your mother s maiden name ), to which they have previously recorded the answer. u Single Sign On (SSO): With this solution, users only have to authenticate themselves once by entering a user name and password. After a one-off login procedure, users will no longer have to repeatedly log in to all sorts of applications and systems. Tools4ever s SSO software provides support for all popular two-factor devices (smartcards, biometrics, tokens, grids etc.), cloud applications, Web and portal SSO, SAML, OpenId, ADFS and so on. In the healthcare sector, quick and easy access to systems is a first requirement. Care providers have to visit different locations (e.g. for patient visits) and log in to different systems dozens of times. Many care organizations invest in a virtualized thin-client infrastructure based, e.g. on Citrix XenApp XenDesktop. Tools4ever ensures that the last link in this process logging in using a user name and password is strongly simplified and replaced by logins using a smartcard. 15

16 u Password synchronization Tools4ever software solution makes it possible to synchronize passwords across various systems and applications. It offers native integration with Active Directory. If a password is modified, the changed password will be propagated in all the linked systems (synchronized). The advantage for end users is that they can gain access to different systems with the same password. u Password complexity This solution offers various options: A) With regard to password synchronization, it is important that the same password complexity is used across the various systems. This solution ensures that the Active Directory only accepts passwords which are also accepted by other systems. B) The introduction of complex passwords in Windows is associated with a low level of user convenience. Users do not have clear insight into the complexity rules that apply and are presented with unclear error messages. The Complexity Manager makes the complexity rules visible and ticks them as soon as the new password meets a complexity rule. 2.8 ACCESS MONITORING Many IAM systems focus on the administrative processes surrounding the management of user identities and access privileges across the network. What users actually do with the network privileges they have been assigned often remains unclear. Tools4ever IAM s Access Monitoring component offers organizations a solution for verifying and controlling what employees actually do. If an employee accesses a part of the network through a different, (non-authorized) channel other than the IAM system, this is immediately detected so (automated) action can be taken. Tools4ever offers numerous plug-ins for monitoring various subsystems on an event basis. Currently plug-ins are available for NTFS (the Windows file system) and Active Directory. The roadmap includes plug-ins for SQL server, Oracle and various ERP applications. The plug-ins provide a host of detailed information on actions that are performed in the subsystem. Examples of eventbased information include: who has accessed, moved or deleted which file at what time? Which shares have been accessed by a particular group of users? Besides event-based information, the plug-in indicates the current status: which employees have access to a particular share, which shares are accessible to a particular user and are there any redundant access privileges present in the file system? The information that the plug-ins collect can be directly linked to the data in the IAM system. If risky deviations are identified, the system can automatically intervene by sending a notification to a manager or revoking access privileges. Another scenario is to record the actually used access privileges for a period of 3 months. This information can then be used to design an authorization matrix or test a new design before it is implemented. Needless to say, the Access Monitoring component features a comprehensive set of audit reporting capabilities. 16

