Identity & Access Management

Transcription

1 Written by Alan Rodger, June 2004 TA000562IAM Technology Infrastructure Butler Group Subscription Services Identity & Access Management TECHNOLOGY AUDIT Open Systems Management (OSM) COSuser v2.3 Abstract COSuser provides user management and provisioning for users of UNIX-, Linux-, and Microsoft Windows-based infrastructures. It extends its centralised management of the organisational user population s structure, and access rights, to Microsoft Windows Server-based assets via its own agent technology and strong integration with Microsoft Identity Integration Server 2003 (MIIS), and allows assets from other types of environment to be managed, either via additional standard software or minor customisation. Butler Group sees identity and access management as a critical element of organisational capability that can bring wide-ranging benefits and protection against threats: providing powerful management facilities of this type to UNIX and Linux environments, in which these requirements are often poorly served, COSuser is a valuable tool for organisations with infrastructures that include these platforms, especially if integration with Microsoft Server-based assets is also a benefit. The assessment that is available from OSM for potential customers, as part of its Rapid User Management Analysis, provides an opportunity for evaluation of COSuser s benefits. KEY FINDINGS Provides powerful user management for UNIX and Linux environments. Customisation can also allow assets in other types of environment to be managed. Extends value to Microsoft Server-based infrastructure via MIIS. Key: Product Strength Product Weakness Point of Information LOOK AHEAD OSM intends to include TKB Wizard with COSuser as a usable tool for its customers, so that their own environments and assets can be managed by COSuser.

2 FUNCTIONALITY Product Analysis Product Operation COSuser is a user provisioning solution for mid- to large-sized users of distributed systems with UNIX or Linux infrastructures. The product extends its value by integrating with Microsoft s identity management infrastructure via MIIS, thereby enabling the unified management of identity and access across UNIX-, Linux-, and Windows-based applications and systems. It will also provision user information on Windows systems without MIIS being present. It provides organisations with centralised user administration, password synchronisation, password policy control, and browser-based workflow, as well as significantly enhancing the management of user accounts that is normally available on UNIX and Linux systems. User administration is role-based, implementing the individual s organisational responsibilities as access rights to applications, databases, directories, and operating systems. The organisational structure can be flexibly represented by hierarchical role definitions. Changes to the user s access to disparate infrastructure elements can be made centrally, and propagated to the affected systems. This automates the transfer of information through the organisation s IT infrastructure, saving time and cost, as well as increasing efficiency by avoiding duplication of effort, and potential error, in reflecting the changes throughout the infrastructure. A user making a password change in one place can have that password propagated to all applications to which access is authorised. Implementing Single Sign-On (SSO), this benefits individuals by allowing use of a single, selfchosen password that can be easy to remember, and benefits the organisation by reducing incidences of forgotten passwords leading to help desk calls. At the same time, password strength can be increased by COSuser s implementation of password policy, which can also enforce the frequency of password redundancy (so that passwords are changed often) and implement safeguards against password compromise in the case of passwords being reused, or easily guessed. The mechanisms provided by COSuser for dealing with forgotten passwords include challenge/response within the workflows, thereby implementing the checks and balances inherent within customary help desk processes without incurring the costs of human involvement. A Web browser-based workflow engine is linked through to the software to provide self-service for end-users to request new accounts, passwords, or access rights. Such requests can be routed automatically to the appropriate line managers for authorisation, using the role definition structure that has been defined, before the changes become effective within IT systems. The automation of these various processes enfranchises the end-user, and can significantly improve the image and value of services offered by the IT department, as well as enabling real benefits to be gained by the reduction of help desk use. The platforms and applications managed by COSuser are seen as a domain known as the COSuser Enterprise (see Figure 1). The deployment configuration of COSuser typically comprises one COSuser Master Server, and one COSuser FailOver Server. Additionally, every node for which management is undertaken must have a COSuser Agent residing either on that node or on the Master Server. Each managed node may, in turn, manage a number of other nodes for example, in a Microsoft Windows 2000 environment COSuser Agents might be installed only on the Active Directory Server(s) (ADS). 2

