Sponsor's Message - OctetString
What Every Application Needs (and wants for the Holidays): Users!
Applications just aren't very useful without users.
Every application has its own requirements for user identity
information: authentication, authorization, personalization, and
differentiation.
With so many large stores of identities in LDAP based directories
and in relational databases, what's the problem? These repositories
were designed without knowing the requirements of your application
project. Too bad. :-(
OctetString's Virtual Directory Engine software products are
designed to rapidly integrate applications into diverse user
identity systems - quickly, easily, and cost effectively. Integrate
with existing enterprise data stores: whether internal or external;
LDAP or RDBMS; Microsoft, Sun, IBM, or Novell; unified or
distributed. No re-writing application code, no re-architecting
enterprise infrastructures. Just configure and deploy your
application.
Call us at 1-847-358-9358 or visit
www.octetstring.com today! Free evaluation software is available.
The team at OctetString wishes all readers of the DIM Report and
their loved ones a Joyous Holiday Season and a Happy New Year!
For more information
Dear Colleague,
Welcome to the latest issue of the DIM Report - bringing
you news and comment from the world of Directories and
Identity Management.
And welcome to the final issue of
2003. As some of the older readers will know, I very nearly
stopped doing the report as the time each issue took seemed to
get longer and longer, and pressure from other projects took
precedence. But I'm pleased to announce that as from January,
the report will be back to its original release schedule of
every two weeks.
However, in order to make the report
pay for itself, I'm going to have to increase the number of
sponsorship opportunities, so you will be receiving the odd
one-off announcement from IdM companies advertising seminars,
webinars, white papers and the like. I promise to keep these
down to no more than two or three a month, and always make
sure they are related to IdM.
So, on to this report.
I've got a great article on the convergence between Meta and
Virtual directories by Michel Prompt, CEO of RadiantLogic,
some thoughts on the Liberty Alliance, all the usual industry
news, plus a bumper crop of IdM resources for you by way of a
seasonal gift!
Season's greetings to you all, have a
great holiday and I hope the New Year brings you success in
all your IdM ventures!
Regards,
Dave Nesbitt

Are Virtual and Meta Directory on a Path for Convergence?
By Michel Prompt, CEO, RadiantLogic
Identity management emphasizes the need for
integration, because implementing policies, providing
applications with identity profiles, and managing groups and
roles are only as effective as the quality and amount of
identity information available. For example, access to a
portal may require a security policy based on complex business
rules and real time criteria, information which is usually not
available in an enterprise directory. Identity profiles often
span preferences, attributes, and membership data from a
multitude of resources. The solution involves some type of
integration making diverse sources of information available to
identity management applications.
Virtual directories
and metadirectories are two approaches to building an
integrated directory, but why are they perceived as
technologies that are competing against each other? Both
aspire to do the same thing, namely make the directory more
useful by incorporating information from other locations. In
addition, they both synchronize data as well, although the
approach is much, much different.
It's easy to
understand how a metadirectory synchronizes. Take the value
from one data source and copy it to another (into a metadata
repository), and propagate the changes as necessary in a batch
process. In a manner of speaking, there's very little that's
"meta" about a metadirectory, because copying data in a
pre-defined manner doesn't require any meta-information (the
information that defines the data source). The data loses its
context of what it meant to the data source, and how it
related to other data.
Processing a large number of
changes can hurt metadirectory performance, because
directories optimize for the read operation, not the write.
Committing a randomly-accessed set of changes to disk takes
time (search for entry, read attributes, modify, and write
back to disk), and every change requires re-indexing the
attribute. A metadirectory has to perform writes for every
change that occurs, whether or not the directory entry is ever
accessed. As the amount of identity information grows,
workload and batch process time increases as the
synchronization grows larger and more complex, and scalability
can become a serious concern.
Now you're probably
asking, "So how does synchronization relate to virtual
directories?" A virtual directory service has to keep the
cached image of an entry synchronized with the data sources.
However, since cache resides in memory, there's no write to
disk, unless the cache is periodically backed up for faster
restoration from downtime. A virtual directory also removes
the need to synchronize everything, because only accessed
entries reside in the cache. Entries which are not resident in
the cache do not need to be synchronized when data changes
occur, since they are built on demand, using current data.
An interesting twist to this discussion is that some
implementations of virtual directories use meta information
about connected data sources (so that it knows how to access
the data source, understand the underlying schema, and how to
leverage the relationships that exist in the native data
source). So in many ways, a virtual directory uses more meta
information to build a directory service than a metadirectory
does.
Sometimes business logic has to be done before
the entry is ready, such as locating common identifiers in
multiple data sources before joining records together. In a
purely virtual environment, that could mean access delays, so
it would be advantageous to have this work done before hand.
In such cases, a metadirectory approach would be preferable to
handle the pre-access work.
So on one hand, a
metadirectory synchronizes by bringing everything to the
center (into a central meta repository) before being accessed.
A virtual directory dynamically accesses data, but leaves the
data at the edges (the data source) and synchronizes a cached
image on demand. Each performs synchronization, but the
different approaches provide different benefits and
challenges.
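To make the two synchronization models concrete, here is a small added illustration in Python. It is not RadiantOne or any vendor's code; the two data sources (an LDAP-style one and an HR database-style one, joined on a constructed employee number) are invented for the example. The metadirectory copies every joined entry to a central repository and writes again for every propagated change; the virtual directory assembles an entry from the live sources only when it is first read, keeps a cached image, and only has to refresh images it actually holds.

```python
"""Toy model of metadirectory versus virtual directory synchronization.
Added illustration, not RadiantOne or any vendor code; sources are constructed."""

from copy import deepcopy

# Constructed sample sources, both keyed on a common identifier
# (an employee number) so one profile can be joined across them.
LDAP_SOURCE = {
    "e100": {"cn": "Alice Example", "mail": "alice@example.test"},
    "e200": {"cn": "Bob Example", "mail": "bob@example.test"},
    "e300": {"cn": "Carol Example", "mail": "carol@example.test"},
}
HR_SOURCE = {
    "e100": {"department": "Finance", "role": "approver"},
    "e200": {"department": "IT", "role": "admin"},
    "e300": {"department": "Sales", "role": "staff"},
}


def join_profile(uid, sources):
    """Join one identity across all sources on the shared identifier:
    the 'business logic before the entry is ready' step."""
    profile = {"uid": uid}
    for source in sources:
        profile.update(source.get(uid, {}))
    return profile


class MetaDirectory:
    """Brings everything to the centre: every entry and every change
    costs a write to the central repository, whether or not it is read."""

    def __init__(self, sources):
        self.sources = sources
        self.repository = {}
        self.writes = 0

    def full_sync(self):
        ids = set().union(*(s.keys() for s in self.sources))
        for uid in sorted(ids):
            self.repository[uid] = join_profile(uid, self.sources)
            self.writes += 1

    def propagate(self, uid):
        """Batch propagation of one changed identifier."""
        self.repository[uid] = join_profile(uid, self.sources)
        self.writes += 1

    def lookup(self, uid):
        return self.repository.get(uid)


class VirtualDirectory:
    """Leaves data at the edges: an entry is assembled from the live
    sources the first time it is read and kept only as a cached image."""

    def __init__(self, sources):
        self.sources = sources
        self.cache = {}
        self.builds = 0  # in-memory assembly, no disk write

    def lookup(self, uid):
        if uid not in self.cache:
            self.cache[uid] = join_profile(uid, self.sources)
            self.builds += 1
        return self.cache[uid]

    def on_change(self, uid):
        """Only a cached image can go stale; an uncached entry is simply
        rebuilt from current data the next time it is read."""
        self.cache.pop(uid, None)


def run_scenario():
    """Replay one sequence of reads and edge changes against both models
    and report what each cost and what each answers."""
    ldap, hr = deepcopy(LDAP_SOURCE), deepcopy(HR_SOURCE)
    meta = MetaDirectory([ldap, hr])
    virt = VirtualDirectory([ldap, hr])

    meta.full_sync()        # 3 writes before anything is read
    virt.lookup("e100")     # 1 build; only e100 is cached

    # Two changes at the edge, picked up by the metadirectory batch.
    hr["e200"]["role"] = "staff"
    hr["e300"]["department"] = "Marketing"
    for uid in ("e200", "e300"):
        meta.propagate(uid)     # 2 more writes, although e300 is never read
        virt.on_change(uid)     # neither is cached, so nothing to do

    # A third change that the next batch run has not yet picked up.
    hr["e100"]["department"] = "Treasury"
    virt.on_change("e100")      # drop the stale cached image
    builds_before_reads = virt.builds

    e200_virtual = virt.lookup("e200")["role"]
    e200_meta = meta.lookup("e200")["role"]
    e100_virtual = virt.lookup("e100")["department"]
    e100_meta = meta.lookup("e100")["department"]
    return {
        "meta_writes": meta.writes,                    # 5
        "virtual_builds_before_reads": builds_before_reads,  # 1
        "virtual_builds_total": virt.builds,           # 3
        "e200_role": (e200_virtual, e200_meta),        # both "staff"
        "e100_dept": (e100_virtual, e100_meta),        # "Treasury" vs stale "Finance"
        "e300_ever_cached": "e300" in virt.cache,      # False
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The counts are the point: the metadirectory pays five writes for three entries and two changes, one of which (e300) nobody ever reads, while the virtual directory assembles only the entries that are actually requested and answers with current data for the change the batch has not reached yet. The same model also shows the metadirectory's strength: its answer for e100 comes straight from the repository with no join work at read time.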
It's becoming clear that the most
flexible approach to identity integration comes from combining
the integration capabilities from the BEST of both worlds,
rather than being forced to choose one or the other. How can
IT organizations take advantage of both approaches without
having to manage both a meta directory and a virtual
directory? Radiant Logic pioneered the work in virtual
directory technology, and they've been thinking about the very
same thing - combining virtual and metadirectory together to
use the best features of each, and making them designed to
work in concert. This is the design philosophy behind the new
features in RadiantOne 3.0. It's not called a virtual
metadirectory, but the concept's not that far off, and the
synergy produced a number of benefits to identity
infrastructure:
· Synchronize only what's needed, such as identifiers and change-propagated attributes, and then dynamically assemble the rest of the profile information on demand.
· Keep the amount of synchronization work down to a minimum, so that scalability isn't impacted by changes that aren't ever used.
· Integrate at the virtual layer, bypassing tightly coupled integration at the data storage layer.
· Configure dynamic access or metadirectory-like synchronization for entries down to the attribute level, without making it an all-or-nothing proposition.
· Optimize reads for high performance, and implement writes with configurable levels of transactional integrity.
· Enforce access controls for both synchronized and virtual entries from a central location.
· Virtualize to present attributes in a schema tailored for each application, rather than forcing the application to conform to one used in the metaview.
To find out more about RadiantOne 3.0, visit http://www.radiantlogic.com,
or e-mail your questions to info@radiantlogic.com.

Testing Times for Liberty Alliance
Here's the wording of a press release on the Liberty
Alliance website at the moment. "...The Liberty Alliance
Project, a group developing open standards for federated
network identity and identity-based web services, announced
that products and services from nine companies have
successfully passed the first Liberty-sponsored conformance
test. Ericsson, Nokia, NTT, NTT Communications, NTT Software,
Phaos Technology, Ping Identity, Sun Microsystems and
Trustgenix will be the first companies to have earned usage of
the 'Liberty Alliance interoperable' logo. Customers' ability
to select products and services branded with this logo will
not only save time and money in evaluating products, but will
help in testing product performance, and most importantly,
interoperating with trading partners..."
Good news for
Liberty, and for those companies passing the tests, but
something in the wording of the release and something I saw
and heard at the Digital Identity Conference got me thinking
about how carefully Liberty is going to have to manage its
message in the future.
We, the audience, were
listening to a very good overview of the Liberty specs from
Alex Stervinou of Liberty supporter RSA Security. All was
going swimmingly until someone in the audience asked a
seemingly innocent enough question. The question was along the
lines of "how will we, the end-user, know that our personal
information is being used properly by the Liberty Identity
Provider?" The answer was, quite correctly, that the Liberty
specs ensure privacy of identity data, but that the question
was raised at all shows the concern amongst end-users as to
how their personal identity data is managed. Liberty
must ensure that this issue is handled with kid gloves
as they progress. All it will take is one nosey consumer
affairs TV or Radio show to get on the "another assault on our
Internet privacy" bandwagon, and all the technical specs in
the world won't help.
I don't want to sound too negative here, but I've always had
a slight suspicion that whilst Liberty is undoubtedly of tremendous
value to service providers (especially financial service providers)
who want to pass end-users onto partners in their circle of
trust, it has little real value to the end-user themselves.
Something along the lines of Passport (not necessarily Passport
itself), at least has an obvious benefit to me in my day-to-day
browsing. It cuts out the amount of passwords I need to remember
and gives me some limited SSO. But when asked in the future
by a Liberty-enabled Id Provider if I want to share my ID
data with other partners in their circle of trust, my natural
inclination will be to say "no thanks", or at least "what's
in it for me?". Judging by the reaction of others in the audience
at Digital ID, that would be the inclination of many others
too. This is because my initial suspicions will be that my consumer
choice is being reduced as I am channeled to partner organizations
to take part in "loyalty" schemes (which most savvy consumers
now know are nothing more than market research devices), or
where my referral is rewarded in the form of commission to
the ID provider.
So well done all involved in Liberty for achieving this milestone,
but please keep the end-user's need at the forefront of your
planning. Because if end-users shy away from saying "yes"
to having their ID federated, then the whole project could
prove to be a complete waste of time.
Liberty Alliance Press Release

Other News of Note
BT wins multi-million pound NHS Care Records Service contract: BT announced that it has been awarded a 10-year
contract, worth £620 million, with the UK Department of Health
as part of the National Health Service National Programme for
IT. As a National Application Service Provider, BT will
design, deliver and manage a national patient record database
and transactional messaging service which is critical to the
NHS Care Records Service.
RSA ClearTrust Web Access Management Software Named Web Product of the Year by Computing Magazine: RSA Security announced
that Computing magazine has named RSA ClearTrust web access
management software the "Web Product of the Year" in its
annual "Computing Awards for Excellence" competition. The
awards identify the highest standards of technological
achievement and are considered a benchmark for excellence
throughout the computing industry. RSA ClearTrust software was
selected based upon the product's features, performance,
price, market positioning, innovation and integration
capabilities.
MaXware Launches ExpresSync to Enable One-to-One Data Synchronization to and from Any Data Repository or Application: MaXware International announced the release
of MaXware ExpresSync, a cost-effective, one-to-one data
synchronization tool that enables enterprises to easily manage
ongoing information integration demands by securely moving
data between any two repositories or applications - regardless
of platform, protocol, type or location.
Netegrity Survey Finds Web Services Deployments Held Back By Security Concerns: Netegrity released the findings from a Web
services survey conducted with global 2000 organizations. More
than 50% of those surveyed indicated their organizations have
held back Web services deployments outside of the firewall due
to security concerns. In addition, nearly all of the surveyed
companies indicated that they are turning to several different
standards as they create their Web services security
architectures.

IdM Resources
Webinars
It's all gone quiet on the webinar front
due to the forthcoming holiday season, but I have managed to
find two archived presentations I don't think I've highlighted
before.
Oracle are demonstrating their credentials in a short 10 minute
overview of IdM available from the Oracle Identity Management
website. There is a link to the webinar at the bottom of the
web page.
Oracle Identity Management
IBM are hosting a webcast on
the Gartner Vendor User Provisioning Selection Tool, which is
designed to help customers select the best vendor for security
provisioning. Called "Selecting the best User Provisioning
solution for your organization's needs" it features Gartner
Senior Research Analyst, David Gootzit (requires registration).
User Provisioning Webinar
Papers
In keeping with the holiday season, I have a veritable cornucopia
of IdM papers for you to gorge yourselves on this issue -
enjoy!
Sun has an excellent paper on their IdM sub-site called "Network
Identity: Unlocking the Value of Web Services". This paper
addresses "...how IdM can make web services more useful to
your users - and more powerful for your business..."
Sun Network Identity Paper
RadiantLogic have published an Integration Guide for their
RadiantOne virtual directory with Netegrity Siteminder. Even
for those who don't have either product, this document still
addresses some key concepts in IdM and is worth taking a glance
at.
RadiantOne/Siteminder Integration Guide
Insight Consulting are a company
I've just discovered, but they have some excellent Infosec
resources on their website. Of particular note is a white
paper on Identity Theft I think anyone with a credit card
should take a look at.
Insight ID Theft paper
Not strictly speaking a paper, but a very long and informative
article on the ZDNet website from Meta Group on the role of
Identity Management in Information Security. By the looks
of things, this is number one in a series, so worth bookmarking
the site for future articles.
ZDNet/Meta Group IdM Article
Finally, something well worth
using if you are either developing an IdM solution, or trying
to build an IdM business case, is the OpenGroup Identity
Management Business Scenario. The Scenario explores the
requirements for identity management, the environment within
which it must exist, and the implementation architectures that
have been proposed for it. It's a real gem of a reference
paper.
OpenGroup IdM Business Scenario
Case Studies
Finally, here are a few case
studies I hope you'll be interested in.
Netegrity have
published a new case study showing how the Australian
Department of Employment and Workplace Relations (DEWR)
deployed Netegrity IdentityMinder.
Netegrity Case Study
Midrangeserver.com are hosting a very
interesting case study that shows how Cox Communications (one
of the largest cable operators in the US) deployed Courion's
PasswordCourier product.
Courion/Cox Case Study
Federal Computer Week is hosting a
brief case study showing how the US Navy is using Oblix
NetPoint and Microsoft Active Directory for authentication.
Navy eases network access

News In Brief
Novell Announces Availability of Nterprise Linux Services 1.0:
Novell announced the availability of Novell® Nterprise Linux
Services 1.0, delivering file, print, messaging, directory and
management services in an integrated package that runs and
will be supported on the SUSE LINUX Enterprise Server and Red
Hat Enterprise Linux distributions.
Novell Delivers Secure Identity Management Solution to RadioShack: Novell announced that one of the US's largest
consumer electronics specialty retailers, RadioShack
Corporation, is using a Novell Nsure secure identity
management solution, to extend paper-based business processes
to the Web.
Critical Path Settles Litigation, Restructures Certain Leases: Critical
Path announced that it has reached a settlement of the
litigation brought by MBCP PeerLogic LLC and several other
former shareholders of PeerLogic.
AXA Financial Deploys Oblix NetPoint: Oblix announced that AXA
Financial, Inc. has deployed the Oblix NetPoint® Identity
Management and Web Access Control for user authentication and
authorization.
Vordel and Oblix Enable Secure Business Integration: Vordel and
Oblix announced the integration of VordelSecure with Oblix
NetPoint, to provide a standards-based integrated XML security
solution. The integration work was implemented using the SAML
(Security Assertions Mark-up Language) protocol.
NetPro Brings eDirectory Monitoring to Microsoft Operations Manager: NetPro announced the NetPro eDirectory Management
Pack for Microsoft Operations Manager (MOM). The NetPro
eDirectory Management Pack provides monitoring of Novell
eDirectory through the MOM console.
Sun Completes Acquisition of Waveset: Sun announced that it
has completed the acquisition of Waveset. Waveset will
become part of Sun's Software organization under Jonathan
Schwartz, executive vice president, software.
Netegrity Announces Support for Oracle: Netegrity announced support
of Oracle Identity Management to allow organizations to
implement access management, Web single sign-on, user
administration, and provisioning.
Courion Posts 30 Percent Growth for 2003: Courion announced that
it had closed the year realizing 30 percent growth over the
previous year.
Ping Identity and HP to Extend Federated Identity Management:
Ping Identity Corporation and HP announced that they are
working to accelerate development of the Ping Identity
SourceID Federation Platform. HP also plans to use SourceID to
build a Liberty-derived into its HP OpenView Select Access
identity management software.
Thor Technologies Secure Enterprise Provisioning Software Integrates with Oracle Identity Management: Thor announced
the integration of its Xellerate secure enterprise
provisioning software with Oracle's Identity Management
solution.
TruLogica Announces Partnership with Project Performance Corporation: TruLogica announced it has partnered with
Project Performance Corporation (PPC), a McLean, VA-based
provider of Identity Management and enterprise solutions.