Tivoli Identity Manager Giveth and Taketh Away

IBM’s new product automates provisioning user privileges across distributed environments

When IBM purchased cross-platform identity management specialist Access360 in September 2002, most industry watchers pronounced the deal a home run.

Writing in a report for consultancy Illuminata, for example, analysts James Governor and Dianne McAdam noted that Access360’s enRole identity management software—which IBM said would be folded into its Tivoli Software Group and re-branded Tivoli Identity Manager (TIM)— “fills a major hole in the Tivoli portfolio” for IBM.

That hole is identity management, or—as Jeff Drake, director of IBM’s Tivoli security strategy, puts it—so-called “enterprise provisioning,” a concept that describes the automated process of configuring systems and resources for access by employees and business partners. Implicit within the notion of enterprise provisioning, Drake explains, is an attendant notion of de-allocation: removing access privileges for employees or business partners after they’ve retired resigned, or been terminated.

IT organizations typically have enough trouble addressing the first phase of enterprise provisioning—allocation—Drake indicates, but when it comes to phase two—de-allocation—they almost always drop the ball. “When employees leave, when companies attempt to manage [de-allocation] manually, it’s almost impossible to go out and find where these things were and remove them.”

In Drake’s experience—he came to IBM from Access360, where he was an executive vice-president—approximately 40 percent of user privileges in many large enterprises have been “orphaned” by employees or business partners who are no longer affiliated with an organization. This sets the stage for any number of potentially disastrous scenarios, he warns. “In the world of identity theft, companies realize that when it comes to a security risk, the most insecure part of the enterprise is [in situations where] it’s a valid user, because they understand the systems and they understand where the data is.”

A product such as TIM reduces the risk of such attacks, Drake says, by automating the process whereby privileges are provisioned in a distributed environment. First of all, TIM will obtain an organization’s up-to-date employee information by tapping into its HR databases and business partner directories. This gives it what Drake calls an “immediate feed” into the hiring, firing, or movement of employees. “TIM… automates the process so that when that user is added into the HR system, an automatic feed is sent to TIM, and TIM goes out and configures that user with all of the access that they need.”

TIM supports a wide variety of packaged HR applications straight out of the box, but for companies that run custom or proprietary systems, Big Blue provides a toolkit that facilitates integration with TIM. “We can connect to any data repository, and they’re generally unique, and people use the data in different ways. But the result is the same: When someone new is added, we get an immediate feed, when someone leaves, we get an immediate feed.”

Drake says TIM itself is capable of integrating with any LDAP repository or any database. “We can basically connect to any type of system, any type of LDAP repository, any database. And then all of the popular systems and applications you might be able to dream of.”

All told, TIM supports dozens of common applications and operating systems, Drake says. Moreover, he adds, IBM releases new TIM agents every month.

In late December, Big Blue formally closed the books on its acquisition of Access360 when it released TIM 4.4. IBM initially shipped a 4.3 release of TIM in October, but Drake says that TIM 4.4 marks the full integration of Access360’s enRole identity management software with key IBM middleware—such as WebSphere—and other IBM software.

Even though enRole has now been re-branded as an IBM product, Drake says that it will continue to support and integrate with third-party products—even those from IBM competitors. “It still supports the BEA application servers, it still supports other LDAP repositories [that compete with IBM’s Directory Server], it still supports [the applications] that it did in the past, and we’re releasing agents for new systems very, very rapidly.”

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.