3 Figure 1: COSuser Architecture Any operating system, database management system, middleware or application that COSuser manages is referred to as a Target. In cases where many Targets run on a particular node, only a single Agent runs on that node. Each type of Target has its own, intrinsic access control mechanism for example, /etc/passwd for UNIX, Active Directory for Microsoft Windows Server environments, and Primary Domain Controller (PDC) for Microsoft Windows NT with which users of that Target need to be registered to have the requisite access to the Target s resources. In order to interact with a Target s access control mechanism, COSuser uses a Target Knowledge Base (TKB). A TKB consists of a plug-in to the Master Server, and a small component that resides on each managed Agent supporting that Target. The TKB enables COSuser to register users on each type of Target. The COSuser Master Server holds the central database of user account information, the policy engine (for defining roles, and templates), the transaction engine (which is a fully fledged job scheduler), an operations workflow scheduler, and the audit and reporting engine. It may optionally host the Web server, and Web browser-based workflow engine. OSM supplies TKBs for common Target resources, such as established operating system environments, databases, and applications. TKBs for other resources, such as in-house applications, can be developed rapidly by OSM or its partners using the TKB Wizard, which is also supplied to technically advanced customers during implementation projects. Scalability is addressed throughout the product. An example is the use of a transaction server so that not all user management transactions have to occur in real time. For transactions that are required to be committed in real time (e.g. password synchronisation) the transaction server can achieve this, while for other tasks (e.g. registering a new user) system updates can be deferred until quiet time on the target systems, in order that the resource-intensive operations involved in user registration do not degrade performance of priority applications supported. 3 Butler Direct Limited Technology Infrastructure

4 Resilience is provided by COSuser s FailOver module, which caters for failover of the Master Server. It allows the end-user to be unaffected by failure, as downtime does not prevent user management activities and COSuser will later action the missed transactions. In order to limit the cost of the maintenance necessary for large user populations, the product s user administration is role-centric a user account is created only when a user is allocated one or more roles. COSuser can be configured so that any change made to a role is propagated instantly to all users currently assigned to that role. However, policy may be controlled for an individual user, server, application, or Target account, if required. COSuser provides powerful de-provisioning features, with which individual users can be deleted, disarmed, or disabled. Disarming a user has the effect of removing accesses available via all the accounts that are owned, but the user can be later recreated without any loss of the access rights that were available. Deleting a user deletes all the accounts and is not reversible. Disabling a user prevents the use of any owned accounts until re-enabled, and is useful as an immediate measure to block access. Product Emphasis The features used to control user access to target applications also control access to COSuser features, and therefore offer the same degree of flexibility in its use. Secure delegation of access rights is available with a high level of granularity, at the level of individual tasks, commands, or use of programs. COSuser records changes made to its data within audit logs, and incorporates a number of views and reports that allow interrogation of activity relating to accounts, users, and passwords. Organisations increasingly rely on business-critical applications that run on a mix of platform types, and may be distributed across the enterprise. The user population for such applications can also be widely distributed, with roles and locations that change frequently. The addition, deletion, or modification of user accounts across all platforms to keep pace with users changing requirements is a challenging business problem, and one that is critical in safeguarding security and integrity of access to enterprise systems and applications. Factors like increasing regulatory and legislative compliance pressures also magnify the need for proper control of user identity across the assets and infrastructure controlled by IT departments. Compared to other enterprise platforms, UNIX- and Linux-based systems are often poorly served by identity and access management facilities. Many organisations that use such systems suffer increased costs and risk due to this, and COSuser provides an answer to their significant problems in this area. DEPLOYMENT Implementation of COSuser requires technical expertise from OSM, and a degree of assistance with requirements relating to policy, and customisation of application interfaces, is typical. Large projects will normally include an element of process engineering, for which systems integrators are often used, particularly if the COSuser implementation is as part of an end-to-end identity management strategy. The time period required for implementation varies according to the size and complexity of the project. At small sites, with few systems or little variety of type of operating system, and where user information is already well defined, completions have been achieved in a few weeks large implementations with heterogeneous environments and major process changes can take 1-2 years to complete, although benefits are obtained progressively through the period. 4

