www.novell.com
Directory Services Market Trends
Gary Hein, Senior Analyst, Burton Group, [email protected]
Agenda
• Brief introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Who Is Burton Group?
• Burton Group provides integrated consulting, advisory, and research services to support technologists who are responsible for decisions and plans related to network technologies, services, products, and vendors
• You know us as…
  • Jamie Lewis, CEO and Research Chair
  • Dan Blum, SVP and Research Director
  • Analysts Gary Hein and Mike Neuenschwander
  • www.burtongroup.com
Directory Market Roadmap
[Diagram: a roadmap that forks at a decision point into two paths, “Directory vendor provides services” and “Others provide services”]
• LDAP matures, creates level playing field
• Developers and vendors adopt LDAP
• LDAP servers become commodities; price and margins decrease
• Innovation around LDAP decreases; innovation moves beyond LDAP standards
• Decision point: rely on directory vendor or others to provide next layer of services?
  • Directory vendor provides services: rely on directory vendor for extended services (policy, access control, config.); potential for reuse of policy, ACL, etc.
  • Others provide services: directory relegated to data repository, so greater choice in products
Directory Market Roadmap (cont.)
[Diagram: both paths of the roadmap lead on to “Directory integration”]
• New standards emerge, may be retrofitted on directory servers (DSML, SAML)
• Directory vendor provides services: highly integrated, directory product specific solutions
• Others provide services: to be directory-agnostic, services must become more intelligent (policy, access controls, configuration)
LDAP: A Blessing and a Curse
• LDAP v3 has provided a ubiquitous access method
• But most LDAP-enabled applications don’t fully leverage the directory
  • Common: identity and authentication verification
  • Uncommon: policy, access controls, configuration
  • Market opinion is that LDAP is “good enough” and future innovation is unnecessary
• This may relegate directories to nothing more than an identity store
Has Innovation Ceased?
• Innovation will continue at a different layer, not driven by the directory vendors
  • LDAP—progress has slowed (if not stopped)
  • DSML—Directory Services Markup Language
    • XML wrapper of LDAP functions
    • Incremental improvement over LDAP
    • Most implementations for exchange of objects, not live query
    • No single vendor is driving (like Netscape with LDAP)
  • SPML—Service Provisioning Markup Language
  • SAML—Security Assertion Markup Language
  • XACML—Extensible Access Control Markup Language
Directory and Infrastructure Vendors Compete for the Customer
[Diagram: basic directory services (LDAP, other APIs/protocols) and advanced/proprietary services at the base; directory vendors and infrastructure vendors both offer the “next-layer” services (…privilege management, policy, configuration…) to the applications above; integrated vs. best-of-breed]
• Higher-level vendors push down on directory Directory-independent, identity repository only Provide higher-level services, like ACLs and policy Examples
• Netegrity—entering portal and provisioning market• IBM/Tivoli—suite of identity-related products
• Directory vendors resisting with integrated suites Novell: iChain®, NPS, DirXML™, ZENworks® Synergy iPlanet: similar product offerings Microsoft: bundled in the Windows .NET Server OS
Directory Decision Point
• Who will you depend on for enhanced services?
  • Best-of-breed?
  • Directory vendor(s)?
  • Directory middleware?
    • Radiant Logic, Calendra, OctetString, Maxware, others
• General metrics
  • Application requirements and integration points
  • Centralized or distributed
  • Directory skill investment
  • Vendor, product, or platform commitment
Agenda
• Brief introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Meta-directory Market Overview
• Identity crisis: defining “meta-directory”
  • Identity data throughout the enterprise as objects and attributes
  • Link or “join” similar objects and synchronize attributes and relationships for the objects
  • Ensure authoritative data sources are the only writers
  • Trigger business processes based on data events
• Similar to other technologies
  • Virtual directory and data access middleware
  • Middleware, enterprise application integration
  • Resource provisioning
Typical Architecture
Meta-directory Market Overview (cont.)
• Several vendors are clearly meta-directory
  • Critical Path, iPlanet, MaXware, Metamerge, Microsoft, Novell, Siemens
• But other sources exist
  • Provisioning vendors overlap to varying degrees
  • Professional services solutions and custom software
• Software market was worth about $100 M in 2001
  • Professional services added another $200 M
  • Demand is slowly rising and unlikely to diminish
Meta-directory Market Assessment
• No single technology provides the full solution
  • Meta-directory—linking and synchronization
  • Virtual directory—views, brokering, access control
  • Provisioning—process management and workflow
  • Directories—identity and access policies
  • Password synchronization—fewer passwords
• Products must evolve and will converge
  • Many meta-directories are too LDAP-centric
  • Better “business quality” data handling
  • Security, backup, restore, and other risk reduction
  • Workflow and business policy engines
Meta-directory Futures
• Near-term: technology improvements
  • Better deployment and administration tools
  • Improved usability
  • More workflow capabilities and provisioning features
  • Synchronization of roles, access controls, groups
  • Increase in the minimum set of connectors included in the product
• Unresolved issues
  • Common data format for connectors? (DSML/XML?)
  • Common password format or provider?
  • How will the technologies converge?
Meta-directory Product Considerations and Criteria
• Join engine
  • Powerful matching rules that are easy to customize
  • Reusable rules (internal and external to the meta-directory)
  • Workflow and business process handling
  • Bi-directional, event-based synchronization (where possible)
• Connectors
  • Mostly application-specific connectivity with generic accesses
  • “Live” connectors are usually better than file exchanges
• Overall
  • Ease of use, manageability, deployment tools
  • Scalability and performance
  • Fit with corporate standards, principles, and expertise
  • Software price is not a good selection criterion
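The join engine described in the Meta-directory Market Overview (link similar objects, synchronize attributes, let only authoritative sources write, raise data events for business processes) and in the Product Considerations slide (customizable matching rules, event-based synchronization), as an added Python example; it is not code from the deck or from any vendor named in it, and the connector names, the attribute-ownership table and the sample records are constructed.

```python
# Constructed: which connector may write each attribute. Attributes with no
# owner listed here are written by whichever connector reports them last.
AUTHORITY = {"name": "hr", "department": "hr", "title": "hr", "mail": "ad"}

def candidate_keys(rec):
    """Matching rule: employee id or normalised e-mail identify one person."""
    keys = set()
    if rec.get("employeeId"):
        keys.add("emp:" + rec["employeeId"].strip().lower())
    if rec.get("mail"):
        keys.add("mail:" + rec["mail"].strip().lower())
    return keys

def join(sources):
    """sources: connector name -> records. Returns (identities, events); the
    events are the data events a business process or workflow could act on."""
    index, identities, events = {}, [], []   # index: candidate key -> identity
    for src, records in sources.items():
        for rec in records:
            keys = candidate_keys(rec)
            if not keys:                       # nothing to match on: never guess
                events.append(("unmatched", src, None, None, rec))
                continue
            hit = next((index[k] for k in keys if k in index), None)
            if hit is None:                    # new joined identity
                hit = {"key": sorted(keys)[0], "attrs": {}, "sources": set()}
                identities.append(hit)
            hit["sources"].add(src)
            for k in keys:                     # any key links later records
                index[k] = hit
            for attr, value in rec.items():
                if attr == "employeeId":       # join key only, not synchronized
                    continue
                owner = AUTHORITY.get(attr)
                if owner is not None and owner != src:
                    events.append(("rejected", src, hit["key"], attr, value))
                    continue                   # non-authoritative write refused
                if hit["attrs"].get(attr) != value:
                    events.append(("changed", src, hit["key"], attr, value))
                    hit["attrs"][attr] = value
    return identities, events

# Constructed sample records: HR owns name/department, AD owns mail.
HR = [{"employeeId": "E100", "name": "Ada Example", "department": "Crypto",
       "mail": "ada@example.com"},
      {"employeeId": "E200", "name": "Bob Example", "department": "Ops"}]
AD = [{"mail": "Ada@Example.com", "name": "A. Example", "department": "Sales"},
      {"employeeId": "e200", "mail": "bob@example.com"}]
```

Running `join({"hr": HR, "ad": AD})` links the stale AD entry for Ada to her HR record through the e-mail key, keeps HR's name and department, takes mail from AD, and records every refused write as a "rejected" event that a workflow could route to a data owner.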
Agenda
• Brief introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Public Identity Services
• Just when you thought you had your internal directory/identity infrastructure resolved…
Business Context
• The issue: using networks to conduct business
  • It’s about inserting your company into customer processes “just in time” to create and add real value
  • Increases operating efficiencies, solidifies customer relationships, opens new markets
  • It’s about delivering personalized services to your customers
  • The network is “opening,” creating a dichotomy: more flexible access, the need for stronger security
  • Inevitable intersection of public, private identity structures
  • Identity and access management, extending to relationship management, remains a strategic issue
  • Effective, cheaper infrastructure for managing identities, access privileges, and relationship information is crucial
Identity and Access Management
The challenge: interoperability and portability
[Diagram: a tightly-coupled, persistent interior (internal systems & data, employees) surrounded by a loosely-coupled, dynamic exterior of extranets and the Internet, populated by less-known partners or xSPs, customers, and unknown users]
Identity and Access Management (cont.)
The answer: integration internally, federation externally
[Diagram: the same interior (internal systems & data, employees) and exterior (extranets, the Internet, less-known partners or xSPs, customers, unknown users), with integration applied internally and federation externally]
Interoperability and Federation
• Internal enterprise issues have not abated
  • Too many directories, fragmented identity infrastructure
  • Error prone, expensive to manage
  • How can enterprises integrate and leverage what they have?
• External B2B issues continue to build
  • Do we have to synchronize every directory on the planet?
  • Or can we make identity and entitlements portable?
  • How will you authenticate users?
  • Do hierarchical trust models work?
  • What standards will emerge? And what about privacy?
What Is Federation
• Just what is federation?
  • Webster’s says it’s a noun related to the adjective “federal,” which it defines as:
    • Formed by a compact between political units that surrender their individual sovereignty to a central authority but retain limited residuary powers of government
    • Of or constituting a form of government in which power is distributed between a central authority and a number of constituent territorial units
  • According to Roget’s II, a federation is:
    • An association, especially of nations for a common cause
    • A group of people united in a relationship and having some interest, activity, or purpose in common
Interoperability and Federation
• What do you mean when you say federation?
  • Passport sounds more like the first definition: a strong central authority with cooperating entities
  • Liberty sounds more like the second definition: loose association; contrasting “federated” and “centralized”
  • Neither has said how they’ll really do this; we eagerly await meaningful detail
• What role will P2P and open source play?
  • P2P appeals to libertarian sensibilities, but will it scale? And who do I sue when a fully decentralized system fails?
  • Open source appeals to those who want a level playing field, but who leads that effort?
Public Identity Services
• There will not be just one
• Will force enterprises to address intersection of enterprise identity/role and public identity
  • If your employees have a Passport or Liberty ID, can they use it internally?
  • If they need a Passport or Liberty ID to access external services to do their jobs, how will you manage those IDs?
  • If a partner’s employees have Passport or Liberty IDs, will you accept them? How will both you and the partner manage those IDs?
Interoperability and Federation
• Some form of federation and interoperability are requirements
  • Microsoft has proposed Kerberos; SAML is MIA
  • Liberty has released precious few details, but claims it won’t re-invent the wheel (does that mean SAML?)
  • AOL has quietly rolled out Magic Carpet, but no word on how federation will work or its intentions to use Liberty
• In short, we are only at the beginning of the discussion, but the market will force interoperability
• But don’t be surprised when it gets ugly
Integrated Directory Services Enable Federation
[Diagram: on the intranet, HR, PKI, custom applications, web, Active Directory, an enterprise directory and an e-biz directory are linked through a meta-directory into federated directory services (internal); on the extranet/Internet side, I&AM services are federated (SAML) with public identity services (Liberty, Passport, UDDI, others)]