All organizations need to manage identities, credentials, and resources. Some lucky organizations only have to deal with one directory, but most have to deal with multiple directory trees and application-specific identity sources. The IT department in those organizations are expected to deliver this management efficiently, cost effectively, and securely. When this management goes bad, IT departments can lose the ability to be agile, and custom solutions created to manage identities can inhibit their ability to adapt to business change efficiently. These solutions may require manual intervention, and the results are inevitably higher costs all around.
What is needed is a comprehensive identity and access management solution. One that can both integrate certificate and smart card management with the traditional identity management lifecycle, while bringing a level of self-service management to users. Microsoft Forefront Identity Manager 2010 (FIM) is a component of Microsoft’s Identity & Access Management solution that brings powerful capabilities, administrative tools, and enhanced automation to organizations that help them efficiently manage identities
FIM is not the first identity management product from Microsoft. FIM has evolved from Microsoft Identity Lifecycle Manager (ILM) 2007, which was previously Microsoft Identity Integration Server (MIIS) 2003, which originated from Microsoft Metadirectory Services (MMS). These products provide two stable engines for delivering the core services of FIM. These engines deliver core provisioning and synchronization services between different systems, as well as certificate and smart card management. FIM then builds on previous releases by wrapping these core services in a rich management environment, including workflows and self service capabilities for end users, making it easier for IT Administrators to manage the identity management lifecycle and enabling them to delegate some tasks to end users.
How does FIM make identity management easier? FIM 2010 provides the ability to manage multiple credentials in an integrated manner. IT Administrators have centralized management tools where they can view and define policies, such as defining smart card templates and processes for resetting PINs.
Today, IT Administrators often spend time adding people to groups, removing people from groups – if they are ever told access is no longer needed -, creating and managing accounts, or at least trying to. When a new hire arrives at a company it can turn into a departmental sweepstakes – “Guess the date when Joe will have access to our systems?” When you think about your organization, think of all the accounts you have. You have an network account, then you almost certainly have an email account, which is also almost certainly a member of a number of distribution groups, an account in the finance system so you get paid, and an account in a customer relationship system. Then there are the file shares and web sites internally you have access too. Finally, like me, you may have a building access card that may be a smart card with certificates on. All of these have to be created, authorized, and issued. This is what FIM does, or moreover, this is what FIM enables the IT Administrators to do more efficiently.
When new hire “Joe” starts, he may well go through some new employee orientation, and at that point the HR representative could add or approve “Joe” in their system. “Joe” now officially exists. In the background FIM has seen this change because of the policies defined by the Administrators. FIM now starts the enrolment process, a network access account is created, a corresponding email account is created, requests for certificates are generated, and requests are sent to the appropriate people to authorize the creation of accounts in the CRM system or the finance system. At every stage, the policy and workflow dictates who gets notified to authorize the change. So when “Joe” gets to the security office to have his picture taken and added to his access card, the card can be loaded with the right certificates and “Joe” can walk into his new department all ready to go.
This isn’t a one way process, if “Joe” leaves, when his final salary is paid, FIM can reverse all these changes, certificates can be revoked and accounts disabled, etc. FIM also provides the IT Administrators the ability to delegate certain information management tasks to users. Now during “Joe’s” employment, he can self-manage some of his own identity information; for example mobile phone number, as well as reset his password or smart card PIN. Tasks like password or PIN reset, in estimates, can cost around $35 per requests, which can quickly accumulate over the course of a year.
FIM allows IT Administrators to spend more time managing their systems security, and less time managing people’s identity. In the next part we will look at the self-service capabilities in FIM and how access management of resources can be delegated to the end users.
Videos / Webcasts
Datasheets and downloads