Identity and Access Management Decision, Analysis and Resolution (DAR) for an enterprise wide identity and access management program for Arizona Department of Education Objective evaluation of multiple identity and access management systems that are being used in the industry November 10, 2011

ADE Needs Situation Open audit findings related to user access security (Common Logon) Highly manual and often inconsistent process for user provisioning The burden of complexity on IT, which must manage identities across heterogeneous systems High help-desk costs associated with password resets and support.

Identity Challenges Loss of end-user productivity because users cannot manage the routine aspects of their own identity and access Lengthy development time for identity management customization because existing developer interfaces require specialized knowledge Security gaps and risk to the business due to noncompliance with internal and external regulations

Maintenance Challenges Managing identities across systems Costly Time-consuming Costs and time grows exponentially as Number and types of users increase Number of services and systems grow Complexity of systems and applications increase Regulatory demands increase

Proposed Solution Secure Remote Access Well-managed Identity SSO and Federation Provide well-managed, common identity infrastructure Enable interoperable access across networks Authentication and authorization Built on Active Directory

Evaluation Approach The team established guidelines to determine which issues should be subjected to a formal evaluation process, then applied a formal evaluation process to these findings establishing the criteria for evaluating alternatives identifying alternative solutions selecting methods for evaluating alternatives evaluating the alternative solutions using established criteria and methods selecting recommended solutions from the alternatives based on the evaluation criteria

System Criteria Evaluation criteria provided the basis for evaluating alternative solutions. The criteria was ranked so the highest ranked criteria exerted the most influence on the evaluation. Ability to integrate with current user base on Active Directory Flexibility and long-term support Ease of deployment

Identity and Access Management tools Three identity access management tools were shortlisted to evaluate ADE needs Microsoft Forefront Identity Manager (FIM) 2010 Computer Associates Identity Manager (CAIM) Oracle Identity Manager (OIM) 11g

Gartner Report Gartner Research Report: 2010 magic Quadrant for User Provisioning Leaders Oracle CA Technologies Challengers Microsoft

Deployment Microsoft FIM is an Identity Management system based on existing Microsoft software platform. It is a comprehensive solution for managing identities, credentials, and identity-based access policies across heterogeneous environments. Computer Associates Identity Manager provides out-of- the-box connectors for Active Directory. Oracle Identity Manager 11g is a highly flexible and scalable system built on Java EE architecture. It leverages Oracle Metadata Services (MDS) for a reduction in customizations and provides a simplified development, configuration and deployment.

Integration with Active Directory FIM offers a fully integrated BI solution for operational analytics and dashboard CAIM core competency is to integrate with Active Directory OIM supports LDAP identity repository and web services exist for Active Directory integration

Flexibility FIM has an advantage of leveraging the Microsoft stack of products CAIM is easily integrated with Microsoft products OIM is built on open architecture to integrate with existing software and middleware

Road map FIM upgrades versions every years, with service packs between releases CAIM does not have a clear road map for upgrades or long-term strategy OIM upgrades versions every 3-5 years, with service pack between releases

Cost FIM is the least expensive at $ 4,319 server license cost with unlimited external users CA Technologies proposed a suite of products to be implemented over 2 years $ per user license costs based on 4,000 users for $209,000 total CA installation costs of $ 624,000 (recommended) $ 41,800 Annual maintenance starting year 3 Oracle IM suite is a total licensing cost of $326,600 Internal User license $ 95 each (minimum of 2,000) External User license $ 12 each (minimum of 5,000) Processor licensing - $ 85,800 each (2 required)

Maintenance All the Enterprise Resource Planning (ERP) systems have an annual software maintenance fees in the range of 18-25% of its original software costs Annual maintenance covers software updates as well as new version releases Maintenance is included in the forecast for next seven to ten years of a typical software life cycle

Resolution FIM is the best option for ADE. It has a defined road map as well as excellent interface to the Microsoft software platform. It is the most cost effective product. CAIM has fewer features and is the most basic system reviewed. OIM is a strong product, but not as easily integrated into a Microsoft based environment. The overall licensing, support, and integration cost for Oracle make this the most expensive product reviewed.

Score (1-5) WeightingFIM Weighted ScoreCA Weighted ScoreOracle Weighted Score Decision SupportComments Integration How well will it fit into our current environment? Flexibility Scalability and functionality. Deployment How quickly and easily can we deploy? Road Map Future enhancements and product updates. TOTAL18TOTAL77TOTAL54TOTAL63 Costs Pricing/hours Pricing base on per user license and module cost, if applicable TOTAL4 20TOTAL8 12 Resource / Skill Set Availability Technical expertise Resource availability (Local vs. Non-local) TOTAL5 20TOTAL15TOTAL10 Suitability Rating Ranking * Supporting Documentation located on Team SharePoint site Weighted Criteria Matrix

FIM Solution Key Benefits Empowers people to accomplish self-service identity tasks Delivers agility through automation, self- service, and extensibility Increases security with management across identities, credentials, and resources Introduces "codeless provisioning, allowing changes to be rapidly implemented without reprogramming solutions

Recommendation Base on the Assessment Matrix, Microsoft FIM is the recommended solution for ADE Identity and Access Management solution. Microsoft FIM would provide the core applications needed as well as strong interface into the other Microsoft products currently used in the Department. The overall licensing and implementation costs are also the lowest. CAIM would more easily fit into our environment, but it has fewer features at a significantly higher cost that the other products. Oracle IM would provide a suitable core application, but would require significant integration for network services and have high impact to the current environment. The Department does not have the resource skill set and a new team would need to be engaged for deployment and on- going support.