17 3. WHAT ARE THE DISTINGUISHING FEATURES OF TOOLS4EVER IAM? The IAM market is becoming more mature by the day, and all the market players are in agreement as to the features that Enterprise Identity & Access Management solutions should offer. Many vendors offer solutions that seem perfectly suitable during the selection phase, but spring various surprises during the implementation phase. All too often, implementations result in major disappointment; it turns out the implementation takes much more effort and longer lead times, while the envisaged results are not achieved. Tools4ever offers a unique and innovative enterprise IAM solution that prevents such disappointment. Tools4ever IAM allows organizations to get a grip on identity management and pass audits effortlessly. A step-by-step overview of the distinguishing features of Tools4ever s IAM solution is given below. 3.1 A PHASED IMPLEMENTATION METHOD During the implementation of an IAM solution, organizations go through various stages of maturity with regard to the professionalization of Identity Management. In this framework, the focus is certainly not only on IT (provisioning), but rather on the business processes (Workflow Management, Access Governance and Self-service). It is recommended to roll out the IAM solution step-by-step to ensure a manageable IAM implementation. Every time an implementation step has been successfully rolled out and met with acceptance across the organization, the next step can commence. Complex IAM steps that organizations need to take include setting up an Access Governance matrix, naming and harmonizing identities in various different target systems, making policy decisions concerning the set-up of the core registration system for identity management and introducing and rolling out a self-service portal. In our experience, Tools4ever will be able to implement every step with relatively little effort (a question of days and/or weeks). However, the integration in the organization usually takes 3 to 6 months for each step. Tools4ever s implementation method seamlessly connects with the step-by-step process described above and has proven its worth over the years. 3.2 A BROAD RANGE OF CONNECTORS A common pitfall for IAM implementations is that no links with source and target systems are available. In such a case, a tailored link will be created by the IAM provider s implementation partner. The development of this link is time-consuming. It is not performed by a 100% expert party and the management, support and customization are often points of concern. Tools4ever is highly skilled in the development of IAM-related links; it has already realized hundreds. All links (connectors) form part of the IAM software and are immediately available. All future modifications of the connectors are covered by the support contract and automatically made available by Tools4ever. If a required link is unavailable, an intake procedure is performed, after which a connector is developed that will form a default component of the Tools4ever IAM solution. Besides the non-standard connectors, Tools4ever IAM can provide support for any imaginable interface method that may occur in IAM implementations. Standard interface methods are SOAP XML, OpenId, OAuth 2.0, SAML 2, WS-Trust 1.3 and 1.4, SPML, ODBC, native Oracle, Progress, SQL Server and CSV. 17

18 3.3 AN END-TO-END PORTFOLIO Tools4ever s enterprise-class IAM suite covers all the components that, according to Gartner (Magic Quadrant for User Administration & Provisioning and Magic Quadrant for Identity and Access Governance), should form part of an IAM solution. With Tools4ever, organizations do not have to evaluate and select various subcomponents of IAM, and neither do they have to worry about integration (im)possibilities. All the software has been developed by Tools4ever from scratch rather than acquired through mergers and acquisitions and integrated later. Over the last years, this has become a growing trend with IAM vendors, so that integration and overlap/gaps in functionality become major concerns. 3.4 SCALABILITY The Tools4ever IAM solution is suitable for very large organizations that need to manage millions of identities as well as for small and medium-sized businesses with 300 employees or more. The IAM suite contains various components that provide convenient support for small to large organizations. An example is the method used for synchronization between a source and target system. Many IAM solutions require the implementation of an Identity Vault. For small organizations, this creates unnecessary overhead; in their case a one-on-one direct synchronization process (without ID Vault) between a source and target system is a much more practical solution. 18

19 CONCLUSION Tools4ever boasts more than 10 years of experience in the fast growing Identity & Access Management market and an impressive track record. Its IAM product portfolio is more than complete and covers all the areas that Gartner touches on in its reports on this topic. Tools4ever sets itself apart from competitors like NetIQ/Novell, Oracle, Microsoft and SailPoint, through its flexibility, proactive attitude and its strong innovative power. Tools4ever has offices across the globe. This allows it to provide customers with outstanding local support and optimally cater for specific local laws and regulations. Over the years, Tools4ever has perfected its professional service provision. Its state-of-the-art software solutions, phased implementation method and highly experienced implementation consultants allow Tools4ever to deliver successful turnkey IAM implementations in just a few weeks rather than months or years, as is common in the IAM market. What s more, Tools4ever applies a sharp price policy. The combination of a proven track record, a successful implementation approach and highly competitive prices makes Tools4ever a supplier that is certainly worth including in any evaluation of IAM solutions. 19

20 Eastern U.S. 300 Merrick Road, Suite 310 Lynbrook, New York T F Information nainfo@tools4ever.com Sales nasales@tools4ever.com Support support@tools4ever.com Western & Central U.S. PO Box 8200 Bonney Lake, Washington T F Information nwsales@tools4ever.com Sales nwsales@tools4ever.com Support support@tools4ever.com