
Cutting the cost of Windows identity and access management

Are you spending too much time and money on identity and access management? Learn how to get around the limitations of Windows' native IAM tools and reduce overhead in the process.

What is identity management? For most of us, it means Active Directory management, while for many companies it also covers the account stores that sit outside AD: local Unix accounts, local Windows user accounts, SAP user accounts and much more.

I have consulting clients that spend as much as $120 per user to provision or change new and existing accounts. In a company of just 5,000 employees with 10% turnover and 40% change (promotions, transfers and so forth), that is 2,500 provisioning or change events a year, which adds up to $300,000 per year.

Why so much? Part of the reason is that Windows as an operating system doesn't do a very good job of enabling us to manage identity and access. When it comes to identity, it's Active Directory or bust – and most companies have plenty of systems that simply don't integrate with Active Directory authentication. In those cases, every non-AD system adds more overhead to identity management, and by overhead, of course, I mean cost. This doesn't even take into account the fact that identity management is tedious, repetitive and error-prone.

Natively, Windows does an even poorer job with access management. Enterprises have numerous types of resources that need to be secured, including Exchange Server mailboxes, databases, files and folders, registry keys, background services and directory objects. In Windows, each of these is managed either through its own graphical dialog or one at a time via command-line tools. In other words, if the boss needs you to change permissions on a batch of files spread across several servers, then you'll have to spend some time poking around dialog boxes. Once again, this is a boring, error-prone task that is usually relegated to the "new guy" or an intern.
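The batch-of-files scenario above is exactly the kind of task that should be scripted rather than clicked through. The following is an added example, not code from the original article; it assumes hypothetical UNC paths and a hypothetical AD group named CONTOSO\Finance-RO, and that the account running it can read and write the ACLs on every target. It needs Windows PowerShell 2.0 or later and uses only the built-in Get-Acl and Set-Acl cmdlets.

```powershell
# Added example (not from the original article). The share paths and the group
# CONTOSO\Finance-RO are hypothetical; run as an account that can change the ACLs.

function Grant-ReadAccessBatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]] $Path,
        [Parameter(Mandatory = $true)] [string]   $Principal
    )

    foreach ($p in $Path) {
        $item = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $item) {
            New-Object PSObject -Property @{ Path = $p; Result = 'NotFound'; PreviousSddl = $null }
            continue
        }

        # Files cannot carry inheritance flags; only folders propagate an ACE to children.
        $inherit = if ($item.PSIsContainer) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $Principal, 'ReadAndExecute', $inherit, 'None', 'Allow'

        $acl = Get-Acl -Path $p
        # Keep the old DACL (as SDDL) so the change can be audited or rolled back later.
        $before = $acl.GetSecurityDescriptorSddlForm('Access')
        $acl.AddAccessRule($rule)

        if ($PSCmdlet.ShouldProcess($p, "Grant ReadAndExecute to $Principal")) {
            Set-Acl -Path $p -AclObject $acl
            $result = 'Changed'
        } else {
            $result = 'Skipped'
        }
        New-Object PSObject -Property @{ Path = $p; Result = $result; PreviousSddl = $before }
    }
}

# Constructed input: the "batch of files spread across several servers".
$targets = '\\fs01\Finance\Budget2010', '\\fs02\Projects\Audit', '\\fs03\Shared\Reports\Q3.xlsx'

# Dry run first: -WhatIf reports what would change without touching any ACL.
Grant-ReadAccessBatch -Path $targets -Principal 'CONTOSO\Finance-RO' -WhatIf

# Real run, with the per-path result and previous SDDL written out as a change record.
Grant-ReadAccessBatch -Path $targets -Principal 'CONTOSO\Finance-RO' |
    Export-Csv -Path .\acl-change-log.csv -NoTypeInformation
```

The -WhatIf pass and the CSV of previous descriptors are the two things that turn a risky bulk change into something reviewable: you can show what will happen before it happens, and you can put it back afterwards. Granting to a group rather than to individual users is deliberate; it is the first step toward the role-based model discussed later.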

Worse, and more subtle, is the problem of "who needs access to what." Oftentimes an administrator is told to "just give them access to everything" because nobody can determine what access the person really needs. Just as often, the instruction is "just give him or her whatever access Joe has," even though determining what Joe has access to is nearly impossible with the native tool set.

Ultimately, there are several problems here. One issue is access inventory, meaning the ability to quickly determine who has access to a resource or what resources a given principal has access to. Another problem is that we don't tend to manage permissions based on a person's role within the organization. Role-based management is effective because it groups resources by job position, so giving someone the access they need is as simple as dropping them into the proper role. It's possible to have role-based management with Active Directory groups, but in more complicated, multi-domain and multi-forest environments, it's not practical.
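For the file-share portion of that inventory problem, here is what "what does Joe actually have" looks like when scripted. This is an added example and not code from the original article; the account CONTOSO\jsmith and the share paths are hypothetical, and it assumes it runs as a domain user who can read the target ACLs and query Active Directory. It uses only the System.DirectoryServices and System.Security.AccessControl classes that ship with Windows, so no AD PowerShell module is required (Windows PowerShell 2.0 or later).

```powershell
# Added example (not from the original article). Account name and share paths are
# hypothetical; run as a domain user who can read the ACLs and query AD.

function Get-PrincipalSidSet {
    # Returns a hashtable keyed by SID: the user's own SID plus every group SID in the
    # user's token. tokenGroups is computed by the DC and already includes nested groups,
    # which is why it is used instead of the direct-only memberOf attribute.
    param([Parameter(Mandatory = $true)] [string] $SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $found = $searcher.FindOne()
    if (-not $found) { throw "Account '$SamAccountName' not found in the current domain" }

    $entry = $found.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))

    $sids = @{}
    $userSid = New-Object System.Security.Principal.SecurityIdentifier($entry.Properties['objectSid'][0], 0)
    $sids[$userSid.Value] = $true
    foreach ($raw in $entry.Properties['tokenGroups']) {
        $groupSid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $sids[$groupSid.Value] = $true
    }
    return $sids
}

function Get-AccessInventory {
    # Walks each root and its subfolders and reports every ACE that applies to the
    # principal, whether granted to the user directly or to a group in its token.
    param(
        [Parameter(Mandatory = $true)] [string[]]  $Root,
        [Parameter(Mandatory = $true)] [hashtable] $SidSet
    )
    foreach ($r in $Root) {
        $top = Get-Item -Path $r -ErrorAction SilentlyContinue
        if (-not $top) { continue }
        $folders = @($top) + @(Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue |
                                Where-Object { $_.PSIsContainer })
        foreach ($folder in $folders) {
            $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                # Below the root, inherited ACEs just repeat the parent; report only explicit grants there.
                if ($ace.IsInherited -and $folder.FullName -ne $top.FullName) { continue }
                # Compare by SID so DOMAIN\name vs. SID vs. orphaned-SID entries all match correctly.
                try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }
                if ($SidSet.ContainsKey($aceSid)) {
                    New-Object PSObject -Property @{
                        Path       = $folder.FullName
                        GrantedVia = $ace.IdentityReference.Value
                        Rights     = $ace.FileSystemRights
                        Type       = $ace.AccessControlType
                        Inherited  = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Constructed input: "give him whatever Joe has" becomes a report of what Joe actually has.
$joe   = Get-PrincipalSidSet -SamAccountName 'jsmith'
$roots = '\\fs01\Finance', '\\fs02\Projects'
Get-AccessInventory -Root $roots -SidSet $joe |
    Sort-Object Path | Format-Table Path, GrantedVia, Rights, Type, Inherited -AutoSize
```

The GrantedVia column is the interesting one: if most rows name a handful of groups, those groups are your de facto roles and the new hire can simply be added to them; if most rows name jsmith directly, you are looking at the accumulated one-off grants that role-based management is meant to eliminate. Note that this only inventories NTFS permissions; Exchange mailboxes, SQL Server, the registry and AD objects each have their own security descriptors and would need the same treatment with their own providers, which is precisely why the native tool set makes a complete inventory so expensive.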

The last problem with identity and access management is one of change control. In Windows, administrators can change anything – they're administrators, after all, and that's their job. From a business perspective, though, that capability is overreaching. Businesses don't want changes to identities and access controls to occur until such changes have been reviewed and approved. Windows offers no such built-in mechanism for this, which makes it difficult for companies to enforce compliance with management frameworks like ITIL, COBIT and so forth.

So what's the answer? Microsoft's Identity Lifecycle Manager (ILM) provides part of it, as the product helps integrate non-AD directories with AD. Essentially, it allows you to manage identities in Active Directory or ILM, and it synchronizes those identities with other directories.

Keep in mind that sync isn't a maintenance-free or hassle-free science, so it's still beneficial to reduce directories whenever possible. For example, you might use add-on tools that allow Unix systems to integrate directly to Active Directory, eliminating the need for a dedicated Unix directory and sync point; such tools are offered by companies like Quest Software and Centrify.

Identity Lifecycle Manager 2 is currently in Release Candidate status and was recently renamed Forefront Identity Manager (FIM) 2010, the third or fourth moniker it has carried since Microsoft bought it from Zoomit Corp. The new version offers change control and self-service options to identity management. This is a significant upgrade, and is a strong reason to consider ILM – sorry, FIM – even if you don't have multiple directories.

The product does carry a hefty price tag, however, so part of your due diligence should include investigating solutions from third-parties like Attachmate or Quest Software. Third-party products can, in some environments, stand in for Forefront Identity Manager, providing change control and directory sync (albeit to a smaller list of non-AD directories). They can also complement FIM in larger environments.

In addition, third-party products have the higher-end access control you'll need to reduce costs, especially if you're subject to legislative or industry requirements like HIPAA, SOX, GLB, PCI and so forth. These access control systems incorporate change control workflow, permission inventories and role-based management. In conjunction with a more automated identity management system (or if the solution does that, too), these tools can help drastically reduce the overhead spent in identity and access management (IAM).

The time and money you spend on IAM is often difficult to perceive unless you have really good workload tracking in your organization. If you think your company doesn't spend much time on identity and access management, then one of two things is true: either you're not managing IAM properly, or you're wrong in your assessment of how much time it's taking.

The unfortunate fact is that Windows' native IAM capabilities are usually insufficient for all but the smallest, Microsoft-only shops. Additional tools are needed to provide automated and change-controlled IAM, inventory permissions and reporting, and role-based access management. I recommend that you consider Identity Lifecycle Manager or its successor FIM and investigate third-party tools that help fill this important, high-overhead gap in the native toolset.

Don Jones is a co-founder of Concentrated Technology LLC, the author of more than 30 IT books and a speaker at technical conferences worldwide. Contact him through his website at
