Directory informationname, address, employee number, salary, reporting structure, cube location, phone number and the likeis by its nature highly sensitive. eWEEK Labs has found that in most organizations with which it has worked, control over identity information is highly political. Business managers are often reluctant to change access control systems that work, regardless of any possible cost savings that may accrue if exclusive control were to be relinquished.We say "projects" because virtual directory products are really a platform into which applications and data sources are hooked. As projects are defined, what comes into focus is the great variety of attributes that create a unique identity. It also becomes clear that this information is stored in a great many places and that bringing this information together will not be easy. Virtual directories use LDAP calls and SQL statements, along with a blend of scripting tools, to transform identity data and present that data correctly to applications and services. For example, a CRM package used by an international company may expect user names in the United States to appear in the form "first name/last name" and in Europe to appear "last name/first name." Rules created by IT in the virtual directory make this data presentation happen correctly in both instances. Further, IT staff need to write these types of rules only in the virtual directory product, as opposed to in every API. By reducing the number of places IT staff need to make custom connections, virtual directory tools can significantly reduce application implementation costs. Aside from these efficiency gains, virtual directorieswith their ability, through either a cache or proxied connection, to provide rapid access to the most current identity datawill likely improve directory access reliability, scalability and security. Virtual directory tools can augment only the capabilities of the data sources to which they connect, however. And these data sources must be in a redundant configuration to provide failover and load balancing capabilities. eWEEK Labs tests have shown that if redundant systems are in placein carefully architected data environmentsvirtual directory tools can make directories scale further by efficiently routing requests for identity data. For example, an application that asks for all user names starting with "s" could be routed at a low priority to protect directory bandwidth. Similarly, virtual directories can act as a directory firewall by placing required data in a virtual space without providing direct access to all the data sources. A virtual directory implementation at Sandia National Laboratories shows that this configuration could more securely provide authorized identity data to trusted partner facilities while ensuring the protection of the directories and databases that store the data. Labs Technical Director Cameron Sturdevant can be reached at email@example.com. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
This means that implementation of virtual directory projects will need to be phased in over a period of months, or even yearsnot for technical reasons but for organizational concerns. With this time frame in mind, IT managers should focus immediately on the nuts and bolts of virtual directories to ensure that such projects succeed.