Day 2: Lets get back to basics

The first half of Thursday was focused on enterprises looking for ways to achieve efficiencies and ROI through their IdM deployments, an outcome that had lost its relevance in the rush to achieve compliance objectives. But the current economic climate, and the slew of M&As (mainly As) and layoffs has brought this to the forefront once again, and sustained market interest in IAM when other initiatives are being pared back.

The day was a very good one for hearing about how customers were leveraging their IdM deployments in creative ways.

• I heard some interesting use cases of how Virtual Directory was being used to achieve efficiencies.
  • Companies are using Virtual Directory to expose the same identity data in different forms for different use cases.
  • The presenter from Sony talked about using Virtual Directory on top of geographically local LDAP servers to provide global access to data while satisfying their data compliance needs.
• There were a couple of sessions on managing UNIX infrastructure via AD (which is when I ducked into the cloud computing track).
• Wendy Booker of SunTrust Banks described how they used the cost savings (which they had to demonstrate and prove) from their IdM deployment to self-fund their project, which was a story I am sure more than a few attendees were interested in.

What I found really great was that a lot of the sessions were presented by organizations that had moved on to the 2nd or 3rd phases of their identity management program rollouts. This is quite different from all the previous conferences (Catalyst and others) I have been to, and speaks to the maturity of the market and some of these deployments.

The second half of the day was focused on identity transparency and governance. One of the most important points of the conference was made by Chris Howarth in his excellent kickoff talk, when he said that identity management must facilitate both hierarchical organizations that are necessary to implement enterprise controls, and social networks that are necessary for collaboration to take place. A lot of the discussion in the following talks were focused on the need to increase transparency with respect to how identity data is used, managed and secured to allow for accurate risk assessment and compliance to take place (echoing what was discussed in the cloud computing SIG). And increased transparency only works when complexity is reduced (preventing opacity from just being replaced by obscurity), an architectural requirement that aligns nicely with the identity services vision discussed on day 2.

Day 2 ended with the second night of hospitality suites, including Oracle. We got such a crowd in the Oracle suite that I barely managed to leave it for a few minutes to meet up with some old friends and colleagues in the other suites. And I made some good friends that day (and into the night – not a topic for this blog). I will say that celebrating Ian Glazer’s birthday at a speakeasy called Prohibition was very cool, even if they didn’t ask me for the password.

Day 3: Identity and Privacy are Blood Brothers

Day 3, while just a half day, still packed a solid punch with lots of intellectually stimulating discussion on the topic of privacy. Ian Glazer made a good point at the start of the conference when he said that the identity community is uniquely qualified to deal with the emerging privacy issues. And the sessions on Friday laid out exactly why. The key point made was that Security (making it difficult to get to something you shouldn’t have access to) should not be confused with Privacy (making it easy to get to something you should have access to). They are related, but not the same thing.

Robin Wilton gave an inspiring talk in which he laid out a framework for having productive privacy discussions with the multiple stake-holders involved. He arrived at this framework by analyzing the results of a series of round table discussions held around the globe as part of the Liberty Alliance Privacy Summit to get contextual understanding of privacy. Robin laid out a “Ladder” framework (Philosophy | Strategy | Implementation | Technology) that helps the parties involved focus on the use cases and issues to resolve. I hope he makes his presentation publicly available in some format in the future, because really is a great piece of work.

Bob Mocny, Director of the US-VISIT program, talked about some of the identity and privacy issues involved in running the single largest biometric authentication program in the world. One of the key takeaways from his and the follow-up sessions was the need for organizations to implement privacy audits as separate programs from their IT-Security audits.

Heidi Wachs, Directory of IT Policy and Privacy Officer at Georgetown Univ, gave an interesting talk about the lessons learned during Georgetown’s efforts to  handle a privacy breach. What I found fascinating was how they went about trying to create and enforce a policy on the use, collection and retention of SSNs. Their findings on how far the data was “leaking”, how hard it was to track down all the possible data flows, and how users went to great lengths to hide their mistakes were a lesson that every enterprise should be aware of. It also highlighted the challenges the extended enterprise, working with business and IT partners and services providers, faces in locking down privacy issues.

