04 Nov 2009
November 4, 2009

Manage Globally. Act Locally.

0 Comment

How identity and context virtualization will change the way we manage identities

My company invented the virtual directory to help take the complexity out of IdM. And now we’ve expanded on that idea to deliver a complete integration solution we call “identity and context virtualization.” I’d like to take the opportunity to explain what it is and why we developed it.

First off, when I say “IdM,” I mean it in its largest sense. While governance, risk, and compliance for internal populations is important, the larger and more rewarding task is helping you integrate high-value, heterogeneous identities for externally-focused initiatives, such as WAM, federation, SaaS, and more.

With that in mind, we’ve all got identities to integrate and new architectures to support.
But right now, the elements of identity are scattered across directories, databases, and applications. Reaching across all these heterogeneous, distributed data silos to aggregate and synchronize identities has proven nearly impossible.

So how do we solve today’s integration challenges and lay the groundwork for tomorrow’s modern architectures, such as user-centric identity, Identity-as-a-service, and the cloud? In short, we need to manage globally and act locally. By this I mean that we need to deliver a global view of identity, while we enforce security at the local level, as close to the sources of services as possible.

And this solution needs to be easily deployed and scalable, since nothing’s getting simpler in the world of identity, things are only growing more complex at every level.
But how can we fill such a tall order? Well, we begin with the idea that those who do not understand history are doomed to repeat it.

What won’t work: Wait and see vs. tear it down and start over

Some see the gap between the present and the future and urge caution, saying let’s wait and see what happens. Others want to throw away the current identity infrastructure and build something completely new.
But we can’t wait when it comes to staying productive and maintaining a competitive advantage. And we can’t afford to blow up what’s already there and build an entirely new infrastructure-yet another silo-to take us into the future.

Learning from the past to innovate for the present and future

So we took more pragmatic, evolutionary approach, using what we already have to develop an infrastructure with the future built in. To do that, we revisited an old idea-the metadirectory-and a newer idea-the virtual directory as a proxy-and combined the best of both worlds. The result is a solution that solves the identity integration challenges we’re facing now, while building the right foundation for all those potentially rich future applications, such as user-centric identity, IDaas, and the cloud.

Identity and Context Virtualization: The Best of Both Worlds

Rediscovering what’s old: Metadirectory

From the metadirectory, we learned the importance of building a global reference for each identity, through synchronization, correlation of global/local identifiers, and disambiguation. We also found tools that let us build a highly scalable solution.

The metadirectory also taught us what not to do: move every instance, every facet of an identity into a single directory. We cannot simply centralize identity to secure today’s distributed environments or enable tomorrow’s new services. For security’s sake, there are some categories of information that you cannot move around, such as primary credentials-especially passwords, the weakest link in the chain. Plus, when you try to centralize everything, putting all logic and all function in one place, you end up paralyzed by the complexity of the task.

Reinventing what’s new: Virtual directory as proxy

The “virtual directory as proxy,” which is Radiant-speak for what the market calls a “virtual directory,” solved this challenge of centralization by calling the underlying systems to check credentials. This lets security happen in the manner appropriate to each data source-by delegating the security checking, you’re “acting locally”-while providing an abstraction layer to shield applications from the complexity of the underlying silos.

But while we know the virtual directory delegates security quite elegantly, we also know that as a proxy alone, it cannot scale as the number of sources and volume of queries begin to rise. As a consequence, the “virtual directory as proxy” remains confined to niche tactical deployments for a limited number of identities. And that’s unfortunate because the “delegation pattern” is a key requirement in many of today’s high-volume, heterogeneous, mission-critical identity deployments.

Finally, both architectures taught us that the more complete your abstraction, the better. Basically, metadirectory was not “meta” enough and virtual directory as a proxy was not “virtual” enough. The more comprehensive the model of your system, the more flexibility you have-making your infrastructure more adaptable and protecting it from unavoidable change.

Building a better platform: Identity and context virtualization

The key to delivering identity as a service is the ability to abstract identities with their corresponding security contexts, so you can deliver the best services according to your applications’ needs. The way to achieve that is by linking identity and security context through virtualization. Here’s how we do that:

  • Virtualization simplifies the entire process, acting as an abstraction layer between applications and data sources.
  • Global/local reference and disambiguation delivers one version of the truth by correlating identity overlap and building a global map of your identity. (The “manage globally” side of the equation.)
  • Proxy/delegation passes the credentials and password verification to the original source. (The “act locally” part.)
  • Synchronization provides the scalability, performance, and high availability required when data needs to be moved.

It’s not about the storage, it’s about the service…

This changes how directories are viewed. Now it’s not only about storage, it’s also about delivering a set of services indispensable for the identity stack-and the directory is enabled to offer those services through the magic of virtualization. But this is more than a point solution that does a quick and dirty remapping of attributes and query routing; it’s a sophisticated virtualization that creates a complete model of your system.

Our approach to virtualization is all about flexibility and scalability. By building a single global data model out of all your existing systems, you have the flexibility to create unlimited new views of your existing data as your applications require. And synchronization between the logical layer and the physical layer is auto-generated, giving you a solution that scales, no matter how complex the integration, high the volumes, or heterogeneous the data sources composing the view.

The most critical element is no longer how identities are stored, but how they’re aggregated, synchronized, and disambiguated-in short, integrating identity first, then delivering it as a directory. This becomes a powerful new way to view directories: as a set of services you could package and deliver, using different protocols as needed-LDAP, of course, but also SQL, as well as newer protocols such as web services.

Uncategorized

Leave a Reply

Your email address will not be published. Required fields are marked *








    seven − four =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Recent Blogs

Categories

Archives