5 As the first step in implementing large and complex user management projects, OSM ensures that specific user management requirements, existing processes, and organisational dynamics are thoroughly analysed before implementing any software. OSM has developed Rapid User Management Analysis (RUMA) as its methodology to integrate this objective with the implementation of COSuser. RUMA normally involves five stages: An initial interview, free of charge, to discuss problems with existing user management processes, such as security lapses, poor service levels and excessive operational costs. Metrics relating to a potential engagement are gathered, such as the size and nature of the user population, and the application and infrastructure profile. Business analysis, confirming the business drivers (e.g. improving efficiency, control, security, or service levels), and any scope limitations. Technical analysis to determine existing practices and problems, conducted with key staff members involved in user management. An interim report to senior management, identifying areas for potential improvement that would address existing problems and provide quick wins. Typically, this portrays a choice for management between automating and improving existing technology and processes, and maximising efficiency and productivity by adopting a COSuser solution. One action point from this stage is for senior management to identify the relative priorities of systems that might be linked to a COSuser solution, in order for the final RUMA stage to include estimates for building the solution. A complete report, including recommendations for process replacement or retention, incorporation of best practice (including take-on of existing user data), and stating formal objectives, plans, and costs in a proposal for an implementation project. Implementation can be undertaken in a horizontal manner (for example, by implementing on all UNIX servers first) or in a vertical fashion (e.g. implementing on all servers and applications required to facilitate the ERP system). After implementation, the resource commitment to COSuser is typically very low (one or more COSuser administrators are normally required), as the product automates a significant part of the workload of user management, and what cannot be automated is normally delegated via the COSuser operations workflow engine, or the Web browser-based workflow engine, to help desk or business users. OSM states that a positive Return On Investment (ROI) is achieved typically in a 12- to 18-month period. OSM provides a choice of levels of support: prime-time support is charged at 15% of the licence fee per year, and 24x7 support at 20% of licence fee per year. 24-hour support is provided using a transparent Follow the Sun mechanism, with help desks in the UK, US, and Australia logging problems to a centralised database. Training from OSM is either classroom-based or conducted on-site and is available as separate courses for Managers, Administrators, and Operators. The Master Server within COSuser can currently be deployed in the following environments: Sun Solaris, version 8 or 9. IBM AIX 5.1 or 5.2. Red Hat Linux Enterprise Server 2.1 or 3.0. A port to HP-UX 11i is planned. 5 Butler Direct Limited Technology Infrastructure

6 Agent software allows COSuser management to extend to all common varieties of UNIX, Linux, and Microsoft Windows server environments. For other environments, OSM can supply existing TKBs or write new ones at minimal cost. The COSuser client environment is available via X Windows on UNIX or Linux, on MS Windows, via a Web browser, or a command line interface (CLI). PRODUCT STRATEGY The target market for COSuser is large users of UNIX or Linux infrastructures, who would probably have Windows environments additionally, and who have a user population of 1,000 or more. COSuser provides significant extra functionality in the management of user accounts on UNIX and Linux systems, e.g. root shell auditing and access controls such management is critical in minimising risks arising from legislation, cyber-terrorism, and audit requirements. COSuser is sold directly, with some sales additionally arising from industry alliances with other ISVs (e.g. Microsoft, and Oblix, who are key technology partners) and systems integrators (e.g. CSC). Lockheed Martin, and Fujitsu Services are also OSM s preferred systems integrator partners. The licence cost is one time payment (perpetual) with a recurring annual maintenance and support cost. All elements of the software solution are included as standard, and an additional charge is made according to the number of user accounts being managed. Professional services are charged for implementation. There is no typical installation but OSM states that an average historical cost would be about US$250,000, of which 60% would be the cost of the software. Major releases are made available once per year, with patches of interim fixes or minor enhancements released more frequently. The next major release is planned for the second half of 2004, and annually thereafter. Butler Group considers OSM s strategy for COSuser to be excellent, particularly in its choice of Microsoft and Oblix as technology partners. Both have strong market presence (Microsoft s with MIIS and Active Directory, and Oblix with NetPoint) and each form strong parts of an identity and access management solution, but do not meet every organisational requirement for such a solution COSuser will form another vital piece of the jigsaw for customers. The combined user base of Microsoft and Oblix should provide numerous opportunities for COSuser s extension of the less advanced features that are natively offered within UNIX and Linux environments (which Butler Group expects to see in ubiquitous use across enterprise environments). COMPANY PROFILE OSM was established in 1988, and for a number of years undertook specialist services work with expertise in system administration on UNIX machines. As a number of assignments in such technical environments involved establishing centralised administration of users and their access rights, OSM recognised a market opportunity and took the step of developing a product to fulfil this need. Its headquarters are in Ascot in the UK, and it also has US offices for sales and support staff in Seattle and Baltimore, and also in Perth, in Western Australia (where part of the product development work is also undertaken). 6

