Microsoft’s Identity Life Cycle Management Story - Part 1: Microsoft's philosophy and vision

  • Article

Many of you may be aware that Microsoft has been a player in the Identity Management space for many years. Starting off with Microsoft Metadirectory Services, then moving on to the release of Microsoft Identity Integration Server 2003 and our current offering Identity Lifecycle Manager 2007.

What you may not be aware of is that Microsoft is about to revolutionize Identity Management with the release of Forefront Identity Manager (previously known as ILM “2”) in the first half of 2010. The marketing strap line for ILM “2” is that “Identity Management is about to get a whole lot easier” and having worked with ILM “2” (currently available as a Release Candidate) I’m very excited about this product and what it can do for both IT Pros and businesses.

So, for those of you who may not be familiar with Microsoft’s Identity management story I’m going to start with Microsoft's philosophy on Identity Lifecycle Management (ILM). Future articles will look at where we are today in terms of ILM 2007 and where we will be going to, with the much anticipated release of ILM "2". So let’s look at Microsoft's philosophy for ILM.

Microsoft’s Identity Management Strategy

Basically Microsoft's position on ILM comes down to the concept of a People Ready business. Identity and access is at the centre of the People Ready business:

clip_image002

To enable the people in your organisation to be successful, they need an efficient and intuitive way to collaborate. At the same time, the business needs to ensure that collaboration is taking place within the bounds of internal and external regulations, business policy and process, and security. At the centre of it all, is the identity and access infrastructure and tools that provides information on users, devices, they access, what credentials they need and how they are configured, and the rules or policies governing the behaviour of these objects. In order to realize the vision of a People Ready business, the identity and access infrastructure and tools need to provide people with the right collaboration experience, in a way that complies with business process.

How do we ensure that our identity and access infrastructure and tools are enabling this People Ready vision? By overcoming a number of challenges, such as....

1. Improving Operational Efficiency

  • On average employees need access to 16 applications and systems
  • Companies spend €25-30 per user per year for password resets

2. Reducing Security Risks

  • 38% of users recycle old passwords, 18% write them down

3. Meeting Regulation Requirements

  • Implementing business process and policies to meet internal regulations

4. Enabling Business Objectives

  • Improving connections with partners and customers
  • Driving business decisions closer to decision-makers

Today, the management burden is on IT

Today, we know that the burden of addressing these challenges is on IT. When you think about what identity management tasks IT today, they include a number of things that IT should be doing – such as deploying software, administering systems, ensuring systems under their control are secure and compliant. But often IT is also burdened with additional repetitive tasks such as managing end user requests such as password resets, creating and deleting user accounts in all the systems the end users need to do their jobs, and manually implementing, reporting on, and enforcing policies across these systems.

Meanwhile, end users are in a position where they are relying on IT for their requests. Wouldn’t it make more sense for users to have the tools to do some of this work themselves and remove the burden from IT as well as themselves?

Today identity and access management tasks are often being done by the wrong people, who are struggling with the complexity of existing systems and tools. In the end this means higher cost for the business:

clip_image004

Microsoft's Vision

Microsoft has a vision for putting the identity lifecycle back into balance by aligning experiences with the right people.

IT professionals should be focused on what they do best – architecture, deployment, administration, governance, and security

Information workers should have familiar tools to manage their own information, credentials, access, and resources they own. Information workers should have tools within the applications and systems they use every day.

Microsoft’s vision for this space is to provide an identity lifecycle management solution that spans across a breadth of Windows and non-Windows infrastructure, and delivers management of users, access, credentials, and policy from a single, integrated solution that is easy to configure and customize if needed:

clip_image006

Changing the Equation

Research from IDC, Gartner, and Microsoft shows that identity and access management software is only about 10% of the total amount that organisations spend. The rest of the identity and access management budget is spent on IT staff performing manual, repetitive tasks such as password reset and manual user provisioning and deprovisioning. What Microsoft wants to do is decrease the total amount your organisation spends on identity and access and enables IT staff to do work that is more strategic for the business. The result of this decreased spend is:

- Less spending on specialized infrastructure and tools to manage the complexity

- Higher end-user productivity from users who have the right tools at their fingertips

- IT staff focused more on business enablement than end user account, access, and credential related requests

- Lower spending on services since systems integration costs dramatically decrease

IDC recently completed a study comparing enterprise customers cost structures with these solutions in place. IDC found that customers can save

-€30 per PC per year with an automated user provisioning solution

-€70 per PC per year with a directory synchronization, password synchronization, and self-password reset solution

clip_image002[4]

Roadmap for getting there

Today we have a product in market called Microsoft Identity Lifecycle Manager (ILM) 2007, a solution that provides metadirectory and user provisioning capabilities and capabilities for managing strong credentials, providing an integrated approach that pulls together metadirectory, digital certificate and password management, and user provisioning across Windows and other enterprise systems.

In the 1st half of 2010, Microsoft plans to deliver Identity Lifecycle Manager ”2”, a comprehensive solution for managing user accounts, access via groups and roles, password and certificate-based credentials, and policies across Windows and heterogeneous environments. ILM “2” will extend the functionality of ILM 2007 with new capabilities that will (1) empower end users with integrated self-service tools in Office and Windows; (2) put IT in control through a robust delegation model and business process framework, and (3) increase operational efficiency by automating common identity lifecycle management tasks and empowering end users with self-help solutions.  In addition, Microsoft is implementing ILM “2” on a common set of services – including workflow, delegation, web services APIs – that customers and independent software vendors can use to customize and extend the functionality in ILM “2”.

clip_image004

So, there you have it. In the next article I'll have a look at ILM 2007, our current product which has been successfully deployed to many customers in Ireland. In the meantime you can find out more about ILM at the following links:

https://technet.microsoft.com/en-gb/ilm/default.aspx

https://www.microsoft.com/windowsserver/ilm2/default.mspx

Stay tuned for the next instalment!

   image   James McAlonan, Senior Infrastructure Consultant, Microsoft Consulting Services