CyberRes NetIQ Identity Management Review
Micro Focus’ CyberRes NetIQ Access Manager (we’ll just say Access Manager for most of this review) has been a competitor in the identity management (IDM) space for quite a while in one form or another, even spending some time under the old Novell banner. With this level of history comes both high expectations and some level of curiosity as to the maturity and innovation the solution offers compared to IDM platforms with more continuity on the management and business side.
Access Manager is geared toward businesses looking to self-manage their IDM toolset, with options for running on-premises using individual software components or as a virtual appliance either on-prem or in a private cloud. Access Manager’s identity component is part of a larger family of tools focused on identity and access governance for your enterprise. But while it caters to those who need on-premises deployment, Access Manager necessarily lacks the convenience and pricing advantages of SaaS-based IDM offerings such as our Editors’ Choice award winners Okta and VMware Workspace One Access.
NetIQ Access Manager Installation and Components
Access Manager is a more traditional enterprise application than most of the others we reviewed this time around, although solutions like Ping Identity’s PingFederate still cater to enterprise IT shops looking to tune individual components for performance, reliability, and security. The appliance-based installation offers flexibility of a different sort because it lets you set up Access Manager in a more controlled private cloud environment. Either option does require more in terms of installation, configuration, and maintenance than Identity as a Service (IDaaS) solutions, so unless your IT department is ready to absorb the additional workload (or pay for additional manpower), you may want to look elsewhere.
The four components of Access Manager are the administration console, identity server, access gateway, and analytics server. The roles of the admin console and analytics server are self-explanatory, with the administration console being the focal point for all configuration and policy changes and the analytics server handling the business intelligence and reporting end of things.
The identity server role handles authentication traffic, whether that be single sign-on (SSO) using a protocol like SAML (Security Assertion Markup Language), authentication against Active Directory or LDAP, or even certificate-based authentication. Finally, the access gateway serves as a reverse proxy, allowing internet-based clients to securely access legacy web applications hosted internally.
The company offers a set of installation documents that highlight prerequisites, network and firewall requirements, and even the order in which components should be installed. Additional post-installation steps are required for configuring local identity stores, again including Active Directory or LDAP.
One obvious concern with committing to an IDM solution hosted on-premises rather than buying a service is the update process. That’s particularly true of any areas you really need to keep up-to-date, like your application catalog. CyberRes gets around this by curating the app catalog online and serving up the catalog data seamlessly through the admin console, which keeps the app catalog updated and flexible while also allowing your enterprise to maintain control over the platform as a whole.
Applications that exist in the app catalog can be installed in Access Manager through a set of steps very similar to the platform’s IDaaS cousins. Once an app is selected from the catalog, there are some basics to configure such as identifiers for your instance in the web application, as well as which attributes from your directory should be utilized in the cloud app. Access for specific users can be defined using roles, with more advanced requirements such as specific authentication methods set using contracts (which we’ll cover a bit more in a minute).
For apps not available in the app catalog, Access Manager offers a connector studio, which allows you to configure custom apps using forms-based authentication or SAML. While most IDM suites provide a method to add custom applications, Access Manager does a stellar job of offering a wide variety of options while keeping things relatively intuitive, even providing a template for defining federation instructions for sharing the connector with other parties (such as other IT shops within your enterprise).
NetIQ Access Manager Policy Management
Access Manager uses policies to manage authorization to applications and other corporate resources, assign roles, and manage attribute flow using logic-based rules. Authorization policies are built from conditions that, when met, trigger actions; an action can allow or deny an attempt or even enforce a specific contract (potentially requiring elevated authentication factors).
Risk-based authentication policies provide a way to dynamically evaluate authentication attempts to determine how risky an attempt may be using factors such as geolocation, device fingerprint, or user history. The benefit of risk-based policies is the ability to leverage more intrusive authentication factors when an attempt is deemed to have increased risk.
There’s a potential for false positives, which is certainly a concern since users being inconvenienced with additional authentication requirements or outright denial of corporate resources ultimately costs your business time and money. But the alternatives are either never requiring additional factors or requiring them all the time. Access Manager gives you a high degree of control over each of the factors associated with authentication risk.
Authentication contracts, though not technically considered policies within Access Manager, are used to configure how authentication to a particular identity store occurs. Contracts are defined within a particular identity server and determine which authentication methods should be invoked when a user attempts to access an app that references the contract. If a user has already accomplished the authentication required by a contract, he or she is authenticated silently.
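To make the interaction between risk-based policies and contracts concrete, here is a small model added for this review's readers; it is not Access Manager code or configuration, and every name, weight, and threshold in it is a hypothetical assumption. It scores an attempt on the three factors mentioned above, maps the score to an action, and skips the prompt when the session has already satisfied the required contract.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    usual_countries: set   # where this user normally signs in
    known_devices: set     # device fingerprints seen before

@dataclass
class Attempt:
    country: str
    device_id: str
    failed_logins_24h: int
    satisfied: set = field(default_factory=set)  # contracts already met this session

def risk_score(attempt, profile):
    """Sum weighted factors (weights are assumed, not vendor defaults)."""
    score = 0
    if attempt.country not in profile.usual_countries:   # geolocation
        score += 40
    if attempt.device_id not in profile.known_devices:   # device fingerprint
        score += 30
    score += min(attempt.failed_logins_24h, 3) * 10      # user history, capped at 30
    return score

def decide(attempt, profile, step_up_at=30, deny_at=80):
    """Condition -> action: deny, or name the contract to enforce."""
    score = risk_score(attempt, profile)
    if score >= deny_at:
        return ("deny", None, score)
    required = "password+otp" if score >= step_up_at else "password"
    # A contract the session has already satisfied authenticates silently.
    if required in attempt.satisfied:
        return ("allow_silent", required, score)
    return ("prompt", required, score)

def demo():
    """Constructed sample data: one user, three attempts."""
    alice = Profile(usual_countries={"US"}, known_devices={"dev-1"})
    return [
        decide(Attempt("US", "dev-1", 0, {"password"}), alice),  # routine sign-in
        decide(Attempt("FR", "dev-1", 0, {"password"}), alice),  # travelling, known device
        decide(Attempt("FR", "dev-9", 2), alice),                # new country and device
    ]

if __name__ == "__main__":
    for action in demo():
        print(action)
```

The travelling user on a known device is the false-positive case discussed above: with these assumed thresholds the attempt is stepped up to a stronger contract rather than denied, and lowering `deny_at` would trade that inconvenience for an outright block.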
Micro Focus offers perpetual licenses for Access Manager for $20 per user, or $8.40 per user on an annual subscription basis. Software maintenance costs run an additional $4.50 per managed identity per year.
Overall, NetIQ Access Manager doesn’t have the benefits of an IDaaS platform or a clean, intuitive UI like most of the other solutions we’ve rounded up. However, if your priorities run more toward the need for control over the infrastructure and configuration behind your IDM platform, Access Manager may be worth a look.