Posts Tagged ‘IdM’

Manage Globally. Act Locally.

Wednesday, November 4th, 2009


How identity and context virtualization will change the way we manage identities

My company invented the virtual directory to help take the complexity out of IdM. And now we’ve expanded on that idea to deliver a complete integration solution we call “identity and context virtualization.” I’d like to take the opportunity to explain what it is and why we developed it.

First off, when I say “IdM,” I mean it in its largest sense. While governance, risk, and compliance for internal populations is important, the larger and more rewarding task is helping you integrate high-value, heterogeneous identities for externally-focused initiatives, such as WAM, federation, SaaS, and more.

With that in mind, we’ve all got identities to integrate and new architectures to support.

But right now, the elements of identity are scattered across directories, databases, and applications. Reaching across all these heterogeneous, distributed data silos to aggregate and synchronize identities has proven nearly impossible.

So how do we solve today’s integration challenges and lay the groundwork for tomorrow’s modern architectures, such as user-centric identity, Identity-as-a-service, and the cloud? In short, we need to manage globally and act locally. By this I mean that we need to deliver a global view of identity, while we enforce security at the local level, as close to the sources of services as possible.

And this solution needs to be easily deployed and scalable, since nothing’s getting simpler in the world of identity, things are only growing more complex at every level.

But how can we fill such a tall order? Well, we begin with the idea that those who do not understand history are doomed to repeat it.

What won’t work: Wait and see vs. tear it down and start over

Some see the gap between the present and the future and urge caution, saying let’s wait and see what happens. Others want to throw away the current identity infrastructure and build something completely new.

But we can’t wait when it comes to staying productive and maintaining a competitive advantage. And we can’t afford to blow up what’s already there and build an entirely new infrastructure—yet another silo—to take us into the future.

Learning from the past to innovate for the present and future

So we took more pragmatic, evolutionary approach, using what we already have to develop an infrastructure with the future built in. To do that, we revisited an old idea—the metadirectory—and a newer idea—the virtual directory as a proxy—and combined the best of both worlds. The result is a solution that solves the identity integration challenges we’re facing now, while building the right foundation for all those potentially rich future applications, such as user-centric identity, IDaas, and the cloud.

Identity and Context Virtualization: The Best of Both Worlds

Rediscovering what’s old: Metadirectory

From the metadirectory, we learned the importance of building a global reference for each identity, through synchronization, correlation of global/local identifiers, and disambiguation (watch a video about identity and context virtualization). We also found tools that let us build a highly scalable solution.

The metadirectory also taught us what not to do: move every instance, every facet of an identity into a single directory. We cannot simply centralize identity to secure today’s distributed environments or enable tomorrow’s new services. For security’s sake, there are some categories of information that you cannot move around, such as primary credentials—especially passwords, the weakest link in the chain. Plus, when you try to centralize everything, putting all logic and all function in one place, you end up paralyzed by the complexity of the task.

Reinventing what’s new: Virtual directory as proxy

The “virtual directory as proxy,” which is Radiant-speak for what the market calls a “virtual directory,” solved this challenge of centralization by calling the underlying systems to check credentials. This lets security happen in the manner appropriate to each data source—by delegating the security checking, you’re “acting locally”—while providing an abstraction layer to shield applications from the complexity of the underlying silos.

But while we know the virtual directory delegates security quite elegantly, we also know that as a proxy alone, it cannot scale as the number of sources and volume of queries begin to rise.  As a consequence, the “virtual directory as proxy” remains confined to niche tactical deployments for a limited number of identities. And that’s unfortunate because the “delegation pattern” is a key requirement in many of today’s high-volume, heterogeneous, mission-critical identity deployments.

Finally, both architectures taught us that the more complete your abstraction, the better. Basically, metadirectory was not “meta” enough and virtual directory as a proxy was not “virtual” enough. The more comprehensive the model of your system, the more flexibility you have—making your infrastructure more adaptable and protecting it from unavoidable change.

