The next big thing in identity management is virtual directories. And we do mean big: big potential for big returns, with big questions still remaining.
Virtual directories can significantly change the way identity information is used in midsize and large organizations and can reduce the technical and cost barriers of identity management. However, IT managers must commit to centralizing application access to authoritative data sources—no small task in todays global work force.
Virtual directories are software tools that connect to identity data in a variety of authoritative sources, including LDAP directories and databases. Virtual directories broker requests from applications that need access to this identity information. Metadirectories, in contrast, create copies of directory data, resulting in a usually costly infrastructure of replication and synchronization procedures to ensure that data is current. Virtual directories ultimately rely on the original data source for identity information.
Virtual directories also have the potential to lower licensing costs over products like metadirectories that are based primarily on synchronizing data from many sources into a central authority. However, additional features, such as data reconciliation and identity mapping among information sources, can easily drive up virtual directory costs.
Virtual directory tools act as a go-between for data repositories and applications. To the application, the virtual directory appears to be a customized directory that supplies precisely the identity information the application requires. To data repositories, the virtual directory appears as an application that asks only for information that the repository can supply.
At the end of the day, virtual directories make it possible for IT staff to implement new enterprise applications—such as human resources, CRM (customer relationship management) and e-mail—without creating a whole new user credential store to control access.
Virtual directories ability to monitor and record user access also could help businesses comply with the audit requirements embodied in regulations including HIPAA (Health Insurance Portability and Accountability Act), the Graham-Leach-Bliley Act and the Sarbanes-Oxley Act.
In fact, IT managers who decide to evaluate virtual directory technology are well advised to look at the regulatory compliance aspects of these products as a way to get executive sign-off. After the products are in place, IT staff likely will be able to drive significant identity management costs out of application implementations. For these cost savings to become reality, however, IT managers must convince other divisions in the organization that centralized identity management can work.
Directory information—name, address, employee number, salary, reporting structure, cube location, phone number and the like—is by its nature highly sensitive.
eWEEK Labs has found that in most organizations with which it has worked, control over identity information is highly political. Business managers are often reluctant to change access control systems that work, regardless of any possible cost savings that may accrue if exclusive control were to be relinquished.
This means that implementation of virtual directory projects will need to be phased in over a period of months, or even years—not for technical reasons but for organizational concerns. With this time frame in mind, IT managers should focus immediately on the nuts and bolts of virtual directories to ensure that such projects succeed.
We say “projects” because virtual directory products are really a platform into which applications and data sources are hooked. As projects are defined, what comes into focus is the great variety of attributes that create a unique identity. It also becomes clear that this information is stored in a great many places and that bringing this information together will not be easy.
Virtual directories use LDAP calls and SQL statements, along with a blend of scripting tools, to transform identity data and present that data correctly to applications and services.
For example, a CRM package used by an international company may expect user names in the United States to appear in the form “first name/last name” and in Europe to appear “last name/first name.” Rules created by IT in the virtual directory make this data presentation happen correctly in both instances. Further, IT staff need to write these types of rules only in the virtual directory product, as opposed to in every API. By reducing the number of places IT staff need to make custom connections, virtual directory tools can significantly reduce application implementation costs.
Aside from these efficiency gains, virtual directories—with their ability, through either a cache or proxied connection, to provide rapid access to the most current identity data—will likely improve directory access reliability, scalability and security.
Virtual directory tools can augment only the capabilities of the data sources to which they connect, however. And these data sources must be in a redundant configuration to provide failover and load balancing capabilities.
eWEEK Labs tests have shown that if redundant systems are in place—in carefully architected data environments—virtual directory tools can make directories scale further by efficiently routing requests for identity data. For example, an application that asks for all user names starting with “s” could be routed at a low priority to protect directory bandwidth.
Similarly, virtual directories can act as a directory firewall by placing required data in a virtual space without providing direct access to all the data sources. A virtual directory implementation at Sandia National Laboratories shows that this configuration could more securely provide authorized identity data to trusted partner facilities while ensuring the protection of the directories and databases that store the data.
Labs Technical Director Cameron Sturdevant can be reached at [email protected].
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.