www.novell.com

Directory Services Market TrendsDirectory Services Market Trends

Gary HeinSenior AnalystBurton Groupghein@burtongroup.com

Agenda

• Brief introduction• Directory market trends• Meta-directory and provisioning trends• Public identity services• Questions

Who Is Burton Group?

• Burton Group provides integrated consulting, advisory, and research services to support technologists who are responsible for decisions and plans related to network technologies, services, products, and vendors

• You know us as… Jamie Lewis, CEO and Research Chair Dan Blum, SVP and Research Director Analysts Gary Hein and Mike Neuenschwanderwww.burtongroup.

com

Directory Market Roadmap

Directory vendor

provides services

Directory vendor

provides services

Others provide services

Others provide services

LDAP matures creates level playing field

Developers and vendors adopt LDAP

LDAP servers become

commodities

Price and margins decrease

Innovation around LDAP

decreases

Innovation moves

beyond LDAP standards

Decision point:

Rely on directory vendor or

others to provide next

layer of services?

Rely on directory vendor for extended

services (policy, access control,

config.)—potential for reuse of policy, ACL,

etc.

Rely on directory vendor for extended

services (policy, access control,

config.)—potential for reuse of policy, ACL,

etc.

Directory relegated to data repository, so greater choice

in products

Directory relegated to data repository, so greater choice

in products

Directory Market Roadmap

Directory

integration

Directory

integration

New standards emerge, may be

retrofitted on directory servers

(DSML, SAML)

New standards emerge, may be

retrofitted on directory servers

(DSML, SAML)

Directory vendor

provides services

Highly integrated, directory product specific

solutions

Others provide services

To be directory-agnostic,

services must become more

intelligent (policy, access

controls, configuration)

LDAP: A Blessing and a Curse

• LDAP v3 has provided a ubiquitous access method

• But most LDAP-enabled applications don’t fully leverage the directory

Common: identity and authentication verification Uncommon: policy, access controls, configuration Market opinion is that LDAP is “good enough”

and future innovation is unnecessary

• This may relegate directories to nothing more than an identity store

Has Innovation Ceased?

• Innovation will continue at a different layer, not driven by the directory vendors

LDAP—progress has slowed (if not stopped) DSML—Directory Services Markup Language

• XML wrapper of LDAP functions• Incremental improvement over LDAP• Most implementations for exchange of objects, not live

query• No single vendor is driving (like Netscape with LDAP)

SPML—Service Provisioning Markup Language SAML—Security Assertion Markup Language XACML—Extensible Access Control Markup Language

Basic Directory Services

LDAP Other APIs/Protocols

Directory and Infrastructure Vendors Compete for the Customer

Advanced/ Proprietary

Dir

ecto

ry V

end

orsIn

frastructu

re V

end

ors

App

App

App

App

…Privilege Management, Policy, Configuration…

“Next-Layer”

Services

Integrated vs. Best-of-Breed

Battle for Relevancy

• Higher-level vendors push down on directory Directory-independent, identity repository only Provide higher-level services, like ACLs and policy Examples

• Netegrity—entering portal and provisioning market• IBM/Tivoli—suite of identity-related products

• Directory vendors resisting with integrated suites Novell: iChain®, NPS, DirXML™, ZENworks® Synergy iPlanet: similar product offerings Microsoft: bundled in the Windows .NET Server OS

Directory Decision Point

• Who will you depend on for enhanced services?

Best-of-breed? Directory vendor(s)? Directory middleware?

• Radiant Logic, Calendra, OctetString, Maxware, others

• General metrics Application requirements and integration points Centralized or distributed Directory skill investment Vendor, product, or platform commitment

Agenda

• Brief Introduction• Directory market trends• Meta-directory and provisioning trends• Public identity services• Questions

Meta-directory Market Overview

• Identity crisis: defining “meta-directory” Identity data throughout the enterprise as objects and

attributes Link or “join” similar objects and synchronize

attributes and relationships for the objects Ensure authoritative data sources are the only writers Trigger business processes based on data events

• Similar to other technologies Virtual directory and data access middleware Middleware, enterprise application integration Resource provisioning