Building a better platform: Identity and context virtualization

The key to delivering identity as a service is the ability to abstract identities with their corresponding security contexts, so you can deliver the best services according to your applications’ needs. The way to achieve that is by linking identity and security context through virtualization. Here’s how we do that:

  • Virtualization simplifies the entire process, acting as an abstraction layer between applications and data sources.
  • Global/local reference and disambiguation delivers one version of the truth by correlating identity overlap and building a global map of your identity. (The “manage globally” side of the equation.)
  • Proxy/delegation passes the credentials and password verification to the original source. (The “act locally” part.)
  • Synchronization provides the scalability, performance, and high availability required when data needs to be moved.

It’s not about the storage, it’s about the service…

This changes how directories are viewed. Now it’s not only about  storage, it’s also about delivering a set of services indispensable for the identity stack—and the directory is enabled to offer those services through the magic of virtualization. But this is more than a point solution that does a quick and dirty remapping of attributes and query routing; it’s a sophisticated virtualization that creates a complete model of your system.

Our approach to virtualization is all about flexibility and scalability. By building a single global data model out of all your existing systems, you have the flexibility to create unlimited new views of your existing data as your applications require. And synchronization between the logical layer and the physical layer is auto-generated, giving you a solution that scales, no matter how complex the integration, high the volumes, or heterogeneous the data sources composing the view.

The most critical element is no longer how identities are stored, but how they’re aggregated, synchronized, and disambiguated—in short, integrating identity first, then delivering it as a directory. This becomes a powerful new way to view directories: as a set of services you could package and deliver, using different protocols as needed—LDAP, of course, but also SQL, as well as newer protocols such as web services.

Delivering a global view of identity…and linking its contexts

Identity virtualization allows you to reach an individual user across all silos to enforce security and deliver other integrated services. But once you have a handle on that identity, you can also begin to look at that user’s interactions across silos—the actor and his context.

But that’s a topic for another post…

We’ll explore the context side of identity and context virtualization next time.

Tags: , , ,
Posted in Context, Correlation / Global Key Mapping, Data Model, Identity Integration, Market Trends and Analysis, Synchronization, Virtual Directory Server | 3 Comments »

SPF for Your Sun Directory Infrastructure

Tuesday, October 27th, 2009

Add Flexibility and Shield Yourself from Uncertainty with Identity Virtualization

It’s easy to see how losing your company phone service or email would bring your business to a standstill. Now imagine losing your directory infrastructure. While the directory’s value might not be as obvious to the average business user, it’s a mission-critical foundation for controlling access, including authentication and authorization. For many enterprises, the Sun Directory platform is an essential component in their ability to conduct daily business.

I talk with customers every day and we all agree: Oracle’s acquisition of Sun is a game changer—and no one knows how things will shake out. Announced last April, the deal is currently under review by European Union anti-trust authorities, so it will be several quarters before Oracle and Sun are able to discuss the future of Sun’s directory and identity offering. Still, it’s important to understand and address the key challenges we’re all facing right now.

What’s my strategic roadmap for the near and long-term?

Many organizations are currently running Sun Directory 5.2, which has an end of life date of November 2010. Product upgrades are costly, time-consuming, and disruptive. An upgrade to Sun Directory Version 6 would be a major investment, coming at a time when Sun will potentially cease to exist as an independent company and the future of its directory—as well as the overall identity management product roadmap—has yet to be defined. The combined company will end up with two of everything, including two directory platforms. History shows that developing go-forward product plans, as well as integrating products, is a long and uncertain process. And with Sun in the process of lay-offs, there is uncertainty about what level of support will be available in the future.

How will this affect my business relationships and cost structure?

Sun Directory licensing can be quite complex, and all the terms will have to be re-negotiated once Oracle takes over this product. Sun has different license models—annual fee, perpetual license, even a limited use “free” license—and how these will change under new ownership is also up in the air. Companies who license Sun Directory on a per-user basis may also be paying too much, because they have large numbers of inactive users which could be stored outside the directory.

