Symantec Identity Governance and Administration Reviews

The most valuable features of this product are the legacy interfacing - interfaces with our mainframe - as well as provisioning.

It gives the end users power for their other access requests.

User interface and usability are mainly the features that need improvement.

I'm not sure if the new release includes 508 compliance for blind and deaf users. That would be a nice feature to include, especially for the government space.

The stability of this product is okay.

Scalability of this product is something that we need to look into.

The technical support team is good. Actually, we have a CA support team onsite which is good. They have been able to answer all our questions.

I wasn't involved in the decision-making process for purchasing this product since it was taken a while back.

I wasn’t involved in the initial setup process.

User interface is an important feature, especially in the sector from where I am coming from. Later releases are just allowing a user to know what to do in the product.

I would wish others good luck while purchasing this product.

One of the primary features we use is the password reset. The challenge we had was that our helpdesk had to manually reset customers in the field and reset their passwords one at a time, so we implemented CA Identity Manager to allow us to automate this self service reset of passwords.

One of the biggest benefits is the reduction of calls to the help desk. We reduced by a third our calls for password resets because users of the system could then reset themselves using the challenge questions and you know, people forget passwords it's an easy function. That was a huge benefit.

We are actually looking at something to make it easier from a user front end. The helpdesk does a lot of work today, so we're looking at another product from CA. I think it's called the Identity Suite.

Make the maintenance and the updates easier. As well as a more intuitive interface.

It's been very solid. We went live a year ago, so almost 18 months and it's been rock solid.

It's been very good. We have above 40,000 users on that platform and we never have any issues.

We haven't had any issues that required us to go to technical support, so it's really been very good.

We were using a product from Oracle - OID. Primarily it was all home grown, we had to build the backend database, we did some interactions, so it was really a custom solution and it wasn't as scalable, and it didn't have the security features. Rather than invest our development effort into creating security components, partnering with somebody made more sense.

Converting from our old system took a little bit of work. We had a lot of old database access accounts that we had to move over, again, 40,000 or 45,000 but once we took care of that it was pretty painless.

We compared a couple of other vendors. Some of the newer ones are cloud-based, we weren't comfortable with that yet.

The most important criteria when selecting a vendor is stability, the quality of their product, price is always a factor; to make sure you can afford it. We looked at what we had, switching to a new product then we compared it with several other vendors. We typically would go through a matrix and say, "Okay, here are all the items that we feel are important," so when we make that decision you can go back and say this is why and how we made it.

Rating: I'd say probably 8/10. Again, we haven't had any issues from a support perspective, once we've implemented it it's been very solid, people love it and we've saved a lot of money and time from the help desk perspective, so it's been a good investment. I'm really hard on numbers, so 9 or 10 is like impossible.

With security, you have to have a culture of security, and protecting the accounts and passwords and access has to be number one, given every time you see a breach in the news, it's because somebody is not taking care of security. It's top of mine.

It's [CA Identity Manager] done exactly what we want it to. We've actually branched out and done some additional federation logs and stuff like that. Because of the success we've also looked at some other products like CA Advanced Authentication from a external consumer standpoint. It's been a good partnership with CA.

I would say the most valuable feature is provisioning where we are able to provide user access to all the resources they need in a uniform way that we can audit. We don't need to spend a month going to every individual server, every individual database granting user access. We can do it from one central place.

For SiteMinder, is the ability to bring applications under its protection very quickly and ability to partner with other companies through Federation and SAML using open standards to do authentication. We are able to partner with other vendors much more quickly no because before we had to do our home grown authentication things and they had to adapt to our non-standard way of doing things. Now, we have open standards. We publish a document to them with our SAML configuration, the documents we are going to be sending them and they code to it. We get on board very, very quickly.

For one, you don't have to remember a thousand passwords. You just remember one. You go to a dashboard and then you'll be given access to the environments you need. Two, there is more security because the passwords that it generates are very, very large. They change very often. It's not something that can easily be guessed and your infrastructure is more protected this way.

Something to help us migrate our code between environments from QA to UA to production in an easier way. That would probably be the big one.

They seem very, very stable. Ever since we put them in place we didn't have to do much in terms of bug fixes. They just work out of the gate. Part of the reason we had that is because we couldn't have the point from a single server so there is no fail over, even though the two supports that we have not configured this way yet.

We didn't have to face any scalability challenges yet because we only use it for our members, which are about 40,000 accounts, which is nothing for two of that size. We haven't had any issues, but we haven't had much load.

They have been very good to us. We also partnered with Simeio which is a preferred partner for them. They have been working very, very closely with us. They have been very responsive in communication. They have developed patches for us whenever we needed them.

We did use previous solutions. We used a very old Oracle SSO, Oracle OID, and Oracle IDAS, all of which were unsupported by the time we went to upgrade.

It was straightforward on the SiteMinder side. On the Identity Manager side, it was a little more complex because we had to maintain a certain legacy items. We have some authorization settings stored in databases that we need hook Identity Manager to and have it manage those. We had to create some custom code to do that. It wasn't too difficult.

