In-Depth

Identity Management: Untangling Meta and Virtual Directories

We discuss how organizations use virtual directories to interface enterprise applications and identity data with Clayton Donley, CEO of OctetString, a virtual directory provider.

• By Mathew Schwartz
• 08/06/2003

Vendors are beginning to offer more rapid identity management rollouts, so organizations don’t have to make identity an all-or-nothing enterprise rollout. One stumbling block for customers, however, is simply liberating existing data from information silos and centralizing it, in order for access control, portals, and other enterprise applications to access it.

One way to speed up that process is to use virtual directories to interface enterprise applications and identity data. To untangle how organizations do that, and the differences between virtual directories and the meta directories—synchronized repositories that many Fortune 500 companies, at least, already have in place—Security Strategies spoke with Clayton Donley, CEO of OctetString (http://www.octetstring.com/) in Schaumburg, Ill. The company is a virtual directory provider whose customers include Emory University, Boeing, and Coca-Cola. Donley is also author of “LDAP: Programming, Management and Integration."

What’s the purpose of identity directories?

The key thought is that identities are everywhere—Active Directory, another type of directory such as LDAP, or a customer relationship management database. All of the information is out there, some about the same people, some about different people. As you get to deploying enterprise applications (portals, ERP) and access control, those applications need information about everyone. They can't just take information about internal employees, or just external partners, or you're not going to get the full ROI. Why identity management is so important today is the end goal: to get identities in reach of those applications.

What are key identity management challenges?

A lot of the challenges have been political in nature. Technology such as ours, however, can get you up and running around those barriers in a couple of days.

How does a virtual-directory approach circumvent political barriers?

The biggest political challenges you have are related to data ownership, because I have one group that manages external users—say CRM or ERP applications—and another group of internal users managed by the LAN group, and those groups often don't mix. But the application needs both [sets of data]. I can boil the ocean and come up with the one grand schema that everyone likes, or I can face reality and say that these applications are all being developed by different people, and they're not going to standardize on one interface. So what I can do is create a virtual directory.

What’s an example of how your software has surmounted a political barrier?

[One Fortune 500 customer] has two separate divisions, and each had their own administrative groups, each using Active Directory. In fact, one of the groups outsourced all of their IT management, so even if they wanted to synchronize [the data], this company had a political issue, and couldn’t just synchronize—they'd have to terminate the business relationship. That's a major decision. But they were deploying SAP Portal, and to use SAP Portal they needed one identity directory. So they downloaded our software and had it in production in 30 days. To get that deployed and not have to wait nine months for a meta-directory implementation is huge. What you did was simply give your applications a way to see these two directories as one.

Why can meta-directories take longer implement?

The implementation isn’t so much a technical issue. It comes down to the data management issues—meeting to agree on standard data formats, for example.

So the main virtual-directory concept is to not duplicate information for every application?

You don't want to duplicate this information for all applications. The key thing isn't so much the duplication, but the administration around each piece of this infrastructure. So if you can eliminate the cost of doing that for each piece of software you have, that's the ROI right there.

And by not re-centralizing information into new silos, virtual directories leave data ownership in place?

Exactly. The portal people don't want to be managers of identity. We have another customer, one of the largest software/hardware manufacturers in the world, using [our software] to give identities to their VPN and firewall systems, and, well, the network people aren’t identity experts, they don't want to manage identities. What they want to do is tap the identities that are already out there.

What’s involved in setting up either kind of directory?

A virtual directory is a pretty quick implementation. As far as a meta goes, it’s not terribly difficult in terms of installing. It always comes down to the challenges of how do I get people to agree on this, [then] around all the consultants you need to bring in, [and] the time [that takes].

Do meta-directories stay updated through batch updates?

Meta-directories are advanced synchronization tools. Virtual directories are about giving you real-time access to your existing infrastructure, really about presenting what you have to applications in the way you need.

When are meta-directories especially called for?

Data stored in data repositories that have really poor access time in real time. If you have a really old AS/400 and you don't plan to upgrade it, you might still want to synchronize that information into other repositories that you're already actively managing.

Does legacy data need to be put into a meta-directory so a virtual directory can tap it?

We have people who have done both. Even on the internal integration side, people have used virtual for everything. And we see people who have deployed meta-directories, and many of them have realized that they can use virtual [too] to give those meta-directory-created repositories [an interface to] new applications. It’s not an either/or approach.

How do the two approaches compare from a cost standpoint?

Really, you're never going to justify a meta-directory approach based on a single application. It's not the cost of the meta-directory software itself, but as with other provisioning, you really have a lot of research that has to go into the project before you get started. Whereas with virtual directories, they can justify the initial virtual-directory approach because they have one application that needs it.

So you handle presenting data in the correct format to applications that need it?

OctetString’s product, Virtual Directory Engine, has technology that allows you to configure, rather than develop. You can configure mapping so that an attribute value gets changed to what the application likes, or in other cases you can figure that you have one directory with a group of users, and another with another group of users. It's all about configuration. Whereas with a meta-directory, some of that will be configuration, but other [requirements] will be developing scripts to deal with that.

Related story:

Bite-size Identity Management: Rapid Deployment Key to Successhttp://info.101com.com/default.asp?id=836