Sponsor's Message - OctetString
 Creating a secure application environment requires
integration of existing user identity information. For some
companies, that information is contained in databases. Others use
LDAP directories or Windows Domains. For most, this information is
scattered across multiple locations and multiple services. How can
an application effectively leverage the information it needs for
secure authentication and authorization in an ever-changing
enterprise infrastructure?
OctetString's VDE Directory Suite provides Internet and industry
standard LDAP and XML views of existing enterprise identity
information, without synchronizing or moving data from its native
locations. This accelerates the deployment of applications and
reduces costs by eliminating the need to constantly adapt
applications to a changing identity landscape as user populations
are added, changed, or removed.
Some common application-to-directory integration challenges that
VDE addresses are as follows:
Multiple Directories:
Most LDAP-enabled applications expect all directory data to be in a
single repository. Often it is not. Since the typical application is
not able to connect to multiple directories, VDE is used to
"federate" multiple directories into a single "Virtual Directory"
that applications can easily connect to.
Adding Attributes to Enterprise Directories: Most applications have
unique directory attributes that they want to add to enterprise
directories. Directory administrators are reluctant to add
attributes to a directory schema that they worked hard to
standardize. Adding more attributes causes "schema bloat", making
the directory more complex and "brittle" and more subject to
performance degradation. VDE enables an application to have its own
localized attributes instead of being limited to, or having to add to,
the corporate enterprise directory schema.
UID Data in Databases: Many companies have not fully
adopted directory technology and maintain much, if not all, of their
user identity information in relational database systems. LDAP-enabled
applications cannot directly leverage these assets. VDE
provides a solution for mapping database objects into LDAP objects
so that applications can make use of these existing RDBMS resources.
Incompatible Directory Formats: VDE can normalize
schema and merge namespaces in a form optimized for any application.
This means directory formats that an application does not readily
connect to can be made to appear like directories that the
application connects with easily.
To learn more about VDE or
to download a fully functional free evaluation copy, please visit
www.octetstring.com or call 847-358-9358.
Dear Colleague,
Welcome to the latest issue of the DIM Report - bringing
you news and comment from the world of Directories and
Identity Management.
This issue we've got all the usual bits plus some more good
IdM resources and articles, a preview of the forthcoming
Catalyst conference, and some stuff on Sun's latest Idm
announcements. The main feature is an article by me about
Meta vs Virtual directories. I've been wanting to write
this for a while now, and as my friends at OctetString are
sponsors for this issue, I thought the timing was perfect.
If anyone would like to submit a piece for consideration
as the main feature, the only rules are it must be IdM-related,
under 800 words and not blatant propaganda for your product
or service.
Also, as I mentioned last issue, I attended the SQLSoft/Oxford
Computer Group Microsoft Metadirectory 2003 training course
the week before last. The course was excellent, and MMS
2003 (shortly to be MIIS 2003) is a serious piece of kit.
IBM, Novell, Sun be warned - Microsoft want a piece of the
Idm space, and MIIS is the knife they'll be carving it out
with!
Regards,
Dave Nesbitt
PS. Thanks to Fred Weichselbaum of OctetString for
answering my question about DirXon last issue. Apparently
DirXon are now known as "Ensynch".
Meta or Virtual, or Both?
A few years ago (10 to be precise, about the time of
the X.500 (93) specification) there was a grand vision of
thousands of interconnected directories sharing identity information
across organizational and geographical boundaries. Unfortunately,
this vision could never keep pace with technological change,
and it never happened. Then, in about 1997, another vision
(albeit more modest) took its place. How about if we could
at least synchronize the identity data within our organization
and make this data available to applications that need it?
This would save us lots of time and money, and would help
overcome the problems of bad data in the process. Thus, the
metadirectory was born.
Unfortunately in most large organizations, even those with
metadirectories, managing and synchronizing identity data
was still running out of control. More and more applications
needed access to the data, and more often than not it made
more sense to allow these applications to run off their
preferred datastores, rather than force them to make remote
LDAP calls into a meta or enterprise directory. Thus, the
virtual directory was born. And to some observers it seemed
as if the metadirectory's time had been and gone. But has
it? Does a virtual directory really replace a metadirectory,
or can the two technologies actually complement each other?
Let's try and answer this question by first defining each
one in turn, then considering when one has the advantage
over the other.
Metadirectories
A metadirectory is a service that collects identity information
from different data sources throughout an organization and
then combines all or part of that information into an integrated,
unified view. It can then push the combined information
back out to these data sources once any business logic has
been applied. A metadirectory sits below these data stores:
it takes their data, cleans it up and pushes it back out
again. Most often, metadirectories are event-driven, batch
processes that run overnight catching up with the changes
of the previous day. The following diagram illustrates this
idea:
Virtual Directories
Virtual directories solve a similar problem
to metadirectories - access to scattered identity data -
but it is a subtly different problem. The cost and problems
associated with allowing identity datastores to proliferate
at will across the enterprise is now well understood, but
what is needed now is a way of allowing applications access
to existing identity data, when that data may reside in
incompatible stores, with incompatible schemas and protocols.
This is where the virtual directory comes in. Rather than
sitting below the datastores, virtual directories fit between
the datastores and applications that need to use them, smoothing
out any schema or other compatibility issues. Rather than
running as an overnight batch process, virtual directories
typically allow real-time access to the underlying data.
The diagram below shows the difference:
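As an added example (not OctetString's VDE, nor code from this newsletter), the Python sketch below shows the virtual directory pattern described above and in the sponsor's message: a unified LDAP-style view that federates a relational HR table and a partner directory at query time, normalizes their schemas, and holds application-local attributes without touching the enterprise schema. All DNs, table names and sample records are constructed.

```python
import sqlite3
# Constructed sample data standing in for two existing, independent stores.
def hr_database():
    """Relational HR system: identity data lives in a table, not in LDAP."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (emp_id TEXT PRIMARY KEY, full_name TEXT, mail TEXT)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                   [("e100", "Ann Example", "ann@example.com"),
                    ("e200", "Bob Example", "bob@example.com")])
    return db

# Partner directory entries in the partner's own schema (cn is the login name).
PARTNER_LDAP = {
    "cn=cdoe,ou=partners,dc=partner,dc=example":
        {"cn": "cdoe", "sn": "Doe", "mail": "cdoe@partner.example"},
}
class VirtualDirectory:
    """One LDAP-style namespace over several backends, queried at request time.
    Nothing is copied or synchronized: each lookup goes to the native store,
    attribute names are normalized to the application's schema, and attributes
    only this application needs are held here, not added to the enterprise schema."""
    BASE = "ou=people,dc=virtual,dc=example"  # constructed virtual namespace
    def __init__(self, db, ldap_store):
        self.db, self.ldap_store = db, ldap_store
        self.local_attrs = {}  # uid -> attributes only this application needs

    def set_local_attribute(self, uid, name, value):
        self.local_attrs.setdefault(uid, {})[name] = value

    def _from_database(self, uid):
        # Map a relational row onto LDAP attribute names (emp_id -> uid, full_name -> cn).
        row = self.db.execute("SELECT emp_id, full_name, mail FROM employees WHERE emp_id = ?",
                              (uid,)).fetchone()
        return None if row is None else {"uid": row[0], "cn": row[1], "mail": row[2]}

    def _from_ldap(self, uid):
        # Normalize the partner schema: their cn is our uid.
        for attrs in self.ldap_store.values():
            if attrs.get("cn") == uid:
                return {"uid": uid, "cn": uid, "sn": attrs["sn"], "mail": attrs["mail"]}
        return None

    def search(self, uid):
        """Return (dn, attributes) in the virtual namespace, or None if unknown."""
        entry = self._from_database(uid) or self._from_ldap(uid)
        if entry is None:
            return None
        entry.update(self.local_attrs.get(uid, {}))  # merge application-local attributes
        return f"uid={uid},{self.BASE}", entry
```

Because lookups hit the native stores on every call, a change made directly in the HR table is visible through the virtual view immediately, which is the real-time property the article contrasts with overnight metadirectory batches.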
When Meta is Better
Metadirectories are strategic solutions and
are best where speed of access to changes in data is not
critical, but accuracy of the data is. Consider the hire/fire
scenario in a typical organization. Do we really need to
have instantaneous provisioning of accounts, or creation
of email addresses? Can't we wait 24 hours for changes to
the email list in one country to update across all regions
following the arrival of a new accounts clerk? On the other
hand, can we really take chances with sensitive and critical
data in HR or CRM systems? Shouldn't this data be managed
with the greatest care and attention?
When Virtual is Best
Virtual Directories are tactical solutions
and come into their own when real-time access to identity
data in disparate data stores is needed. Customers or partners
using a self-registration web application aren't going to
be too impressed if they have to wait around for 24 hours
for their new account to be activated. Virtual Directories
also typically take days to deploy, rather than weeks or
months needed for a complex metadirectory project where
care and attention to detail are vital.
Conclusion - use both!
I'm sure that most of you by now will have
reached the same conclusion as I have. Use both! Use metadirectories
to get your Identity data clean, accurate and synchronized.
Use Virtual Directories to get that data in front of the
applications that need it without having to deploy yet another
database or directory. If ever in doubt, try to remember
this simple formula: virtual=tactical, meta=strategic, virtual
+ meta=a perfect world.
Dave Nesbitt
The Sun Rising
Appropriately for the summer solstice weekend, Sun are
definitely on the rise again in the Idm world. After a few
quiet months, two new features on their web site (timed to
remind us of some forthcoming product releases) show that
they are well aware of the need to keep abreast with IBM,
Microsoft, and Novell.
The first piece is entitled "Network Identity Enables Secure
Collaboration in Government" and is targeted at IT professionals
within Government Departments struggling to find technology
solutions to the demands placed upon them by the current security
climate. Naturally enough at times like this, knowing who
someone is, and what they are entitled to do, takes on even
more significance than normal. But even, or perhaps especially,
in times of heightened security, government business has to
go on as near to normal as possible, and management will expect
technology to provide the answer. As an answer to these problems,
Sun recommends the Sun Infrastructure Solution for Network
Identity, a set of hardware, software and consulting services
with open standards, and especially the Liberty Alliance,
at its heart.
Network Identity Enables Secure Collaboration in Government
The second piece is a "special report" timed to coincide
with the Java developers conference and gives advance notice
of forthcoming releases in the Sun Idm product suite. There's
a distinct web services spin to this report, which is entitled
"Sun Microsystems Delivers Secure Identity Infrastructure
for Java Web Services". This title doesn't really gel with
the body of the document to me, which is mainly about Idm,
not web services per se. It may possibly be designed as
bait to get some web services developers reading about
Idm. This is a good idea, IMO - some of them need reminding
that Idm is one of the main drivers for web services, not
the other way around.
Sun Microsystems Delivers Secure Identity Infrastructure for Java Web Services
Catalyst is Coming
It's only just over two weeks until this year's Catalyst
North America and judging by the agenda on the Burton Group
website, it's shaping up to be a good 'un. Unfortunately,
I won't be there as The DIM Report T&E budget doesn't
stretch to transatlantic flights to San Francisco just yet,
so I'd be grateful if anyone attending would like to volunteer
to be my inside source. There'll be no financial rewards,
just the warm glow that comes from a job well done and seeing
your name in print, plus an exclusive DIM Report t-shirt (once
I get them printed). Mail me at the usual address if you'd
like the job.
The conference is split into two tracks, organized along
similar lines to the Burton Group practices - Directory
and Security Strategies, and Network and Telecom Strategies
- and takes place over three days. According to Burton Group,
the Directories track will "...focus on the foundation for
inclusionary security: enterprise identity management (Idm)..".
The agenda for this track is as follows:
· July 9 - Managing the Identity Life Cycle: Provisioning and Process
· July 10 - Putting Identity to Work: Roles and Federation
· July 11 - Platforms and Integration: Building Secure Web Services
Each day comprises a series of presentations from
Burton Group Analysts/Consultants, Enterprise Customers,
Industry Vendors, Technology Pioneers and Explorers, and
Standards Bodies, and concludes with a roundtable open forum.
Vendors represented include: Novell, IBM/Tivoli, Waveset,
Business Layers, Critical Path, M-Tech, Oblix, Thor,
Microsoft, PingID, RSA and many others.
Burton Group Catalyst
Articles, more articles...
It's fast becoming the tradition that the fourth article
is where I reveal the results of my regular web-trawling for
the latest and greatest pieces of Idm info. Not wanting to
be called an iconoclast (although it wouldn't be the first
time), I offer the following for your entertainment and education.
First up is a short piece
from the ever-productive Dan Blum of The Burton Group on some
issues around Federated ID entitled "SAML, Liberty offer
Identity Gains". In this article Dan suggests that people
rolling out new applications and security infrastructure make
SAML a mandatory capability. Vendors in this space who don't
yet support SAML might want to pay some attention to his call.
The Dan Blum article
Next, Waveset have a very handy "Buyer's Guide to Idm"
available for download from their website. Although the
document does contain some marketing info about their products
(as you would expect), it also contains some excellent information
on Idm as a whole and provisioning in particular. An extra
bonus is that there is no requirement to register to get
hold of it - thank you Waveset!
The Waveset Idm Buyers Guide
Finally, the latest chapter of Archie Reed's excellent eBook
on Identity Management is available on the Rainbow Technologies
website. You do need to register for this, but it's well
worth it. The latest chapter is dedicated to Idm standards
and provides explanations of common industry standards and
protocols such as DSML, SOAP, WSDL, UDDI, SAML and SPML.
The Idm eBook
In Brief
Novell Unveils its Strategy for Delivering Secure, Directory-enabled
Web Services with Novell exteNd and Nsure Solutions: Novell
unveiled its strategy for building advanced Web applications
with its Novell® exteNd and Nsure solution families. According
to the press release "...The Novell exteNd suite, acquired
with SilverStream Software, enables IT organizations to rapidly
build applications that integrate existing systems and deliver
dynamic, interactive portal solutions. Novell Nsure helps
businesses get the right resources to the right people - anytime,
anywhere by simplifying the management of user identities
and securing access to enterprise applications..."
NetPro Joins HP OpenView Solution Alliance Program: NetPro has
joined the HP OpenView Solution Alliance Program as a Solution
level Partner. The alliance is based around the integration of
NetPro's Active Directory Suite with HP OpenView.
O2 UK Realizes Rapid ROI from Courion's Identity Management
Solutions: Courion announced that mobile operator O2 UK
has selected and successfully implemented Courion's
PasswordCourier® for enterprise-wide password management.
According to the press release, the deployment has already
reduced the average number of monthly calls to O2 UK's
consolidated service desk by over 50% from 1,114 to 461.
Aelita products receive certification for Windows Server
2003: Aelita announced that it has fulfilled the Windows
Server 2003 certification requirements for three products:
Aelita® Enterprise Directory Manager (EDM), ERDisk for Active
Directory and ERDisk for Windows.
Westinghouse Electric Company Has The Power To Protect Information Assets
With RSA Security: RSA Security announced that
Westinghouse Electric Company has selected RSA ClearTrust® Web
access management software and RSA SecurID® two-factor
authentication software to help ensure that only authorized
personnel have access to sensitive and proprietary business
information.
ASB Bank Selects RSA® Mobile Two-Factor Authentication For
Internet Security: RSA Security announced a technology
partnership with banking service and technology leader, ASB
Bank, to implement RSA® Mobile two-factor authentication
software. The agreement allows ASB Bank to develop a range of
security options for its customers around the rapidly growing
online banking market.
Thor Technologies® Brings Access Rights Provisioning Capabilities
for mySAP ERP Suite-powered Enterprises: Thor Technologies
announced that it has integrated its flagship Xellerate
software with SAP AG's mySAP ERP suite, adding user access
rights provisioning capabilities.
Oblix Continues EMEA Expansion Plan with the Opening of Dedicated
Benelux Sales Office: Oblix announced that it has opened a
sales office to focus on the growing Benelux IT market. This
market is forecast to reach nearly 26 billion Euros in 2004,
according to the 2003 European Information Technology
Observatory Yearbook, produced in cooperation with IDC.
Events
The Open Group: "Open Standards - Open Source": 24-25 June, Minneapolis, MN
Catalyst North America: Jul 9-11, San Francisco, CA
OpenLDAP Developers' Day: Jul 18, Vienna, Austria
CA World 2003: Jul 13-17, Las Vegas, NV
NetPro DEC AD Fall: Sep 14-17, Ottawa, Canada
Catalyst Europe: Oct 7-9, Barcelona, Spain
ISSE (Information Security Solutions Europe): 7-9 Oct, Vienna, Austria
Digital ID World Conference 2003: 15-17 Oct, Denver, CO