The day ended with Google talking about how they protect the privacy of their users. It may have only been a half-day, but the quality of content made it a fitting way to end a thought provoking conference. Look forward to what the next one has to bring.

Tags: Breach Remediation, Burton Catalyst Conference, Catalyst09, Identity Governance, Ladder Framework for Privacy, Privacy, Privacy Audits, Virtual Directory

I did not in any way mean to imply that the majority of applications that are coming out with support for AD do so using a Virtual Directory. What I was actually trying to say (poorly in the end) was this: “And how are more applications looking to support AD anyway? A lot of that has to do with the emergence of Virtual Directory solutions”. Let me talk about this separately in the context of Custom and COTS applications.

There are a large number of custom enterprise applications that support LDAP that were tied to a particular directory, usually something non-AD (most application developers would develop against free LDAP systems like Sun). This was a reality that proved to be a boon for provisioning vendors (like us), but a curse for provisioning implementers, as we then played the role of populating these non-AD directories from the main AD infrastructure. A lot of those same applications are now looking to support AD in addition to (or in place of) what they already supported OOTB, and from what I see, they are doing so by shifting to a Virtual Directory based approach. This shift seems to be specific to custom in-house applications (where Virtual Directory lock-in, a great point raised by Jeff Bohren, is not considered as big of an issue) and is prevalent in heterogeneous directory environments, where AD may be dominant, but is not the only directory available. Virtual Directory provides a nice abstraction to avoid having to deal with the heterogeneity of the environment, and allows consolidation of the spread out data into a single view. This is not really a concern in pure AD shops, but there are few large enterprises that are purely AD.

As for COTS application vendors, I mentioned what Oracle is doing with regards to their strategy on how to support multiple directories. And from talking to a few other application vendors, they are also tired of having to maintain connectors for every single major directory out there. This is one of the main reasons why there is an on-going effort to see if Oracle Virtual Directory can be made an embedded component (as opposed to its own server), something that is part of the middleware stack, so that it can act as a “directory connector” service in the application environment, freeing up applications from having to code against the idiosyncrasies of the individual directories. It is also a reason why so much emphasis is being put on some of the standardization efforts in Higgins and IGF.

Now, this is not to say that a lot of applications are not being built to go directly against AD, with little regard for other directories. All I meant was that from my vantage point (and it may be a skewed one because we are Oracle, so I am more than happy to have people contradict me or correct me on this), a lot of people are looking to support AD without getting locked into AD, and that is driving demand for both OVD and other alternatives.

James asked some good questions with regards to what Oracle is looking to do to help resolve this issue. I’ll get to those in my next post.

Update: Clayton has chimed in with some articulate and well-thought through responses, complete with examples, to this whole discussion. I should have just waited for him to come back and take this up instead of sticking my little neck out there

Tags: Active Directory, Virtual Directory

First, he outlined a use case that he (I think) postulates is best solved by Metadirectory. I won’t recount the whole use case here (read his post to get it), but it involves three identity stores (HR, AD, and a DB) and synchronization between them of attributes that each one is authoritative for. My answer to his question “Is a virtual directory the best solution to meet these needs?” is “No, it isn’t, but Virtual Directory + Provisioning is”. Which is exactly what my post that he was replying to posited.

Now, I’m not trying to be glib here. Metadirectory can definitely solve this use case. But it will be a point solution. The “Aging” that Matt refers to comes into play when you consider that this use case will inevitably be added to with requirements for approval workflows, compliance and privacy controls and upgrade issues. Metadirectory (and Virtual Directory alone) would never be the right solution for those needs because (like Virtual Directory) it is simply an IT tool lacking the Business layer that Provisioning provides. So, the solution will require provisioning. In my experience, there is always a need to look forward to what is coming next before deciding on the solution, which is why in my (relatively medium-term) career, I have seen way too many customer requirements that try to bolt-on provisioning onto an existing metadirectory deployment because it was falling short. A number of times, the metadirectory was stripped down to a mere shell of itself as most of its functionality was moved into the provisioning solution.

