What’s in a Name? Everything…
Some years ago, we put together a fun little map that shows some of the dangers our customers face in the treacherous waters of Identity Management. But now, after meeting with our customer advisory board during the recent Gartner IAM event in Las Vegas, we’ve had to expand the map to include the cloudy skies of “Azuria” and “Amazonia.”
Many of our largest customers—including Fortune 100 companies—are looking to shutter their data centers and move all operations, including identity, to the cloud. Luckily, Radiant will be right by their side, helping our customers streamline operations and secure their application portfolios. One of the main reasons we can be so helpful is that we’ve evolved the virtual directory technology we pioneered way back in 2000, moving from a proxy-driven tool for aggregating across disparate data stores—which was a huge innovation at the time and still useful in many situations—to a federated identity service based on advanced virtualization, or what we call “FID.”
(Virtualize, Transform, Store) + Sync = FID
This federated identity service gives you complete identity integration from end to end. And it’s more than just an acronym change. Moving from VDS to FID signifies the evolution of identity integration from a lightweight tactical solution to a strategic identity service. The challenges of identity management have only gotten more complex over the years, with the rise of digitization, mobile services, and the cloud. Given the new constraints and challenges facing today’s identity management, we’ve evolved and modified this architecture over the years—in a dramatic way.
The result is an advanced identity service combining real-time synchronization, identity correlation, and directory storage, and leveraging our patented identity virtualization technology. The main challenge of modern identity systems is to address two conflicting trends:
- The multiplicity, heterogeneity (AD, LDAP, SQL, APIs), and distribution of authoritative identity sources.
- The need to present a common global view of identity to applications, no matter where they are—on premises, on the web, or in the cloud.
As an entirely new “identity service” architecture, RadiantOne combines identity information from local sources, then normalizes and generalizes it into a global service. This is what enables companies to authenticate and authorize users across a diverse array of applications, no matter where they’re hosted—and it’s what will enable our customers to take the next major step, shipping their identity into the cloud.
Expanded Capabilities for Increased Complexity: Beyond Meta & Virtual Directories
But why evolve? Because our customers aren’t just securing employee apps behind the firewall anymore—in fact, they’re securing diverse apps hosted in diverse places and accessed by diverse users stored in diverse formats. And because each app requires its own specific view of identity, you either need custom-coded translation logic to make all these pieces work together—think of this as a very expensive vase that’s easily shattered—or you can route requests to the authoritative source where it’s needed, and transform the results on the fly. That was the innovation of the virtual directory: instead of storing the underlying data in a new directory and keeping all the systems synchronized, data is retrieved dynamically from underlying systems.
But such a system still has some serious limitations. It doesn’t scale to cloud and IoT workloads, it lacks metadata, and it can’t handle these essential tasks of identity integration, listed in order of increasing complexity:
- Aggregation brings together different views, different definitions of identity and attributes, by mounting them under different branches at the virtual layer.
- Correlation uses complex rules as needed to detect and disambiguate any duplicate user accounts across different sources, creating a “union set” of identities, a global “reference” list where each user in your system is represented once and only once.
- Integration joins attributes across overlapping user accounts, creating a single, scalable store containing a unique list of complete user profiles.
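To make the three steps concrete, here is an added Python example (not RadiantOne code; the three sources, the schema mappings and the matching rules are constructed assumptions) that mounts fake AD, LDAP and SQL stores under separate branches, correlates their accounts into a union set with an employee-id-first, mail-second rule, and joins the linked attributes into one profile per person. It also shows the check a practitioner wants before using the result for authorization: an account whose mail matches one identity but whose employee id contradicts it is held back for review instead of merged, because a wrong merge would hand one person another’s entitlements.

```python
"""Aggregation, correlation and integration over heterogeneous identity sources.

All data below is constructed for illustration; branch names, attribute
mappings and the precedence order are assumptions, not a product's schema.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# --- Constructed sample sources (an AD-like store, an LDAP-like store, an HR table) ---
AD_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "mail": "John.Doe@Example.com", "employeeID": "E100", "department": "Finance"},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com", "employeeID": "E200", "department": "IT"},
    {"sAMAccountName": "svc-backup", "mail": "", "employeeID": "", "department": "IT"},  # service account
]
LDAP_ENTRIES = [
    {"uid": "john.doe", "mail": "john.doe@example.com", "employeeNumber": "E100", "title": "Analyst"},
    {"uid": "bsmith", "mail": "asmith@example.com", "employeeNumber": "E300", "title": "Contractor"},
]
HR_ROWS = [
    {"emp_id": "e100", "email": "john.doe@example.com", "phone": "+1-555-0100"},
    {"emp_id": "E200", "email": "a.smith@example.com", "phone": "+1-555-0200"},
]

# Per-branch translation from each source's native attribute names to one common schema.
SCHEMAS = {
    "ou=ad":   {"id": "sAMAccountName", "mail": "mail", "employee_id": "employeeID", "department": "department"},
    "ou=ldap": {"id": "uid", "mail": "mail", "employee_id": "employeeNumber", "title": "title"},
    "ou=sql":  {"id": "emp_id", "mail": "email", "employee_id": "emp_id", "phone": "phone"},
}
# When several linked accounts carry the same attribute, the earlier branch wins.
PRECEDENCE = ["ou=ad", "ou=ldap", "ou=sql"]


def normalize(value: str | None) -> str:
    """Case- and whitespace-insensitive comparison key; empty values never match."""
    return (value or "").strip().lower()


def aggregate() -> dict[str, list[dict]]:
    """Step 1 (aggregation): mount each source under its own branch, in the common schema."""
    raw = {"ou=ad": AD_ACCOUNTS, "ou=ldap": LDAP_ENTRIES, "ou=sql": HR_ROWS}
    tree = {}
    for branch, records in raw.items():
        mapping = SCHEMAS[branch]
        tree[branch] = [{common: rec.get(native, "") for common, native in mapping.items()} for rec in records]
    return tree


@dataclass
class GlobalIdentity:
    key: str
    accounts: list[tuple[str, dict]] = field(default_factory=list)  # (branch, account) in precedence order


def correlate(tree: dict[str, list[dict]]):
    """Step 2 (correlation): build the union set, one GlobalIdentity per person.

    Rules in priority order: employee id, then mail. An account whose rules point
    at two different identities, or whose employee id contradicts the identity its
    mail matched, is returned in `ambiguous` for review rather than merged.
    """
    identities: dict[str, GlobalIdentity] = {}
    by_emp: dict[str, str] = {}
    by_mail: dict[str, str] = {}
    ambiguous: list[tuple[str, dict, list[str]]] = []
    for branch in PRECEDENCE:
        for acct in tree[branch]:
            emp, mail = normalize(acct.get("employee_id")), normalize(acct.get("mail"))
            candidates = set()
            if emp in by_emp:
                candidates.add(by_emp[emp])
            if mail in by_mail:
                candidates.add(by_mail[mail])
            if len(candidates) > 1:  # rules disagree: do not guess
                ambiguous.append((branch, acct, sorted(candidates)))
                continue
            if candidates:
                key = candidates.pop()
                known = {normalize(a.get("employee_id")) for _, a in identities[key].accounts} - {""}
                if emp and known and emp not in known:  # shared mailbox, different person
                    ambiguous.append((branch, acct, [key]))
                    continue
            else:
                key = f"{branch}/{acct['id']}"
                identities[key] = GlobalIdentity(key)
            identities[key].accounts.append((branch, acct))
            if emp:
                by_emp.setdefault(emp, key)
            if mail:
                by_mail.setdefault(mail, key)
    return identities, ambiguous


def integrate(identities: dict[str, GlobalIdentity]) -> dict[str, dict]:
    """Step 3 (integration): join linked accounts into one complete profile per identity."""
    profiles = {}
    for key, ident in identities.items():
        profile = {"sources": [f"{b}/{a['id']}" for b, a in ident.accounts]}
        for _, acct in ident.accounts:  # already in PRECEDENCE order, so first non-empty value wins
            for attr, val in acct.items():
                if attr != "id" and val and attr not in profile:
                    profile[attr] = val
        profiles[key] = profile
    return profiles


def build_reference_image():
    """Run all three steps; returns (profiles, accounts held back for review)."""
    identities, ambiguous = correlate(aggregate())
    return integrate(identities), ambiguous


if __name__ == "__main__":
    profiles, held = build_reference_image()
    for key, prof in profiles.items():
        print(key, prof)
    for branch, acct, keys in held:
        print("REVIEW:", branch, acct["id"], "conflicts with", keys)
```

Running it yields three global identities (jdoe with attributes joined from all three branches, asmith from AD plus HR, and the service account standing alone because empty keys never match) and one held-back account: the LDAP contractor who shares asmith’s mailbox but carries a different employee number.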
The result of these functions is a coherent image of your identity data that acts as your ultimate source for authentication and authorization behind any modern identity provider layer (whether that’s SAML 2.0, OpenID Connect, or OAuth). Such a reference image is also the identity foundation for provisioning Azure AD, or any AD instances or LDAP directories running on Amazon Web Services. (If your target is LDAP, we recommend HDAP, our extremely scalable LDAP v3-compatible directory based on Big Data clusters, because scalability is essential in our cloud-driven era.)
Catching the Wave of Disruption: Federating Your AD to Migrate to the Cloud
So how are large enterprises like our customers planning to launch their armadas and migrate their operations into the cloud? They begin with identity, because security is still a prime imperative, whether you’re authenticating and authorizing users for apps behind the firewall, on the web, or in the cloud. Many will start by linking identity into the cloud, which our federated identity service is uniquely capable of helping you with—and we’ll look at exactly how RadiantOne does that in a series of posts over the next few weeks.
Although RadiantOne has helped many companies do more with their customer identities in SQL, we know that this new push to migrate to the cloud must begin first with employee identities—and that means federating your Active Directory in the cloud. With RadiantOne, you can organize multiple domains and forests, along with all your other identity stores—including LDAP, SQL, and APIs—into a federated flotilla that provisions and syncs your internal identity infrastructure on one of the major cloud directories: Azure AD or AWS. RadiantOne makes it possible to provision either one and I’ll show you how in our next few posts—so be sure to check back!
Happy 2017 from Radiant—may it be a year of peace, growth, and excellent returns on ALL your investments…