The mainframe’s high costs mean it isn’t always the most cost-effective choice for running IAM applications such as user provisioning, access management and administrative functions, according to Gartner vice president Earl Perkins. However, IAM work that runs on the mainframe’s specialty processors doesn’t consume Million Service Units (MSUs) on the general-purpose processors, on which monthly software charges are typically based. For instance, Tivoli Identity Manager (TIM), Tivoli Access Manager (TAM) and Federated Identity Manager (FIM) can run on the Integrated Facility for Linux (IFL), while TIM and FIM can also run on the System z Application Assist Processor (zAAP).
“Consider identity management as having two layers,” Perkins says. “The bottom layer is access—all the things an identity management application must do to enforce access to an application or service and manage access to them. The top layer is administration. Administration involves all the things required to perform such tasks as create an identity, get approval for that identity, and do analysis for that identity. To create, maintain, get rid of, or report on identity is the top layer’s responsibility. The mainframe has predominantly been focused on the access layer as the gatekeeper, making sure the right people get access to its resources.”
“Mainframes would be especially appropriate for IAM in special circumstances such as in cloud computing,” Perkins adds.
“When you have a use case or a situation such as having large volumes of people or having to be available 24x7, that makes running IAM on the mainframe a good idea,” he says.
There is no one-size-fits-all answer, but running IAM on the mainframe can be cost-effective when the work is offloaded to specialty processors.
Multiple IAM Systems in the Enterprise
All those extensions of IAM systems to other platforms point to one thing: enterprises typically run several IAM systems in their computing environment.
“You rarely run into companies having only a single identity management solution; they usually have several that have to be managed to work together,” Burton Group senior analyst Kevin Kampman says. “It’s very challenging and expensive.”
Users often have several identities on different platforms, and roles are defined differently from one platform to the next. Wherever there is more than one system, and especially after a merger or acquisition, IT must conduct asset search and discovery as part of an effort to rationalize the enterprise’s IAM systems and eliminate overlap.
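As an added example (not code from the article or from any product it names), the following Python script performs the kind of discovery pass the paragraph describes. It takes constructed account exports from three platforms (a mainframe security manager labelled RACF, Active Directory and an LDAP directory), correlates them by employee ID, maps each platform's differently named roles onto one enterprise vocabulary, and reports people with accounts on more than one platform, duplicate accounts on a single platform, role names with no mapping, and accounts with no owner on record. The account data, platform labels, employee IDs and role names are all constructed; real exports need their own parsers.

```python
"""Correlate user accounts exported from several identity stores.

Added example, not code from the article or any vendor product. The
export below is constructed sample data in a simplified tuple format;
real RACF, Active Directory and LDAP dumps need their own parsers.
"""
from collections import defaultdict

# Constructed sample exports: (platform, account id, employee id, local role names).
# An employee id of None means the owner of the account is not on record.
ACCOUNTS = [
    ("RACF", "JSMITH1",    "E1001", {"PAYROLL-READ"}),
    ("AD",   "jsmith",     "E1001", {"Payroll Readers"}),
    ("LDAP", "john.smith", "E1001", {"payroll_ro"}),
    ("RACF", "ALEE",       "E1002", {"SYSPROG"}),
    ("AD",   "alee",       "E1002", {"Domain Admins"}),
    ("AD",   "svc_backup", None,    {"Backup Operators"}),  # orphan: no owner
    ("LDAP", "bjones",     "E1003", {"hr_rw"}),
    ("LDAP", "bjones2",    "E1003", {"hr_rw"}),              # duplicate on one platform
    ("RACF", "BJONES",     "E1003", {"HRUPDT"}),             # role with no mapping yet
]

# Assumed mapping of platform-local role names onto one enterprise vocabulary.
# The same entitlement is spelled three different ways across the platforms.
ROLE_MAP = {
    ("RACF", "PAYROLL-READ"):   "payroll:read",
    ("AD",   "Payroll Readers"): "payroll:read",
    ("LDAP", "payroll_ro"):      "payroll:read",
    ("RACF", "SYSPROG"):         "platform:admin",
    ("AD",   "Domain Admins"):   "platform:admin",
    ("LDAP", "hr_rw"):           "hr:write",
}


def correlate(accounts):
    """Group accounts by employee id; accounts with no owner become orphans."""
    by_person = defaultdict(list)
    orphans = []
    for platform, acct, emp, roles in accounts:
        if emp is None:
            orphans.append((platform, acct))
        else:
            by_person[emp].append((platform, acct, roles))
    return by_person, orphans


def rationalize(accounts):
    """Build the overlap report that an IAM rationalization effort starts from."""
    by_person, orphans = correlate(accounts)
    multi_platform, duplicates, unmapped = {}, {}, set()
    for emp, accts in sorted(by_person.items()):
        per_platform = defaultdict(list)
        enterprise_roles = set()
        for platform, acct, local_roles in accts:
            per_platform[platform].append(acct)
            for role in local_roles:
                key = (platform, role)
                if key in ROLE_MAP:
                    enterprise_roles.add(ROLE_MAP[key])
                else:
                    unmapped.add(key)  # needs a decision before roles can be merged
        if len(per_platform) > 1:
            multi_platform[emp] = {
                "platforms": sorted(per_platform),
                "roles": sorted(enterprise_roles),
            }
        dups = {p: sorted(a) for p, a in per_platform.items() if len(a) > 1}
        if dups:
            duplicates[emp] = dups
    return {
        "orphans": sorted(orphans),
        "multi_platform": multi_platform,
        "duplicates": duplicates,
        "unmapped": sorted(unmapped),
    }


if __name__ == "__main__":
    report = rationalize(ACCOUNTS)
    print("People with accounts on more than one platform:")
    for emp, info in report["multi_platform"].items():
        print(f"  {emp}: {info['platforms']} -> roles {info['roles']}")
    print("Duplicate accounts on a single platform:", report["duplicates"])
    print("Roles with no enterprise mapping:", report["unmapped"])
    print("Accounts with no owner on record:", report["orphans"])
```

The correlation key here is the employee ID because it is the one attribute every platform in the sample carries; in practice the first job is often establishing such a key at all, since mainframe user IDs, directory logins and e-mail addresses rarely agree, and the unmapped-role list is what drives the role definition work that follows.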