I may be biased here (coming from a provisioning background), but nobody is simply looking for point solutions any more. And in any case, my hope is that eventually all of this will go away as we move to Service-Oriented Identity (as Burton calls the Identity Services concept).

Matt goes on to state:

There has been a ground swell of apps that directly support Active Directory as the user store. So, maybe the next versions of the HR and LOB apps in the above scenario would attach directly to AD eliminating the need for any solution here. As prevalent as AD has become, that seems more likely than mass-consumption of virtual directory technologies. And it’s probably what Jackson was alluding to (Quest enables *nix systems to leverage AD).

Well, from the standpoint of a deployer/implementer, I can certainly understand the attraction of the above. But as a product architect and technologist, all I can say is “No, No, No”. Why would we want to tie ourselves into a non-competitive, no-way-out scenario that we see repeated over and over in the OS and Mobile Provider worlds? Choice is necessary, nay vital, to innovation and growth. The minute you lock yourself into a single provider model, you are doomed to forever be curtailed by what that provider dictates. Virtual Directory provides a nice abstraction that frees you from having to make these very decisions on which directory to support (something LDAP was supposed to do, but didn’t).

And how are more applications supporting AD anyway? A lot of that has to do with the emergence of Virtual Directory solutions. A number of applications in the Oracle stable today claim to support AD as the identity store. The mechanism for all these is moving to Virtual Directory NOT because Oracle has a Virtual Directory product, but because maintaining adapters/connectors/plugins and what have you for all LDAP variants is a colossal nightmare.

Metadirectory is aging, but the IdM industry is a lot like the ruthless fashion world, where age has no place except for a few niche areas.

Tags: Active Directory, Identity Services, Metadirectory, Provisioning, Virtual Directory

“Let’s be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead.”

Kim Cameron questioned this in his response. The flaw in his argument (imo) is in lumping directory and metadirectory technology together. Nobody is saying that the directory is dead. It still is (and will continue to be for the foreseeable future) the best storage mechanism available for identity data. What is being said is that the metadirectory approach of taking directory based storage and adding centralization processes and technology (the synchronization, arbitration and flattening of data inherent to the metadirectory story) doesn’t make sense in the brave new world of identity services we are moving towards.

Centralization of data still exists, and will continue to for some time to come. But for a while now, the solution there has been provisioning technology, not metadirectory (see my previous blog post on this topic). Provisioning adds a crucial overlay of policy, controls and process onto the rationalization of identity data (centralization being a byproduct of this).

Where workflow and process are not needed there is no longer a need to centralize, as virtual directory technology provides a scalable, manageable solution far superior to what metadirectory used to provide. Oracle (for one) recognized this a while ago when it bought the technology that became Oracle Virtual Directory.

Virtual directory technology is fast becoming the underpinning of the “identity bus” (as Kim calls it) in an Identity Services based architecture. It provides a services interface that pulls the identity data from where it sits, and transforms it into the claims that the consuming application is interested in. It acts as an abstraction/indirection layer between the identity producer (HR, CRM, Corporate Directory, you name it) and the identity consumer. It also acts as a gatekeeper, ensuring that data use is authorized and policy-compliant. Oracle’s efforts at defining the IGF standard is an attempt to add much needed controls into that interaction of producer and consumer, and OVD is on the very frontlines of this effort.

As always, the mantra should always be to choose the right tool that solves you problems. An Enterprise’s best bet is to put in place an infrastructure that is a nice blend of provisioning and virtual directory. This infrastructure will continue to evolve as the vision for Application-Centric identity evolves.

Tags: Application-Centric IdM, Identity Governance Framework, Identity Hub, Identity Services, IGF, Metadirectory, Oracle Identity Management, Provisioning, Virtual Directory