We are looking at another tool from CA Advanced Authentication for our guest site, which is then millions of users. So far, we are still in QA, but it seems that it will scale just fine.

We rely on word of mouth. We try to see if anybody has experience with working with this vendor. We're looking, not just for a vendor or a partner, we're looking for somebody who could be open, who can truly collaborate with us where we can exchange information freely and have both parties benefit.

We really do not like having this vendor relationship where you throw something over the fence and you have this contract that tries to encompass everything. We want to have somebody that, even though our contract is limited to something, if it's something that either party is obviously responsible for, we can do it and we don't argue over little things.

I would say go for it. You won't regret it. I think they're a very good products, very mature products. SiteMinder is synonymous with single sign-on. Identity Manager - it's a great tool.

Identity Manager allows us to have a programmatic and paradigm shift in the way that we handle identities within our organization. What we had in the past was sort of a homegrown-built system to manage identities. That is individuals coming onto our systems and out of our systems. With the Identity Manager product, we're able to automate that in a way that we couldn't in the past. The single largest improvement has really been the ability to take what was a paper sort of process, e-mail sort of process, manager phone call process, down to an automated process which allowed us to go from one week to provision someone to ask the appropriate access down to about two hours.

We've met with the product development folks, and as far as improvements, we're really looking at them from a user experience. While all the key components are there to make the product work very well, what we're looking at is enhancing the product to have much more of a more modern approach and look and feel.

The actual application is very well designed and architected, and is very stable. We're very happy with the solution so far. The product is easily scalable and horizontally in that manner, so what that allows us to do is as we onboard more and more applications as endpoints for the Identity Manager, we're able to scale appropriately. Horizontal scaling is the ability to basically say, "Hey, I have ten more endpoints. I need two more instances of the application to manage those endpoints." It's easy to just instantiate them, as opposed to us having to buy bigger and bigger boxes to manage with more memory, more compute, more storage to manage those entities.

Technical support from CA comes in two forms for us. The first one was regard to their sort of, what we call, staff augmentation model. Well, they helped us to understand the paradigm for a using Identity Manager, while at the same time helping us to understand how to use the actual product. The support that comes afterwards, which is also excellent, comes in the fact that they have forums for us to interact with. They also have sort of escalation procedures that we have a chance to work with, and so that supports us from both ends of the project. The introduction as well as the ongoing maintenance.

In the past, we did sort of a simple sort of management of identities through, what we called, the manager calls you up and says, "I'm identifying the following person." It was sort of ad hoc, so to speak. With the Identity Manager product, in conjunction with the identity governance product, we were able to define roles, enterprise type roles, and then use the identity minder product to push those role's accesses out into the application world.

I think the actual product itself is fairly simple and straightforward. The difficulty comes in trying to understand what is a paradigm for identity management in the context of this particular product.

Selecting a vendor is important to us. We need to make sure to pick the right vendor. Firstly, we look at are they one of the vendors we currently work with. Consistency in approach, consistency in the technology, consistency in the style, is all important for us. The product in and of itself is good, but what you need is a holistic approach from your organization, because identity management is not just simply a one area focus. It is an organizational issue. Make sure to include all the areas of the organization. We had a sort of homegrown applications that we wrote. Scripts and programs that were wrote to manage in the context of our current applications.

It is really important that we find out what the community thinks of these products. They have been through the war, so to speak, and their ability to learn and understand what the shortcomings were, what lessons learned happened for them in their particular context, is really important for us. Simply getting a White Paper is great. It's a starting point, but I like to augment that with blog reviews and understand what the rest of world thinks about our product, especially when it comes to critical products like something like an identity management system.

We are using the IDM solution for customer identification and authorization. We just started the project about a year ago. We have already implemented IDM on our website and our mobile applications. So far it's looking good. It's an interesting question because what we are getting back from our customers, they're quite afraid of what's happening because we have actually gone down from three identifiers on our website to two. In our mobile applications, we are now enabling one identifier and we have just implemented fingerprint recognition. Our customers were calling us and asking "look we are seeing cyber attacks happening, identification being stolen all over the world. How are you actually going down and using only this parameters for identification?"

I think that the CA product enables us to do that. Get more security with lesser need of user identification.

There are actually quite a few nice things on the CA roadmap in the future. I think to have ability to enable our customers to have different roles, because we have customers that they can be a private customer, they can be part of an organization or a corporation and they need to have different roles. I think that's still something we will see in the future. We have some basic product to do that and we are starting to implement it but it will take us some time to get there.

It was a journey because when we started the project, we had trouble. We couldn't get the system easily installed, up and running but over the time we installed a different project from CA. Which is called Wiley [CA APM] which really enabled us to get things smooth, up and running and for the past 6 months we haven't had any defaults in the system.

We started off with 10,000 customers on system, it looked good. Now we have about 1.6 million customers on the system, no problems at all.

We had a technical support locally in Israel from CA but we were referred to CA Laboratories Worldwide. We had good support from them.

