When it comes to Windows security, identity management weighs heavily on the minds of IT managers and administrators. Microsoft's latest release aims to address those concerns with a focus on self-service capabilities and new automation tools.
The company announced the official release of Forefront Identity Manager 2010 at the RSA Conference 2010 in San Francisco last week. The software is the successor to Microsoft's Identity Lifecycle Manager (ILM) 2007. Formerly dubbed ILM "2", the product features a host of new self-service functionality designed to put more power in the hands of end users.
Don Retallack, an analyst with Kirkland, Wash.-based Directions on Microsoft, said the release is expected to cut down on help-desk tickets by allowing users to reset their own passwords, a feature that should take a lot of pressure off IT.
"Probably the No. 1 help-desk call is, 'How do I reset my password?' And not only for laptops, but for all systems [end users] use," Retallack said. "A thing like Forefront Identity Manager can help in those situations by setting up self-service portals and cutting down on calls to help desk."
This self-service password reset feature works via a portal running on Windows SharePoint Services. Users can access the portal to make a number of changes, with password updates being the most notable. The portal can even be accessed by users who are not logged in to their computers.
"The nice thing about [self-service password reset] is that in addition to being a SharePoint portal, it also has a bit of functionality that can hook into the Ctrl + Alt + Delete screen," said Laura E. Hunter, a Microsoft MVP for Directory Services and principal with LHA Consulting, Inc. out of Philadelphia. "That way, you can still log in to get to the portal, even if you can't log in to your computer."
Pricey password requests flood the help desk
Aside from the convenience afforded to all involved, giving users the ability to reset and update their own passwords offers some potential cost-saving benefits as well. A study by Gartner estimates that more than 30% of all help-desk calls are password-related, coming in at an average of $25 per ticket. Cutting down on those numbers could have a big effect on the bottom line, particularly for large enterprises.
"If you are normally looking at a cost [of $25 per help-desk call] in one quarter, then you release this feature the next, it's very easy for accountants to see the [return on investment] with the cost of deploying something like this," Hunter said. She added that depending on the size and setup of a particular company, the savings on help-desk calls alone could potentially pay for an entire implementation.
Forefront Identity Manager 2010 also features a slew of automation capabilities that tie in to the self-service portal. The software is built on what Microsoft calls a "rules engine" as a way of establishing user access based on individual roles. These rules can be set to meet each organization's needs.
Retallack used the example of a temporary employee who might put in a request for a parking pass. Since his role is listed as temporary in Active Directory, the system might then automatically reject the request based on the rules put into effect by the company.
"Then, if human resources updated that employee's status to full-time … [Forefront Identity Manager] could automatically approve the request, without any further action from the end user or IT," he explained.
Other identity management suites
These enhancements add another element to Microsoft's identity and access management suite, which also includes Intelligent Application Gateway and various Active Directory services. Perry Carpenter, a research director with Gartner Inc., said that although it could be a while before Microsoft poses a serious challenge to more prominent identity management vendors like IBM, CA and Oracle, things seem to be heading in the right direction.
"Right now, even though [Forefront Identity Manager] can deal with a heterogeneous environment, it's still very Microsoft-centric, so it doesn't solve the entire password-reset problem," Carpenter said, noting that the list of systems Forefront can reach out to still doesn't compare well with that of other, more seasoned technologies.
Carpenter added that while Microsoft's direct competition currently includes products from Courion Corporation and Quest Software, the company could be in position to claim a bigger part of the identity management market at some point in the next few years.
"As [Forefront Identity Manager] matures and they continue to fill in the gaps involving more heterogeneous parts of the enterprise, it will get more adoption," he said. "People are going to be dipping their toes in this year and getting the feel for it, so you'll get some early adoption. Then, as more information comes out around using it in years two and three, it will have a pretty good knowledge base around it, and organizations will start seeing it as a much more seasoned product."
Forefront Identity Manager 2010 is listed at $15,000 per server, and a free trial is also available for download from the Microsoft website. Hunter noted that while much of the self-service functionality is available out-of-the-box, she also found the product to be very extensible, which could be appealing to organizations in need of a little more flexibility.
"Because it's all built on Web Services," she said, "if you can find someone who can code it, then you can probably find a way to do it."