7 The company is privately owned, with backing from 3i. 60% of its revenues are earned in the UK, 25% in the US, and 15% in other regions. Its forecast revenues in its current year are UK 4.3 million, and in prior years were as follows: Year (figures in UK million) Revenues Profit/(Loss) 0.4 (0.376) (0.551) Losses were incurred in 2001 and 2002 as OSM used its investment from 3i to build the COSuser product. Revenue history included sales of third-party products which have been progressively dropped as OSM focused on its own software. The company has approximately 40 employees, of whom the majority are based in the UK, and additionally uses contract workers. Of the employees, 14 work in research and development, 9 is sales or marketing, 11 in consultancy and support, and the remainder in finance and administration. The number of staff is expected to grow by 25% in the forthcoming 12 months. OSM states that it has 47 customers of COSuser and its previous incarnation, the COSadmin product, with the company s total customer base extending to over 1,000. The following are key COSuser customers: Lloyds TSB. Northumbrian Water. Procket Networks. Duke Energy. SUMMARY By enabling powerful management of user access rights in UNIX and Linux environments, COSuser has a distinct and valuable niche in the competitive market place of identity and access management products. With facilities for user administration, password synchronisation and policy control, and workflow that enables it to be integrated as a business process, COSuser significantly augments the management of user accounts that is available on standard UNIX and Linux systems. Offering integration with Microsoft s identity framework (via an integration module with MIIS) extends the value of the solution for the many organisations that operate heterogeneous IT infrastructures. COSuser s capabilities offer potential benefits of cost saving, increased efficiency, and widened management of identity and access that highly recommend it as a consideration for such organisations, in the mid- to large-sized sector, that are OSM s target market. 7 Butler Direct Limited Technology Infrastructure

8 CONTACT DETAILS Europe Open Systems Management Ltd Kings Ride Court Kings Ride Ascot, Berkshire SL5 7JR UK Tel: +44 (0) Fax: +44 (0) North America Open Systems Management, Inc Third Avenue Suite 905 Seattle WA USA Tel: Fax: Important Notice: About Butler Group: For more information on Butler Group s Subscription Services, contact: This report contains data and information up-to-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore Butler Direct Limited cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report remains with you. Butler Direct Limited will not be liable for any interpretations or decisions made by you. Butler Group is the premier European provider of Information Technology research, analysis, and advice. Founded in 1990 by Martin Butler, the Company is respected throughout the business world for the impartiality and incisiveness of its research and opinion. Butler Group provides a comprehensive portfolio of Research, Events, and Subscription Services, catering for the specialised needs of all levels of executive, from IT professionals to senior managers and board directors. Europa House, 184 Ferensway, Hull, East Yorkshire, HU1 3UT, UK Tel: +44 (0) Fax: +44 (0)