Fortis

Fortis short-listed 3 package vendors and 4 service providers for their corporation-wide Identity and Access Management (IAM) system. I was part of a group to advise management on the technical suitability of each. My brief was to look after the integration needs, both of authoritative and managed systems. Moreover the new IAM system should coexist for the foreseeable future with legacy local IAM systems.

Fortis is a large group that has grown by mergers and acquisitions. Many of the systems pre-dating integration into the Fortis group still survive and are expected to do so for some considerable time. Hence, a corporate-wide IAM system must integrate with many, often disparate, technologies. Where possible, existing interfaces were earmarked for integration. However, sometimes, new ones need to be developed.

An IAM system must interface with authoritative and managed systems. Authoritative systems are the authoritative source of crucial information for an IAM system:

human resources repositories. Fortis uses SAP HR;
asset management systems track IT assets. This is in need of consolidation;

The Fortis IAM system will not act as a reference monitor, but provision managed systems. These are, in turn, responsible for enforcing access rights. Managed systems include

Active Directory,
RACF,
proprietary systems based on SQL Server and DB2 databases.

The technology of choice for internal development is .NET. All short-listed packages were JEE-based.