By Clayton Donley, CTO, OctetString
The new class of enterprise applications is certainly a marvelous phenomenon to behold. Many of these applications have the potential to make substantial improvements in the way organizations operate. In fact, they offer capabilities that were inconceivable just a few years ago.
Therein lies the problem. Since no one conceived of performing these types of comprehensive operations back then, much of the identity data they need to accomplish their missions is not stored in a way that makes it easy to access. Instead of being in a single place, it's scattered across the enterprise in incompatible directories. As a result, the enterprise applications themselves are like a Ferrari engine—sleek, responsive, and powerful—while the data structure that supports them has all the nimbleness of a Yugo. And as in any kinetic chain, the power of the whole is limited by the weakest link.
Changing the entire data infrastructure to a more homogenous one is certainly one option. Of course, the likelihood of getting that project approved is about the same as teaching a pig to fly. A better choice is to change the way data is accessed by the enterprise applications.
All together now
There are two options for changing data access. One is to have all the individual directories feed their identity data into a single meta directory. This method definitely narrows down the number of places an enterprise application must search for the data it needs, and it reduces the number of interfaces required to access that data.
The downsides of this method are:
- The data is only as current as the last synchronization, and
- The original data owners might not like letting the data out of their control and thus may be inclined to fight the project tooth and nail.
The latter can be a legal battle when data is controlled under laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act for financial data, and Sarbanes-Oxley. Even worse, it can also be a battle of corporate politics or territories, which, as everyone knows, can be unpleasant and tough to win.
There is an alternative, however, that provides the single view of identity data without changing the infrastructure: virtual directory technology. Instead of storing all the data that might possibly be needed in one place, virtual directory technology is a lightweight service that retrieves specifically requested data from its native repositories on demand, in real time, and presents it as though it were all stored together. This method ensures that enterprise applications are always working with the most current version of the data—which is especially important when security is an issue—while eliminating the legal and/or political battles that come with attempting to change the way data is stored.
Virtual directory technology in action
Here are some of the ways virtual directories are being used to improve data access at Fortune 500 organizations.
Portal to a portal
One of the most popular enterprise applications at the moment is the portal. By its very nature, a portal is designed to take information that's normally available in many other applications and allow users to access it with a single interface.
An employee portal is a common example of this technology. It's very convenient for employees to be able to access vacation records, healthcare information, salary data, departmental announcements, etc., in a single location. But here's where HIPAA and other laws come into play. If private data for one employee is seen by another without the proper permission, the organization is liable. That's why the Human Resources (HR) department is very reluctant to allow that information to be stored with non-private data outside of their control.
Virtual directories overcome these risks by providing tight controls over user identities, and by accessing the data from its native repositories. The user must be properly authenticated for the specific request to go through, and only data that the user is authorized to see, according to the data owner's rules, is released. Having these assurances helps earn the project approval faster, while the technology itself drives down both the cost and the time required for implementation.
Differences in directories
A common situation in large enterprises is the use of different directory products, such as Microsoft Active Directory, Novell eDirectory, SunONE, IBM Tivoli Directory Server, and OpenLDAP, in different divisions or even departments. This situation presents a problem to enterprise applications, which are usually written to interface with only one of these products.
However, because they are all based on the Lightweight Directory Access Protocol (LDAP), a virtual directory can act as an LDAP proxy, taking a request written for one directory infrastructure and translating it into a form that is recognized by another.
This method also comes in handy when an enterprise application needs to access data stored in other, individual applications. Normally in this situation, either the individual applications would need to be migrated to enterprise app status, or the organization would have to incur great expense and devote a lot of effort to creating workarounds.
By installing a virtual directory, the organization avoids all that extra work. The LDAP request is simply mapped from one directory infrastructure to the other by the virtual directory. The more directory products you have in place, the more valuable this LDAP proxy service becomes.
The LDAP mapping described on a relatively small scale in the previous section can also be applied to the much larger task of directory migration.
Suppose your organization has jumped aboard the open-source bandwagon and decided to move from Active Directory to OpenLDAP. This normally would be a huge undertaking that requires rewriting the directory portion of every application the organization uses—including any enterprise-wide applications—with planning requirements that rival landing on the beach at Normandy.
Virtual directories simplify migration by taking the time element out of it. Rather than taking an all-or-nothing approach, virtual directories allow the organization to migrate everything piecemeal. In fact, actual migration isn't required at all, as the two systems can be used side by side. But if the organization wants to keep everything clean by making a changeover, virtual directories enable it to proceed in an easier, more orderly fashion.
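The LDAP mapping behind both the proxy scenario above and the piecemeal Active Directory to OpenLDAP migration, as an added illustration that is not OctetString's VDE code: an application keeps sending Active Directory style requests, and the proxy layer rewrites the search base, the attribute names and the objectClass values into OpenLDAP terms, then presents the results back under the names the application expects. The attribute and objectClass names are genuine schema names; the mapping table, DNs and sample entry are constructed for the example, and the two-way mapping generalises to any pair of directory products with a known attribute correspondence.

```python
import re
# Constructed AD-to-OpenLDAP mapping; attribute/objectClass names are real schema names.
ATTR_MAP = {"sAMAccountName": "uid", "userPrincipalName": "mail",
            "givenName": "givenName", "sn": "sn", "cn": "cn",
            "objectClass": "objectClass"}
CLASS_MAP = {"user": "inetOrgPerson", "group": "groupOfNames"}
AD_BASE = "OU=Staff,DC=corp,DC=example,DC=com"
LDAP_BASE = "ou=people,dc=example,dc=org"

# One "(attr op value)" item of an LDAP filter; the nesting operators
# &, |, ! are not letters, so the rewrite leaves them untouched.
_ITEM = re.compile(r"\(([A-Za-z][\w;.-]*)(~=|>=|<=|=)([^()]*)\)")

def map_filter(ad_filter: str) -> str:
    """Rewrite an AD-style search filter into OpenLDAP attribute names."""
    def repl(m):
        attr, op, val = m.groups()
        if attr not in ATTR_MAP:
            # Refuse rather than pass through: only mapped attributes are exposed.
            raise ValueError(f"no mapping for attribute {attr!r}")
        if attr == "objectClass":
            val = CLASS_MAP.get(val, val)
        return f"({ATTR_MAP[attr]}{op}{val})"
    return _ITEM.sub(repl, ad_filter)

def map_base(ad_dn: str) -> str:
    """Rebase a search base under the AD namespace onto the OpenLDAP one."""
    if not ad_dn.lower().endswith(AD_BASE.lower()):
        raise ValueError("search base outside the proxied namespace")
    prefix = ad_dn[: len(ad_dn) - len(AD_BASE)]
    if prefix and not prefix.endswith(","):
        raise ValueError("search base outside the proxied namespace")
    return prefix + LDAP_BASE

def translate_request(ad_base: str, ad_filter: str) -> tuple:
    """Search base and filter the proxy forwards to OpenLDAP."""
    return map_base(ad_base), map_filter(ad_filter)

def translate_entry(entry: dict) -> dict:
    """Present an OpenLDAP entry under AD names; unmapped attributes are dropped."""
    back = {v: k for k, v in ATTR_MAP.items()}
    back_class = {v: k for k, v in CLASS_MAP.items()}
    out = {}
    for attr, values in entry.items():
        if attr in back:
            if attr == "objectClass":
                values = [back_class.get(v, v) for v in values]
            out[back[attr]] = values
    return out
```

Because unmapped attributes (such as userPassword) are rejected on the way in and dropped on the way out, the data owner's mapping table doubles as the rule for what the proxy will ever release.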
The ins and outs
Another challenge for enterprise applications in multidivision organizations comes from mergers and acquisitions. If the two merged entities are allowed to continue acting somewhat autonomously in terms of their IT infrastructures, the organization may be faced with a situation where part of the data is managed in-house by one division, and another part is managed by an outsourcer.
The LDAP proxy capabilities of virtual directories help here as well. Rather than requiring a single store or infrastructure, virtual directories can draw from multiple directory environments through both network and Internet connections. This flexibility is a tremendous advantage in presenting a single view of data from widely dispersed sources.
Howdy (trading) partner
One final scenario comes with extranets or other eBusiness applications designed to make it easier to work with trading partners. Here you often have data security and authorization concerns combined with a multiple-directory environment.
Suppose you work for a manufacturing company that uses channel partners to sell and purchase raw materials online. The organization wants a single eBusiness application to manage both sides of the business, and wants to be able to draw reports and build a dashboard of key performance indicators for each segment.
On the channel partner side, in order to get the information you need you have to gain access to the partners' systems—a trust issue if there ever was one. Naturally, their biggest concern will be that their data doesn't somehow end up in the hands of their competitors. It's also very unlikely that all of those partners are using the same directory infrastructure as you.
On the supplier side, you are again faced with a multiple-directory environment. Since they're unlikely to change their infrastructure to accommodate you, it's up to you to figure out how to access the data in a way that can be summed, sliced, and diced effectively.
Virtual directories solve all of these problems through the methods discussed previously. They don't store anything permanently, so there's little risk of data bleeding and no persistent store for an outsider to break into. And no matter how many different directory products are being used, they can interface with all of them to present the unified view of data required for reports.
Get ready to zoom
An inefficient directory infrastructure can bog down a well-designed enterprise application very quickly. Virtual directory technology can help you overcome the limitations of your current infrastructure, so your apps can perform the way they're designed and intended. Open them up and let the engines roar.
Clayton Donley is Founder and Chief Technical Officer of OctetString, whose Virtual Directory Engine (VDE) Suite and other products allow organizations to manage user identification quickly and seamlessly. He is an internationally recognized authority on identity management, and has served as a consultant on numerous high visibility projects and as an author on the topic. He can be reached at firstname.lastname@example.org.