How can I make Sun play well with other infrastructures?

The sale of Sun highlights another identity management issue many enterprises are facing: the difficulty of unifying different directory infrastructures. Along with Sun Directory as a core enterprise identity store, we’ve also seen the rise of Active Directory, which is now a defacto component for most enterprise network and messaging initiatives and the authoritative repository of core identity information for employees. At senior levels within the enterprise, leaders are asking why the identity infrastructure is being complicated by multiple instances of the same data, in some cases maintained by a fragile and complex series of custom-built data and password synchronization processes.

So, given all these questions, how can you protect yourself from the business and technical aspects of unwanted change? Let’s explore how identity and context virtualization can add flexibility to your infrastructure and keep you from getting burned.

Apply Sunscreen: RadiantOne Identity Virtualization

The answer’s pretty simple—and it doesn’t take long to deploy either: Protect yourself with an identity virtualization layer. Sitting between your current Sun Directory infrastructure and the applications that access it, RadiantOne isolates applications from changes to the backend infrastructure. So the application thinks it’s talking to a Sun Directory, while behind the scenes, you have the flexibility to make changes as needed.  This simple yet powerful layer protects you from market dynamics outside your control, and also upgrades your directory and identity infrastructure to meet future requirements, including federation, fine-grained entitlements, SaaS, cloud computing, and multi-tenant services.

Provide flexibility in your infrastructure

Shield your applications from potential changes to your directory infrastructure in the immediate term, and position yourself to create an informed strategy once the new product roadmaps are announced. RadiantOne is a vendor-, product-, and version-agnostic infrastructure that protects your identity investments and enables quick deployment of new initiatives. Whether you decide to upgrade to Sun 6 or change your directory infrastructure instead, a virtual directory buys you time to decide and ensures that applications will feel minimal impact from any changes you make on the backend.

Cut deployment and licensing costs

Directory virtualization allows you to use any directory or data source to store your identity data. Many organizations use RadiantOne to bridge the gaps between the database and directory worlds, enabling the separation of protocol (LDAP) from underlying storage, where RDBMs often makes the most sense. Such a move could significantly cut deployment costs by allowing you to leverage your existing RDBMS investments and still derive all of the directory benefits. Many enterprises have also reduced licensing costs with this strategy by simply moving inactive users into a database, while still allowing applications to access a single directory with both active and inactive users.

Unify your identity infrastructures

Take better advantage of your AD investments: Use RadiantOne to gain a unified view into all your directories—one that’s cost-effective, non-intrusive, and easy to deploy. RadiantOne solves the challenges of authentication and authorization across disparate user directories by remapping certain aspects of your current directory infrastructure back to AD, without impact to existing applications.

RadiantOne: Highly flexible, plays well with everyone

For many enterprises, directory virtualization is a fast, cost-effective solution that provides protection and flexibility for the identity infrastructure—not to mention independence from some of the vendor dynamics discussed above. While this classical use case is still a strong driver, more and more organizations are turning to RadiantOne virtualization to find new ways to consolidate identity information and leverage existing IdM investments for new initiatives.

Identity organizations are enlarging their focus beyond GRC initiatives for internal populations, targeting higher-value externally focused initiatives that deliver new and better services to customers. But these high-volume, highly heterogeneous environments put new demands on your identity infrastructure.

RadiantOne bridges the gaps between the database and directory worlds, separating the protocol (LDAP) from the underlying storage. So customers can leverage their existing RDBMS investments, which are designed for high-volume storage, and still derive all the speed and security benefits of the directory. This makes RadiantOne a strategic infrastructure solution that supports current identity needs and scales up to meet tomorrow’s challenges.

I’d love to discuss how RadiantOne can make a difference to your organization. Send me an email at dschuller@radiantlogic.com, and tell me about your goals and challenges.

- Dieter Schuller, VP Sales & Business Development

Tags: , , ,
Posted in Market Trends and Analysis | 1 Comment »