Introducing Fischer Identity™
Identity management (IdM) enables organizations to automate many of the outcomes required by regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, J-SOX, PIPEDA, and the European Privacy Directives. Best practices dictate the use of preventive, detective and corrective controls. Without IdM, compliance effort and costs are higher and are likely not sustainable, but comprehensive compliance requires the capabilities and stability available only with advanced, well-architected IdM suites. Interoperability technology must be at the solution’s core to enable rapid, simple, and widespread deployment across firewalls, domains, locations, and even across enterprises, since partnerships can increase the risk of noncompliance. In addition to improved compliance, IdM solutions provide many trickle-down benefits, including cost savings, reducing the efforts of auditors, making workflows self-documenting and easy to understand, and so on. These solutions are the key to long-term sustainability of identity-related compliance at the lowest possible cost.
Identity Management (IdM) is vital to managing compliance and security and is one of the keys to preventing identity theft and fraud. It is essential for business efficiency and responsiveness to business changes. However, leading analyst organizations report customer dissatisfaction with traditionally architected provisioning initiatives:

“There is a consistent message from UP [user provisioning] customers that UP products are still too complex to implement and maintain on an ongoing basis and, therefore, require too much technical support from the vendor and/or systems integrator.”

“C&SI [consulting and system integration] costs remain high due to the unbalanced state of customization required by the enterprise versus product and practice maturation rates.”

