By Clayton Donley,
CTO, OctetString

The new class of enterprise applications is certainly a
marvelous phenomenon to behold. Many of these applications have the potential
to make substantial improvements in the way organizations operate. In fact,
they offer capabilities that were inconceivable just a few years ago.

Therein lies the problem. Since no one conceived of
performing these types of comprehensive operations back then, much of the
identity data they need to accomplish their missions is not stored in a way
that makes it easy to access. Instead of being in a single place, it’s all over
the enterprise in incompatible directories. As a result, the enterprise
applications themselves are like a Ferrari engine—sleek, responsive, and
powerful—while the data structure that supports them has all the nimbleness of
a Yugo. And as in any kinetic chain, the power of the whole is limited by the
weakest link.

Changing the entire data infrastructure to a more homogeneous
one is certainly one option. Of course, the likelihood of getting that project
approved is about the same as teaching a pig to fly. A better choice is to
change the way data is accessed by the enterprise applications.

All together now

There are two options for changing data access. One is to
have all the individual directories feed their identity data into a single
metadirectory. This definitely narrows down the number of places an
enterprise application must search for the data it needs, and it reduces
the number of interfaces the application has to support to reach that data.

The downsides of this method are:

  • The data is only as current as the last synchronization, and
  • The original data owners might not like letting the data out of their control
    and thus may be inclined to fight the project tooth and nail.

The latter can be a legal battle when data is controlled
under laws such as the Health Insurance Portability and Accountability Act (HIPAA),
the Gramm-Leach-Bliley Act for financial data, and the Sarbanes-Oxley Act.
Even worse, it can also be a battle of corporate politics or territories,
which, as everyone knows, can be unpleasant and tough to win.

There is an alternative, however, that provides the single
view of identity data without changing the infrastructure: virtual directory
technology. Instead of storing all the data that might possibly be needed in
one place, virtual directory technology is a light-weight service that accesses
specifically requested data from its native repositories on demand in real time
and presents it as though it were all stored together. This method ensures that enterprise
applications are always working with the most current version of the data, which
matters most when that data drives access decisions: an account disabled in its home
directory is disabled in the virtual view immediately, not after the next
synchronization. It also avoids the legal and political battles that come with
attempting to change the way data is stored.

Virtual directory technology in action

Here are some of the ways virtual directories are being used
to improve data access at Fortune 500 organizations.

Portal to a portal

One of the most popular enterprise applications at the
moment is the portal. By its very nature, a portal is designed to take
information that’s normally available in many other applications and allow
users to access it with a single interface.

An employee portal is a common example of this technology.
It’s very convenient for employees to be able to access vacation records,
healthcare information, salary data, departmental announcements, etc., in a
single location. But here’s where HIPAA and other laws come into play. If
private data for one employee is seen by another without the proper permission,
the organization is liable. That’s why the Human Resources (HR) department is
very reluctant to allow that information to be stored with non-private data
outside of their control.

Virtual directories address these risks by leaving the data in its native
repositories and enforcing access control at the point of request. The requesting
user or application must be properly authenticated before the request is forwarded,
and the response contains only the attributes that the data owner's rules authorize
for that requester. Having these assurances helps earn the project approval faster,
while the technology itself drives down both the cost and the time required for
implementation.

Differences in directories

A common situation in large enterprises is the use of
different directory products, such as Microsoft Active Directory, Novell eDirectory,
SunONE, IBM Tivoli Directory Server, and OpenLDAP, in different divisions or even
departments. This situation presents a problem to enterprise applications, which are
usually written to interface with only one of these products.

However, because they all speak the Lightweight Directory Access Protocol (LDAP),
a virtual directory can act as an LDAP proxy. The products differ in what sits behind
the protocol, not in the protocol itself: naming contexts (the DN suffix under which
entries live), schema (attribute names such as sAMAccountName versus uid, and object
classes), and vendor extensions. The proxy takes a request written for one directory
infrastructure, rewrites the base DN, filter and attribute names into the form the
other recognizes, and maps the results back on the way out.

This method also comes in handy when an enterprise
application needs to access data stored in other, individual applications.
Normally in this situation, either the individual applications would need to be
migrated to enterprise app status, or the organization would have to incur
great expense and devote a lot of effort to creating workarounds.

By installing a virtual directory, the organization avoids
all that extra work. The LDAP request is simply mapped from one directory
infrastructure to the other by the virtual directory. The more directory
products you have in place, the more valuable this LDAP proxy service becomes.
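To make the proxy concrete, here is an added example written for this edit; it is not code from the article or from OctetString's Virtual Directory Engine. It shows in Python what the LDAP translation and the data-owner release rules described above amount to: an application written for an Active Directory-style namespace and schema searches the virtual view, the layer rewrites the base DN, filter and attribute names into OpenLDAP-style form, runs the search against a set of backend entries, maps the results back under the virtual suffix, and releases only the attributes the requester's rule allows. The suffixes (dc=example,dc=com and ou=people,o=acme), the attribute and value mappings, the requester DNs, the release rules and the backend entries are all assumptions constructed for the example, and the filter parser covers only the and/or/not, equality, presence and '*' substring forms.

```python
"""Added example, not code from the article or from OctetString's products: a minimal
virtual-directory translation layer. An application written for an Active Directory-style
namespace and schema searches the virtual view; the layer rewrites base DN, filter and
attribute names into OpenLDAP-style form, runs the search against constructed backend
entries, maps the results back, and releases only what the data owner's rules allow."""
import re

VIRTUAL_SUFFIX = "dc=example,dc=com"  # namespace the application sees (assumed)
BACKEND_SUFFIX = "ou=people,o=acme"   # namespace the backend really uses (assumed)
# Attribute names, virtual (AD-style) -> backend (OpenLDAP-style); anything not listed is
# outside the virtual view and is refused rather than passed through to the backend.
ATTR_TO_BACKEND = {"samaccountname": "uid", "displayname": "cn", "mail": "mail",
                   "telephonenumber": "telephonenumber", "objectclass": "objectclass"}
VALUE_TO_BACKEND = {("objectclass", "user"): "inetorgperson"}  # values that differ per schema
# Data-owner release rules: attributes each authenticated requester may receive (assumed).
RELEASE_RULES = {
    "cn=portal,ou=apps,dc=example,dc=com": {"samaccountname", "displayname", "mail"},
    "cn=hr-app,ou=apps,dc=example,dc=com": {"samaccountname", "displayname", "mail", "telephonenumber"},
}
# Constructed backend entries, in the backend's own naming and schema.
BACKEND_ENTRIES = [
    {"dn": "uid=jdoe,ou=people,o=acme", "uid": ["jdoe"], "cn": ["John Doe"],
     "mail": ["jdoe@example.com"], "telephonenumber": ["+1 555 0100"],
     "objectclass": ["inetorgperson", "person"]},
    {"dn": "uid=asmith,ou=people,o=acme", "uid": ["asmith"], "cn": ["Ann Smith"],
     "mail": ["asmith@example.com"], "objectclass": ["inetorgperson", "person"]},
]

def translate_filter(text):
    """Rewrite every '(attr=value)' assertion of an RFC 4515 filter into the backend's
    attribute names and values; the &, | and ! structure passes through unchanged."""
    def leaf(m):
        attr, value = m.group(1).strip().lower(), m.group(2)
        if attr not in ATTR_TO_BACKEND:
            raise ValueError("attribute not exposed by the virtual view: " + attr)
        return "(%s=%s)" % (ATTR_TO_BACKEND[attr], VALUE_TO_BACKEND.get((attr, value.lower()), value))
    return re.sub(r"\(([^()=]+)=([^()]*)\)", leaf, text)

def parse_filter(text):
    """Parse a filter (and/or/not plus equality, presence and '*' substring assertions;
    escaped values are not handled) into a tree; returns (node, unparsed remainder)."""
    if not text.startswith("("):
        raise ValueError("expected '(' at: " + text)
    body = text[1:]
    if body[0] in "&|!":
        op, subs, body = body[0], [], body[1:]
        while body.startswith("("):
            sub, body = parse_filter(body)
            subs.append(sub)
        if not body.startswith(")"):
            raise ValueError("expected ')' at: " + body)
        return (op, subs), body[1:]
    end = body.index(")")
    attr, _, value = body[:end].partition("=")
    return ("=", attr.strip().lower(), value), body[end + 1:]

def matches(node, entry):
    """Evaluate a backend-schema filter tree against one backend entry."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    value = node[2].lower()
    if value == "*":                                     # presence assertion
        return bool(values)
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"  # '*' wildcard
    return any(re.match(pattern, v) for v in values)

def rewrite_dn(dn, old_suffix, new_suffix):
    """Swap the naming-context suffix of a DN (case-insensitive), keeping its RDNs."""
    head = dn[: len(dn) - len(old_suffix)]
    if not dn.lower().endswith(old_suffix.lower()) or (head and not head.endswith(",")):
        raise ValueError("DN outside the mapped namespace: " + dn)
    return head + new_suffix

def virtual_search(requester, base, filter_text, attrs=None, entries=BACKEND_ENTRIES):
    """Serve a search on the virtual namespace for an already-authenticated requester."""
    allowed = RELEASE_RULES.get(requester.lower())
    if allowed is None:
        raise PermissionError("requester has no release rule: " + requester)
    backend_base = rewrite_dn(base, VIRTUAL_SUFFIX, BACKEND_SUFFIX).lower()
    backend_filter, rest = parse_filter(translate_filter(filter_text))
    if rest:
        raise ValueError("trailing data after filter: " + rest)
    wanted = [a.lower() for a in attrs] if attrs else sorted(ATTR_TO_BACKEND)
    results = []
    for entry in entries:
        if not entry["dn"].lower().endswith(backend_base) or not matches(backend_filter, entry):
            continue
        out = {"dn": rewrite_dn(entry["dn"], BACKEND_SUFFIX, VIRTUAL_SUFFIX)}
        for attr in wanted:  # attributes outside the rule are omitted, as an LDAP ACL would
            if attr in allowed and ATTR_TO_BACKEND.get(attr) in entry:
                out[attr] = list(entry[ATTR_TO_BACKEND[attr]])
        results.append(out)
    return results
```

A call such as `virtual_search("cn=portal,ou=apps,dc=example,dc=com", "dc=example,dc=com", "(&(objectClass=user)(sAMAccountName=jdoe))", ["displayName", "mail", "telephoneNumber"])` sends the backend `(&(objectclass=inetorgperson)(uid=jdoe))` under `ou=people,o=acme` and returns the entry as `uid=jdoe,dc=example,dc=com` with only displayname and mail; the same query from the hr-app requester also gets telephonenumber. Two design choices are deliberate: an attribute the virtual view does not map is refused rather than forwarded, so nothing leaks through a mapping gap, and attributes a requester may not receive are silently dropped from the response, which is how LDAP access controls behave and avoids telling a caller what it is not allowed to ask for.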

Migratory patterns

The LDAP mapping described on a relatively small scale in
the previous section can also be applied to the much larger task of directory
migration.

Suppose your organization has jumped aboard the open-source
bandwagon and decided to move from Active Directory to OpenLDAP. This normally
would be a huge undertaking that requires rewriting the directory portion of
every application the organization uses—including any enterprise-wide
applications—with planning requirements that rival landing on the beach at
Normandy.

Virtual directories simplify migration by taking the deadline out of it. The
virtual directory presents one namespace to applications and routes each request
to whichever directory currently holds the account in question, so rather than an
all-or-nothing cutover, the organization can migrate piecemeal, one department or
batch of accounts at a time. The truth is that migration isn't required at all, as
the two systems can be used side by side indefinitely. But if the organization
wants to keep everything clean by making a changeover, virtual directories let it
proceed in an easier, more orderly fashion.

The ins and outs

Another challenge for enterprise applications in multidivision
organizations comes from mergers and acquisitions. If the two merged entities
are allowed to continue acting somewhat autonomously in terms of their IT
infrastructures, the organization may be faced with a situation where part of
the data is managed in-house by one division, and another part is managed by an
outsourcer.

The LDAP proxy capabilities of virtual directories help here
as well. Rather than requiring a single store or infrastructure, virtual
directories can draw from multiple directory environments, over the internal
network and across the Internet, and merge the results. This flexibility is a
tremendous advantage in presenting a single view of data from widely dispersed
sources.
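The routing that both the migration scenario and the multi-environment scenario above rely on, as an added example written for this edit in Python; it is not code from the article or from OctetString. Three in-memory dictionaries stand in for a legacy directory being retired, its replacement, and an outsourcer-run directory for an acquired division. A route table maps each branch of the single virtual namespace to its backends in authority order, so an account that has been copied to the new directory is served and authenticated from there while the legacy copy still exists, accounts not yet copied fall through to the legacy directory, and a search fans out to every backend and returns one entry per virtual DN. The backend names, suffixes, route table, sample accounts and passwords are all constructed for the example.

```python
"""Added example, not from the article or OctetString's products: a virtual-directory
router for piecemeal migration and multi-source aggregation. Applications see one
namespace; the router decides per account which backend currently owns it. The
backends, suffixes, route table and sample accounts are constructed for this example."""
import hashlib
import hmac

def _pw(password):
    """Constructed password hashes for the sample accounts (a stand-in for the backends'
    own password storage, not a recommendation for storing passwords)."""
    return hashlib.sha256(password.encode()).hexdigest()

# Three constructed backends: the legacy directory being retired, its replacement, and an
# outsourcer-run directory for an acquired division that is reached over the Internet.
BACKENDS = {
    "legacy-ad":    {"suffix": "dc=corp,dc=local", "entries": {
        "jdoe":   {"cn": "John Doe",  "mail": "jdoe@example.com",   "pw": _pw("legacy-pass-1")},
        "asmith": {"cn": "Ann Smith", "mail": "asmith@example.com", "pw": _pw("legacy-pass-2")}}},
    "new-openldap": {"suffix": "dc=example,dc=com", "entries": {}},
    "acquired-out": {"suffix": "o=acquired-co", "entries": {
        "bkim":   {"cn": "Bo Kim",    "mail": "bkim@acquired.example", "pw": _pw("partner-pass")}}},
}
VIRTUAL_SUFFIX = "dc=example,dc=com"
# Route table: virtual branch -> backends in authority order. For ou=corp the replacement
# directory is listed first, so an account already copied there is served from it even
# while the legacy copy still exists; accounts not yet copied fall through to legacy-ad.
ROUTES = {"ou=corp": ["new-openldap", "legacy-ad"], "ou=acquired": ["acquired-out"]}

def locate(branch, uid):
    """Return (backend name, entry) for an account under a virtual branch, or (None, None)."""
    for name in ROUTES[branch]:
        entry = BACKENDS[name]["entries"].get(uid)
        if entry is not None:
            return name, entry
    return None, None

def virtual_dn(branch, uid):
    return "uid=%s,%s,%s" % (uid, branch, VIRTUAL_SUFFIX)

def bind(branch, uid, password):
    """Authenticate against whichever backend currently owns the account."""
    _, entry = locate(branch, uid)
    return entry is not None and hmac.compare_digest(entry["pw"], _pw(password))

def search(attr, value):
    """Fan one equality (or '*' presence) search out to every backend, present the hits
    under the virtual namespace, and keep one entry per virtual DN: the authoritative one."""
    hits = {}
    for branch, names in ROUTES.items():
        for name in names:                               # route order = authority order
            for uid, entry in BACKENDS[name]["entries"].items():
                dn = virtual_dn(branch, uid)
                if dn in hits:                           # already served by a higher-authority backend
                    continue
                if value == "*" or entry.get(attr, "").lower() == value.lower():
                    hits[dn] = {"dn": dn, "cn": entry["cn"], "mail": entry["mail"], "source": name}
    return list(hits.values())

def migrate_user(uid):
    """Move one corp account from the legacy directory to its replacement without changing
    what applications see: copy, confirm the router now prefers the copy, then retire the original."""
    old, new = BACKENDS["legacy-ad"]["entries"], BACKENDS["new-openldap"]["entries"]
    new[uid] = dict(old[uid])
    if locate("ou=corp", uid)[0] != "new-openldap":
        raise RuntimeError("router does not prefer the migrated copy; aborting cutover")
    del old[uid]
    return locate("ou=corp", uid)[0]

if __name__ == "__main__":
    print(locate("ou=corp", "jdoe")[0], "->", migrate_user("jdoe"), bind("ou=corp", "jdoe", "legacy-pass-1"))
```

Before `migrate_user("jdoe")` the account binds against legacy-ad; afterwards it binds against new-openldap with the same credentials and the same virtual DN `uid=jdoe,ou=corp,dc=example,dc=com`, which is the property that lets accounts move in batches with no application change. The ordering in the route table is the whole cutover mechanism: copying an entry to the preferred backend flips its authority, and the de-duplication in `search` keeps a dual-present account from showing up twice.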

Howdy (trading) partner

One final scenario comes with extranets or other eBusiness
applications designed to make it easier to work with trading partners. Here you
often have data security and authorization concerns combined with a
multiple-directory environment.

Suppose you work for a manufacturing company that uses
channel partners to sell and purchase raw materials online. The organization
wants a single eBusiness application to manage both sides of the business, and
wants to be able to draw reports and build a dashboard of key performance
indicators for each segment.

On the channel partner side, in order to get the information
you need you have to gain access to the partners’ systems—a trust issue if
there ever was one. Naturally, their biggest concern will be that their data doesn’t
somehow end up in the hands of their competitors. It’s also very unlikely that
all of those partners are using the same directory infrastructure as you.

On the supplier side, you are again faced with a multiple-directory
environment. Since they’re unlikely to change their infrastructure to
accommodate you, it’s up to you to figure out how to access the data in a way
that can be summed, sliced, and diced effectively.

Virtual directories address all of these problems through the
methods discussed previously. They don't store anything permanently, so there's
little risk of data bleeding between partners and no consolidated copy of everyone's
data for an outsider to target. The virtual directory itself still has to be hardened,
since it is the one component with a path into every repository and the place where
the release rules are enforced. And no matter how many different directory products
are being used, it can interface with all of them to present the unified view of data
required for reports.

Get ready to zoom

An inefficient directory infrastructure can bog down a
well-designed enterprise application very quickly. Virtual directory technology
can help you overcome the limitations of your current infrastructure, so your
apps can perform the way they’re designed and intended. Open them up and let
the engines roar.

Clayton Donley is Founder and Chief Technical
Officer of OctetString,
whose Virtual Directory Engine (VDE) Suite and other products allow
organizations to manage user identification quickly and seamlessly. He is an
internationally recognized authority on identity management, and has served as
a consultant on numerous high visibility projects and as an author on the
topic. He can be reached at clayton.donley@octetstring.com.