Cyber security in these days is a very important issue as we all know. We had an old system, we saw that we cannot move ourselves into the digital age, the banking digital age, without a robust system that will enable us the capabilities we needed. We started looking around for a new platform quickly. We sorted out that CA's the best product for us and that is really the product we are based on to do our digital transformation in our bank.

Since we are discussing a very vulnerable system which would actually be the front-end for our customers, at the end of the day. We had to take it really slow and we got the system up and running, co-existing with our old system. We did a lot of tests, we had, as I said before, a few customers on the system before we actually started to deploy. It took us about 8 months to get things up and running smoothly. Then we had the confidence to really migrate our customers to the new system.

We have long, long list of parameters that we, of course, check. It's about 5 pages of criteria and of course robustness, the ability to go forwards as a system over long years. Transforming to such a system is a very long process. We want to have a system that can be up with us for at least 10 to 15 years. We checked it quite thoroughly, we of course talked to other organizations that had the system. We think we had made a good decision.

As it looks for now, it looks as an 8/10. I believe that it can go up to 9 and 10 in the future. I think that stability issues in the beginning of the process are a major thing. Getting the system up and running smoothly took us quite a few months. The main area would be the security area of course. Even our own employees, for example, cannot see customer data on the system. It's all encrypted so we don't see passwords, we have limited viewability of what's happening on the system in the security areas. I think that the system that's built to disable our own employees from data leak prevention aspects, almost unable entirely to take our data out of the system and share it with someone. That's a main factor having a security system in our organization.

We previously manually provisioned staff, but now Identity Manager allows us to do auto-provisioning. Auto-provisioning means that when there's any HR activity associated with an employee, it automatically, for example, de-provisions if the employee is fired or moves positions with different access privileges.

We used to have a manual for new hired instructing them to send and email or make a phone call. It used to take 7 days for this process, for example, if we hired a $200/hour consultant. It didn't matter from a security admin perspective because they knew the new hire was coming on board, but it took a lot of manual effort and time.
Now that we have auto-provisioning, we just define the provisioning rules for access privileges and defined, targeted endpoints.

I'd like to see it better integrated with the other CA security products.

We've had no issues with deployment.

We're still executing Identity Manager, so far we haven't had a very bad experience. It looks like it's good, but we still have to learn a lot about how to use the product, but so far from what we've seen, it's a prominent product.

We scaled for fifteen targeted endpoints. We are still at six, so we are still within the scoping half of what we anticipated. So far, so good.

The initial setup was IDM v8, but we could not really upgrade to v12. I don't remember on top of my head what were the technical reasons because the product has changed quite dramatically. It's a completely different architecture and everything, but the migrations we are doing now, from one version of 12 to another is quite straightforward.

Have something in your mind, like a handful of targeted endpoints. Stick with them, implement it, then extend to the others. Don't just change your scope.

The most valuable features include governance certification and creation of rules. Ones the rules are created, they're put into IdentityMinder so that IdentityMinder can use those rules to provision all the users from provisioning or de-provisioning based on HR processes to create targeted endpoints. One of the targeted endpoints is used as the authentication alteration source for CS. What Identity Governance does is that it allows us to see the full, big picture of all this inter-connectivity.

The product is great with good fundamentals from its Integrity days some 16 years ago. The product is still living on the same principles, even as federation, cloud, B2B, and add-ons came into the picture. It has the core fundamentals and it's still sophisticated.

The technical support for this particular product is really poor and needs a lot of work.

The stability of it seems good so far. Right now we are using rule mining, rule certifications, rule accessibility and GovernanceMinder. They're working fantastically.

Technical support is a fail.

I wasn't involved in the setup.

Be sure to define your scope properly.

We had a big problem with accounts synchronization provision as we used a very old identity manager solution, and we needed to change it. Then we acquired the new CA solution and we changed the solution. 

It was a big challenge to change in only four months to CA Identity Manager, but we did it. Now we have accounts synchronization and self-service password reset. 

Over the next two years, we will implement a new solution with CA for the accounts to put in Identity Governance. We need to implement 70 new systems inside Identity Manager.

We use CA products because we have specific programs. For example, we use IBM WebSphere, and Identity Manager works with it. We implement and both sides achieve development and production, and we consider higher capability.

My team doesn’t have much experience, so we need to hire a professional to work with us on site every day. This is difficult. I have 2700 servers and we have another project when 90% is obligated to use them but only 10% is a physical server.

At the moment, stability is so-so. We implemented this solution last month and the CA professional worked with us every day and made some configuration. I think our level of stability is normal for this stage.

We made a request for a proposal to which IBM, Oracle, ISA, and CA responded. CA and Oracle were proven because the other ones didn’t agree with the time, four months, which is a big challenge. When my architecture team and security team checked the solutions, CA has a better score than Oracle, and they had a better price.

You have to plan what you need. I had a bad experience in the past with an Oracle solution as my last company didn’t know what they needed. It's important to know what you need and where you can go. You need to have your systems and your integration prepared. We have had some surprises.