IAM Product Review: CA Identity Manager

September 30, 2015

Ephrem is a senior consultant in Kalles Group’s cybersecurity and risk management practice.  He provides complex technical project leadership expertise and specializes in building enterprise IAM solutions for our clients.

Before I discuss any Identity Manager solution, I would like to talk about what Identity Management is and why it’s important. Identity Management is a subset of the Identity and Access Management (IAM) practice, which falls under the bigger umbrella of IT Security. It is a practice where enterprises implement and enforce a mechanism (technology and process) that gives them full knowledge of all of their identities (logical and physical) as well as what each of these identities has access to within the organization. In addition to staying secure, this knowledge also empowers enterprises to minimize and mitigate risk and to meet the various compliance requirements they might be obliged to satisfy.

The tools enterprises use to manage their identities and their access to resources vary greatly, from home-grown solutions to a wide selection of third-party packaged solutions. For major organizations, a home-grown IAM solution is becoming a less reasonable choice every day. This is mainly due to the overhead of maintaining and maturing a home-grown solution compared to the cost of acquiring a packaged solution, which also brings the automatic gains of industry standards and best practices. Today, there are several packaged options on the market for enterprises to evaluate in choosing the IAM solution that best fits their needs. Most of the prominent software companies offer IAM solutions, including Oracle, IBM, Microsoft, NetIQ, SAP, SailPoint, RSA, and CA Technologies. For the purpose of this article, I will provide my personal take on one of the IAM products by CA Technologies, CA Identity Manager. In its January 2015 edition, Gartner placed CA Technologies in the “Visionaries” quadrant of its Magic Quadrant for IAM products.

CA Identity Manager is one of the more robust tools in the IAM space, providing the capabilities and feature sets that most enterprises look for when managing identities and accounts through their life cycles. User on-boarding, off-boarding, account provisioning, de-provisioning, password management, self-service, access requests, approval workflows, and reporting are some of the common capabilities CA Identity Manager comes loaded with. Despite the availability of these great functionalities, implementing the solution is not necessarily an easy undertaking. Depending on the size of the scope, the complexity of the requirements, and the number of target systems to integrate with, a CA Identity Manager implementation can take anywhere from six months to two years. The challenge is further compounded if the enterprise relies fully on in-house talent without prior implementation experience with the product. Because of the breadth of the product’s features, a complex, multi-layered solution architecture is required, which results in a challenging and non-intuitive implementation process.

For those who use it carefully (I will come back to this point later), the complexity of CA Identity Manager implementation comes with the great benefit of being highly customizable. If the product does not offer the functionality one is looking for straight out of the box, CA Identity Manager provides interfaces, client tools, and APIs that allow customers to custom-develop a solution to fill the gap. For provisioning needs, CA Identity Manager comes with a quite sizable number of out-of-the-box connectors to select from, such as Active Directory, SAP, Oracle Databases, and so on. If there is an application for which CA Identity Manager does not have a connector, it provides a client tool, Connector Xpress, that helps with custom connector development.

Another incredible framework worth mentioning is Policy Xpress, a platform that lets customers write business logic within a web-based user interface without necessarily having a software programming background. However, the flexibility the product offers can sometimes lead to self-defeating behavior, which is why I said “carefully” earlier. It is not uncommon to see organizations either completely avoid doing any custom work to aid the tool or get too excited about the flexibility and customize everything to the point where the tool is no longer recognizable. As with everything else, it is a matter of finding the right balance; in my view, CA Identity Manager offers so much flexibility that unaware customers might trip themselves up by making it impossible for the vendor to continue providing support. On the other hand, many features, such as the self-service functionalities (password reset, account unlock, and updating a preferred phone number), are much less complicated to implement.

CA Identity Manager also ships with a CA re-branded SAP BusinessObjects reporting engine to provide customers with reporting capability. Empowering customers to report on their identities and define what each identity has access to is an invaluable benefit for both audit and compliance purposes. CA Identity Manager comes with canned audit reports as well as relatively easy-to-configure snapshot-based reports. I would conclude my thoughts by leaning more towards the love side of the love-hate relationship I have had with CA Identity Manager for the past few years. Once all the implementation challenges are managed well and it is in place, CA Identity Manager is a very stable product with great support from the community as well as the vendor’s support team. If it were a personal consumer product, I would have recommended it to a friend.