Category: ID management
Product: IMAG 500
Vendor: Apere
Price: $15,000 for a single device
Apere's IMAG 500 appliance aims to simplify the complex maze of
identity management through the automatic discovery of distributed
identity stores, consolidation, reconciliation and provisioning of
all user accounts, and access to practically all network resources
through a single control point.
It's an attractive proposition, but we found the implementation
rough going.
Configuration/Management: D
Setup was difficult, ultimately requiring the company's technical
support to remotely access the device to assist with the
configuration process. Although Apere claims that the device can
learn the location and type of applications, each application
required manual configuration.
Basic device configuration is like any other appliance: You set
up DNS servers, email servers, log servers and VLANs.
Things got sticky when we tried to add authentication resources
and user stores, particularly for Web applications. Because user
accounts don't generally live on the Web server itself, IMAG
doesn't have a way to tie users to the resource they need to
access. In the absence of an API, you have to enumerate users from
each identity store and reassign the resource that IMAG associated
with the users. You then have to get the user information, reformat
it and redirect the allowed resources for those users to point to
the Web server.
Rather than use an Active Directory domain, for example, the
provisioning process requires an "authoritative list" in a
specifically formatted comma-delimited text file.
Further, IMAG wouldn't recognize user formats used by key
applications such as SQL Server and Project Server for AD accounts.
As a result, these IDs must be manually matched to their account on
the user store.
Policy control: D
Access control entries are based on user ID, VLAN and IP address,
but IMAG lacks a proper grouping mechanism, so it can assign only
one or all users, for example, to a resource. Anything in between
will require extensive work to set up.
Policies provide the ability to control which users or groups of
users can access particular applications, but are only usable when
the device has been deployed in an in-band configuration. When
deployed out of band, IMAG can still serve as a central ID
consolidation and reconciliation point, but any other benefits are
lost.
Effectiveness: D
IMAG has some major challenges to overcome. An ID management
solution needs to be able to effectively link and manage identities
from stores of user accounts. Tasks such as importing users from
identity stores and consolidating them proved extremely difficult.
Some of the most basic applications, such as SQL Server and LDAP,
were a major challenge.
Proper user provisioning requires that you manually create an
account in each application and assign that user to each resource
via the user interface.
Reporting: B
Reporting is handled through an easy-to-use Web interface. Each
report is customizable, and canned reports are available for
applications, authentication stores and user provisioning.
You can research orphaned users, unmanaged resources and user
stores that have not been reconciled. Each report can be filtered
based on criteria such as specific users or resources.
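The two pain points the review describes, an authoritative comma-delimited list that has to be matched by hand against per-application account names in differing formats (DOMAIN\user for SQL Server, user@domain for Project Server, an LDAP DN), and the orphaned-user and unreconciled-store reports, are essentially one reconciliation job. The following is an added example of that job, written for this review and not code from Apere or Information Security magazine. The CSV column names, the sample store exports and the rule that the bare name in each format refers to the same account are all assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample "authoritative list" in the comma-delimited form the
# review describes. The column names (user_id, display_name, status) are
# assumptions for this example, not Apere's format.
AUTHORITATIVE_CSV = """user_id,display_name,status
jdoe,Jane Doe,active
asmith,Alan Smith,active
bwong,Bea Wong,disabled
"""

# Constructed account exports from several stores, each naming the same
# AD account in its own convention (the mismatch the review complains about).
STORE_ACCOUNTS = {
    "sqlserver": ["CORP\\jdoe", "CORP\\asmith", "CORP\\svc_backup"],
    "projectserver": ["jdoe@corp.example", "tjones@corp.example"],
    "ldap": ["uid=jdoe,ou=people,dc=corp,dc=example",
             "uid=bwong,ou=people,dc=corp,dc=example"],
}

_DN_UID = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def normalize_account(raw: str) -> str:
    """Reduce DOMAIN\\user, user@domain and uid=user,... DN forms to a
    lowercase bare account name so entries can be compared across stores.
    Assumption: the bare name is the AD sAMAccountName in every format."""
    s = raw.strip()
    m = _DN_UID.match(s)
    if m:
        return m.group(1).lower()
    if "\\" in s:
        return s.rsplit("\\", 1)[1].lower()
    if "@" in s:
        return s.split("@", 1)[0].lower()
    return s.lower()


def load_authoritative(csv_text: str) -> dict:
    """Parse the authoritative list into {bare_account: status}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize_account(row["user_id"]): row["status"].strip().lower()
            for row in reader}


def reconcile(authoritative: dict, stores: dict) -> dict:
    """Per store: matched accounts, orphaned raw IDs (present in the store but
    not on the authoritative list), accounts still present although the list
    marks them disabled, and active users missing from the store."""
    result = {}
    for store, raw_accounts in stores.items():
        seen = {normalize_account(a): a for a in raw_accounts}
        matched = sorted(a for a in seen if a in authoritative)
        result[store] = {
            "matched": matched,
            "orphaned": sorted(seen[a] for a in seen if a not in authoritative),
            "disabled_but_present": [a for a in matched
                                     if authoritative[a] == "disabled"],
            "unprovisioned": sorted(a for a, st in authoritative.items()
                                    if st == "active" and a not in seen),
        }
    return result


def unreconciled_stores(report: dict) -> list:
    """Stores that still have orphaned or disabled-but-present accounts."""
    return sorted(s for s, r in report.items()
                  if r["orphaned"] or r["disabled_but_present"])


if __name__ == "__main__":
    rep = reconcile(load_authoritative(AUTHORITATIVE_CSV), STORE_ACCOUNTS)
    for store, r in rep.items():
        print(store, r)
    print("needs attention:", unreconciled_stores(rep))
```

The orphaned list is what a reviewer would hand to application owners; the disabled-but-present list is the more urgent one, since a lingering login for a user the authoritative source has already disabled is exactly the gap reconciliation exists to close. The name-collapsing rule is the weak point: in a real directory the UPN prefix need not equal the sAMAccountName, so a production version should pull that mapping from AD itself rather than infer it from the string.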
Verdict
Apere says many of the issues we encountered are addressed in its
next release, but mid-enterprise businesses may not have the
tolerance for a product with so many features missing or
unfinished.
Testing methodology
Our lab included a single Active Directory domain and a single LDAP
tree. User accounts were enumerated from various sources such as
MySQL, SQL Server, Web applications and various client-server
applications. User roles such as administrators, power users and
end users were set up to test access controls.
This product review originally appeared in the January 2007
edition of Information Security magazine.