IDENTITY CHALLENGE

  • Develop a strategic plan for identity.

  • Consolidate multiple fragmented identity resources.

  • Deploy security and provisioning software on the unified identity infrastructure.

Overview:

A global manufacturing company specializing in heavy equipment had found it easier to manage its IT geographically, and had designed its infrastructure accordingly. Administrative work stayed close to the users and the locally protected resources. This gave an efficient administrative model, but there was no directory service that represented the company as a whole. Instead, each region had its own tree structure, with no common tie to the other regional directory trees.

With a growing number of web-based applications accessed at the enterprise level, the company recognized the need to address identity at the enterprise tier and not just at the local user level. The existing identity information had to be combined, but several challenges were immediately apparent.

The three primary integration issues were:

  1. Since much of the identity information existed in the regional security domains, the first issue was determining how to use multiple existing directories together as if they were a single directory. It was critical that this effort not interrupt applications already running under the current directory architecture.
  2. Some of the secured applications also needed to be available to partners and suppliers. Their identity information lived in a database, not in a directory server, so the identity infrastructure had to include a way to bring database information into the directory service.
  3. The third major integration challenge was that the passwords in the database were stored in a proprietary format. The database vendor provided a library operation that could determine whether a given password was valid (pass/fail), but the directory server's bind operation had to be customized to call that library function.

Solution:

The RadiantOne approach to solving these challenges starts by breaking the problem down into smaller, manageable phases with clearly identifiable goals:

  1. Identify the requirements and goals. Inventory and analyze the current data environment.
  2. Construct an identity infrastructure.
  3. Tackle the security projects first (Network Security and Web Access Controls).
  4. Address provisioning after the infrastructure is in place.

Phase 1 of any identity project starts by taking a close look at what kind of identity information exists, how it is accessed and formatted, and how useful it is for the identity infrastructure. An extensive directory services backbone was in place, but it was organized into separate, regionally defined security domains, and it was already in production supporting a number of vital corporate applications. It was immediately clear that the identity projects had to be inserted without disrupting any of the existing applications.

In addition, some regions wanted the option of moving to different directory services platforms in the future, such as upgrading to Active Directory. The identity infrastructure therefore had to avoid tightly coupled integration so that future directory migration plans would remain manageable.

For phase 2 of the project, the RadiantOne Identity and Context Virtualization Platform was used to implement a single "virtual" view of multiple directories and databases. The virtual view could be managed, manipulated and redesigned, leveraging existing data without affecting how existing applications use that same data.

Using a configuration that delegates authentication, the RadiantOne Identity and Context Virtualization Platform could easily route authentication requests back to the directory service that owns the entry. The identities that came from the database, however, posed a tougher integration challenge. As noted above, the database's password fields used a proprietary algorithm, so there was no way to reuse those fields natively. A library operation was available, though, to test whether a password is valid. Using RadiantOne's interception script functionality, the internal mechanics of the authentication (bind) operation were extended to call that library, which made it possible to authenticate database users with their original passwords.
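As an added illustration (not Radiant Logic's code or configuration), here is a toy Python model of the delegated bind described above: a virtual view presents entries from two regional trees and a partner database under one naming context, routes each bind back to the owning source, and for database users calls a stand-in for the vendor's pass/fail library. The names `directory_verify`, `vendor_verify`, `build_sample` and all sample users are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


def directory_verify(stored: str, candidate: str) -> bool:
    """Regional directories keep a SHA-256 userPassword (constructed format)."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)


def vendor_verify(stored: str, candidate: str) -> bool:
    """Stand-in for the database vendor's pass/fail library call (assumption).
    The stored value is opaque to the directory: we never decode it, only ask."""
    return hmac.compare_digest(stored.encode(), ("opaque:" + candidate).encode())


@dataclass
class Backend:
    name: str
    entries: Dict[str, dict]            # uid -> attributes, incl. the credential
    verify: Callable[[str, str], bool]  # per-source check (the "delegation" config)


@dataclass
class VirtualDirectory:
    backends: list
    base: str = "o=company"             # one naming context for every source

    def _find(self, uid: str) -> Optional[Tuple[Backend, dict]]:
        for b in self.backends:
            if uid in b.entries:
                return b, b.entries[uid]
        return None

    def search(self, uid: str) -> Optional[dict]:
        """Virtual view: the entry appears under the common base whatever its origin."""
        hit = self._find(uid)
        if hit is None:
            return None
        b, e = hit
        return {"dn": f"uid={uid},{self.base}", "source": b.name, "mail": e["mail"]}

    def bind(self, uid: str, password: str) -> bool:
        """Delegated bind: fail closed for unknown uids, else ask the owning source."""
        hit = self._find(uid)
        if hit is None:
            return False
        b, e = hit
        return b.verify(e["credential"], password)


def build_sample() -> VirtualDirectory:
    """Constructed sample: two regional trees plus the partner database."""
    sha = lambda p: hashlib.sha256(p.encode()).hexdigest()
    emea = Backend("emea-dir", {"alice": {"credential": sha("Alice!1"), "mail": "alice@example.com"}}, directory_verify)
    apac = Backend("apac-dir", {"chen": {"credential": sha("Chen!3"), "mail": "chen@example.com"}}, directory_verify)
    partners = Backend("partner-db", {"bob": {"credential": "opaque:Bob!2", "mail": "bob@partner.example"}}, vendor_verify)
    return VirtualDirectory([emea, apac, partners])
```

Applications see one tree (`uid=...,o=company`) and one bind endpoint; which backend answers, and how it checks the password, stays a configuration detail of the virtual layer.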

The decision to use the Virtual Directory Server (VDS) paid off early in phase 3, whose aim was to gain more control over security for several sensitive business applications. To integrate the identity infrastructure with each application, the directory service had to support very specific schema requirements. Without VDS, the directory would have had to be physically reconfigured for extended schemas and reorganized into different branches for specific application needs, with complex synchronization logic to keep it all consistent. With VDS, a new "view" of the directory could be created to meet each security package's schema requirements, and the identity information simply appeared in the virtual directory in the proper format.

With the success of the first three phases of its identity initiative, the company was able to continue executing its identity strategy and is currently working toward the phase 4 goal and beyond.

Results:

Radiant Logic provides its customers with solutions for building an identity infrastructure integrated with existing directory services; in this case the result was flexible enough to adapt to new requirements.

By using VDS, the company could execute its identity strategy on top of this infrastructure, keeping projects on track and on budget while positioning itself to meet future requirements.
