Microsoft's Identity Life Cycle Management Strategy And Roadmap Part 2: ILM 2007
This is the second post in this series. In the first one I talked about Microsoft's philosophy and vision for Identity Management. In this post I'll look at our current offering, Identity Lifecycle Manager 2007.
Identity Lifecycle Manager 2007 brings together metadirectory, certificate management, and user provisioning across Windows and enterprise systems into a single packaged offering.
Let's talk about each of these capabilities briefly.
- With the metadirectory capabilities in ILM 2007, you can have a single view of the user across all your enterprise systems. ILM 2007 keeps this view consistent across all of the connected systems.
- The certificate management functionality in ILM 2007 enables you to dramatically reduce the cost of deploying and managing certificates and smart cards. ILM 2007 automates the process of issuing and revoking certificates based on workflow, so approvals and notifications are integrated into the solution.
- ILM 2007 provides a solution for provisioning and deprovisioning users. With ILM 2007 you can provision a user’s accounts, synchronize their passwords, and manage their certificates through the same process.
Now let's drill into each of these features a bit more:
ILM 2007 Metadirectory Services
ILM 2007 metadirectory services provides a solution that synchronises identity information from all the connected identity stores. ILM 2007 includes over 30 different types of connectors, or management agents, out of the box so you can connect to the leading directory services, email systems, databases, mainframe systems and line of business applications. For other systems, ILM 2007 provides an extensible management agent that you can use to build custom connectors for your legacy infrastructure and applications.
One of the strong points of the ILM 2007 metadirectory is that it helps you keep identity data consistent throughout your enterprise, and automates the process of reconciling and cleaning up disparate identity data across the various stores. The importance of this reconciliation and clean-up process cannot be overstated: it is a critical first step to delivering identity lifecycle management solutions, such as provisioning, that layer business process on top of this identity information and synchronization. Without ensuring that your identity information is clean and consistent across your organization, it will be difficult to be successful as you add business process on top.
That said, the ILM 2007 metadirectory is truly the foundation for identity life cycle management solutions, enabling you to do things like:
- Automate user provisioning
- Manage global address lists
- Automate group and distribution list management
- And ultimately put you on a path to take advantage of the solutions in ILM “2”
ILM 2007 Certificate & Smart Card Management
ILM 2007 certificate and smart card management provides a single place to administer digital certificates and smart cards. One of the biggest costs of getting to strong authentication is the deployment of certificates and smart cards. ILM 2007 automates this process and dramatically lowers the cost of deploying and managing certificate-based credentials such as smart cards.
You are able to set up and configure workflows (i.e., approvals) to do a number of things for your certificate environment, including:
- Managing the process of enrolling, renewing, and updating certificates
- Replacing smart cards that are lost, or issuing temporary cards in the case of someone forgetting their card at home
- Revoking certificates or retiring or disabling smart cards when an employee leaves your organization
ILM 2007 certificate management provides detailed auditing and reporting for the activities that take place in your Microsoft certificate infrastructure.
ILM 2007 also supports admin-based or self-service smart card PIN reset as well as key recovery.
ILM 2007 User Provisioning
ILM 2007 automates the process of provisioning and deprovisioning user accounts, mailboxes, and group and distribution list memberships. With ILM 2007 you can manage the process of providing users with the access and assets they need to do their jobs. When an employee switches roles, say from a finance to a marketing role, the accounts and access they need for the new marketing role are added, while their account in the finance application is revoked since they no longer need it to do their new job. When an employee leaves the organization, ILM automatically disables their accounts and access so they can’t log back into systems once they are no longer an employee.
ILM 2007 also enables you to extend your user provisioning solution to integrate with existing solutions such as portals or identity management tools you may have already developed. In addition, ILM 2007 provides a foundation to extend to partner solutions that include additional connectors, complex workflow, or self service portals.
So that's about it on ILM 2007. In the next post I'll look at some of the exciting new features available in ILM "2".