Technology must facilitate the business requirements of organizations rather than dictate which business choices are available. In addition to providing the features required for business, it is important for the solution to have a robust architecture and support any procurement model. Fischer Identity is the only solution meeting these requirements. This paper highlights the capabilities of Fischer Identity. Details are provided in the Fischer Identity Suite™ Architecture Overview white paper.
2. Fischer Identity Capabilities
2.1 Compliance & Audit
Fischer Identity helps organizations of all sizes comply with a wide array of regulations such as Sarbanes-Oxley, HIPAA, FERPA, etc. Automated preventive, detective and corrective controls discover and remediate compliance violations as well as simplifying reporting, recertification, audits and audit preparation. Organizations can easily recertify access to resources, reduce audit preparation, and quickly provide reports to answer audit questions such as “who had access to what, and when.”
2.2 Provisioning
Provisioning ensures security and enterprise workforce effectiveness by providing appropriate access to IT resources such as accounts and privileges as well as controlling non-IT resources like credit cards and badges. The provisioning (and deprovisioning) processes can optionally require approvals and are initiated 1) through user-friendly self-service pages, 2) via requests from managers, or 3) automatically as events occur on connected systems.
2.2.1 Request-Based Provisioning
End-users and managers can easily initiate the provisioning process by selecting enterprise business roles and resources for themselves or for their employees / business partners, and their requests can be automatically routed for approval. Request-based provisioning typically requires a shorter implementation time and can be used as a complete solution, as the first phase to automating role-based provisioning, or in combination with role-based provisioning.
2.2.2 Role-Based Provisioning
Business events such as hiring a new employee can automatically initiate the provisioning process; for example, when Human Resources enters a personnel action in an HR or contractor management system, the organization’s rules determine which resources are provided based on factors such as a person’s location or membership in a specific department. Role-based provisioning can also be combined with request-based provisioning, especially when some resources are required by very small groups of users.
2.3 Self-Service Portal
The Self-Service Portal enables a variety of actions such as requests for resources, approvals, password resets, user profile management, recertification processes, etc. It was designed for clarity and ease of use, which is vital since users typically use it only occasionally. Organizations can also specify the features available to each user, which simplifies usability.
2.4 Password Reset and Synchronization
Users can securely reset their forgotten passwords without calling the Help Desk, which improves the user experience and reduces costs. Fischer Identity enforces the organization’s password policies and can automatically synchronize a user’s passwords for accounts on multiple systems. Help Desk representatives can also manage a user’s passwords for all systems and applications, which avoids the need to learn a proprietary interface for each system. It also eliminates the risk of catastrophic errors, since Help Desk representatives no longer hold more privileges than their tasks require.
2.5 Privileged Access Management (PAM)
Organizations can control their “keys to the kingdom” by managing administrative and shared accounts that are often highly privileged but cannot be traced to an individual user. These accounts are frequently the targets of identity thieves and others (insiders and hackers) because they can bypass controls to access or destroy sensitive information without being traced. PAM also eliminates the need to store passwords in an organization’s scripts that must log in to various systems and applications. Such scripts are very common and create a significant security vulnerability, since anyone who gains access to a script can read an administrative password and breach the system, likely without being traced.
2.6 Federated and Web Single Sign-On
Users can be permitted to sign on securely, with a single sign-on, to Web and SaaS applications as well as to resources in partner organizations, which improves the user experience and reduces calls to the help desk for forgotten passwords. This enhances privacy, since user information does not need to leave the enterprise. Users are also deprovisioned from federated applications when appropriate. Federation also provides a fast method of secure access control for large populations of users without the labor and delay of creating individual accounts for each user. Federation complements Fischer’s other offerings such as provisioning: rules and processes are enforced so that users receive the correct privileges for Web and federated resources.
2.7 Enterprise Business Roles and Role Engineering
Enterprise business roles represent groups of persons who perform similar functions and need similar resources to complete their duties. Fischer’s “top-down” hierarchical role engineering enables organizations to manage access, audit, and periodically recertify their populations for accounts, entitlements, and roles.
2.8 Interoperability / Connectivity
Fischer Identity includes a wide array of connectors and a unique architecture designed to quickly connect disparate systems, even across enterprises. All configuration can be performed centrally without the need for additional technologies such as VPNs, which speeds implementation and reduces costs.
2.9 SAP User Administration
Authorized users can use the Self-Service Portal to administer SAP user accounts. Organizations can safely transfer mundane tasks from SAP administrators so they can focus on tasks with higher value to the organization. This also eliminates the need to create and manage additional SAP administrative accounts and permissions for user administration.
2.10 Mobile Identity Management
The Fischer iFly mobile interface enables authorized users to approve provisioning requests and reset passwords from their mobile devices. This enables organizations to choose the best individuals to approve provisioning requests without regard to whether the person will always have timely access to a PC. Business processes do not need to be delayed when approvers travel.
2.11 Implementing, Maintaining and Extending IdM Solutions
The challenges associated with implementing and maintaining traditional IdM solutions are well known: IdM projects typically take much longer and cost much more than originally planned. Organizations also complain that they must schedule a project team to make even a small change, and they don’t dare make significant changes: many organizations have developed manual workarounds for new business requirements, since changing a traditional IdM solution can present unreasonable business risks.
In contrast, organizations can quickly and cost-effectively implement Fischer IdM solutions. The flexibility of Fischer Identity also enables organizations with IdM solutions from other vendors to preserve their investments while expanding their IdM capabilities to support additional business processes and additional connected systems.
3. Identity Management Procurement Models
Organizations can choose the procurement models that best fit their current needs and have their investments protected if they need to change to another model in the future. Fischer supports the full spectrum of business procurement strategies. Regardless of the procurement model or the complexity of the requirements, Fischer Identity is rapidly implemented and supports unforeseen business changes.
3.1 On-Premise Software Model
This is the traditional software-as-a-product approach where the organization owns and manages the solution. The organization has full control of all aspects of the solution including the timing of upgrades, customizations, etc.
3.2 Outsourced On-Premise Model
This is an outsourced model where a service provider furnishes the implementation services required to run the solution on the client’s premises. The complexity and software requirements for this model are consistent with those of the traditional on-premise software-as-a-product model.
3.3 Software as a Service / Cloud Model: Identity as a Service® (IaaS®) Model
In the SaaS / Cloud model, a service provider owns the infrastructure, hosts the software in its own facility, and makes it available to clients on a subscription basis. Such solutions typically employ a multitenant (one-to-many) approach where at least some of the assets are shared among multiple client organizations. Since connected systems typically reside at the client’s locations, Fischer’s cross-domain capabilities enable rapid and cost-effective connections to each client organization.
3.4 Shared Services / Private Cloud Model
The shared services model is similar to a SaaS model except that the “service provider” is the organization itself or is closely related to the client organizations. For example, one university in a statewide system could act as the service provider for other colleges and universities within the state.
3.5 Hosted Model
In the hosted model, the solution is operated by the service provider and is physically located at the service provider’s data center. The solution and infrastructure are typically dedicated to a single client organization and can be owned by the client organization or can be procured as a subscription service.
Fischer Identity provides a rich set of features in a robust architecture. It is the only IdM solution that can be implemented using any procurement model: SaaS, hosted, outsourced on-premise, and software-as-a-product. The same solution cost-effectively supports a wide range of business sizes, from small and medium businesses to the largest multinational corporations.
Gartner. Witty, R. J., Allan, A. & Wagner, R. Gartner Magic Quadrant for User Provisioning.
Gartner. Perkins, E. IAM Consulting and System Integration, Part 1: Market, Trends and Impacts.
Gartner. Desisto, R. P. & Paquet, R. How to Evaluate SaaS Architecture Model Choices.
Forrester. Cser, A. Identity-Management-As-A-Service.
Document MCB-08-401F February, 2014
Copyright © 2007-2014 Fischer International Identity, LLC. All rights reserved.
Fischer International, Fischer International Identity, Managed Identity Services, Managed Identity Services Technology, Identity as a Service, IaaS, the Fischer International Logo, Global Identity Architecture, Built for Business…Yours, and all other Fischer product or service names are the trademarks and/or registered trademarks of Fischer International Identity.