Typical Architecture

Meta-directory Market Overview

• Several vendors are clearly meta-directory Critical Path, iPlanet, MaXware, Metamerge,

Microsoft, Novell, Siemens

• But other sources exist Provisioning vendors overlap to varying degrees Professional services solutions and custom software

• Software market was worth about $100 M in 2001

Professional services added another $200 M Demand is slowly rising and unlikely to diminish

Meta-directory Market Assessment

• No single technology provides the full solution Meta-directory—linking and synchronization Virtual directory—views, brokering, access control Provisioning—process management and workflow Directories—identity and access policies Password synchronization—fewer passwords

• Products must evolve and will converge Many meta-directories are too LDAP-centric Better “business quality” data handling Security, backup, restore, and other risk reduction Workflow and business policy engines

Meta-directory Futures

• Near-term: technology improvements Better deployment and administration tools Improved usability More workflow capabilities and provisioning features Synchronization of roles, access controls, groups Increase in the minimum set of connectors included

in the product

• Unresolved issues Common data format for connectors? (DSML/XML?) Common password format or provider? How will the technologies converge?

Meta-directory Product Considerations and Criteria

• Join engine Powerful matching rules that are easy to customize Reusable rules (internal and external to the meta-directory) Workflow and business process handling Bi-directional, event-based synchronization (where possible)

• Connectors Mostly application-specific connectivity with generic

accesses “Live” connectors are usually better than file exchanges

• Overall Ease of use, manageability, deployment tools Scalability and performance Fit with corporate standards, principles, and expertise Software price is not a good selection criteria

Agenda

• Brief Introduction• Directory market trends• Meta-directory and provisioning trends• Public identity services• Questions

Public Identity Services

• Just when you thought you had your internal directory/identity infrastructure resolved…

Business Context

• The issue: using networks to conduct business It’s about inserting your company into customer processes

“just in time” to create and add real value Increases operating efficiencies, solidifies customer

relationships, opens new markets It’s about delivering personalized services to your customers The network is “opening,” creating a dichotomy:

more flexible access, the need for stronger security Inevitable intersection of public, private identity structures Identity and access management, extending to relationship

management, remains a strategic issue Effective infrastructure for managing identities, access

privileges, and relationship information cheaper is crucial

Identity and Access Management

The challenge: interoperability and portability

InternalSystems& Data

Less-known

Partner or xSP

Loosely-coupled,Dynamic exterior

Customers

Tightly-coupled,Persistent interior

Employees

Unknown

Extranets

The Internet

Identity and Access Management (cont.)

InternalSystems& Data

Less-known

Partner or xSP

Federation Externally

Customers

Integration Internally

Employees

Unknown

Extranets

The Internet

The answer

Interoperability and Federation

• Internal enterprise issues have not abated• Too many directories, fragmented identity infrastructure• Error prone, expensive to mange• How can enterprises integrate and leverage what they

have?

• External B2B issues continue to build• Do we have to synchronize every directory on the

planet?• Or can we make identity and entitlements portable? • How will you authenticate users?• Do hierarchical trust models work?• What standards will emerge? And what about privacy?

What Is Federation

• Just what is federation? Webster’s says it’s a noun related to the adjective

“federal,” which it defines as:• Formed by a compact between political units that surrender

their individual sovereignty to a central authority but retain limited residuary powers of government

• Of or constituting a form of government in which power is distributed between a central authority and a number of constituent territorial units

According to Roget’s II, a federation is:• An association, especially of nations for a common cause• A group of people united in a relationship and having

some interest, activity, or purpose in common

Interoperability and Federation

• What do you mean when you say federation? Passport sounds more like the first definition

• A strong central authority with cooperating entities Liberty sounds more like the second definition

• Loose association; contrasting “federated” and “centralized” Neither have said how they’ll really do this

• We eagerly wait meaningful detail• What role will P2P and open source play?• P2P appeals to libertarian sensibilities, but will scale?

And who do I sue when a fully decentralized system fails?• Open source appeals to those who want a level playing

field, but who leads that effort?

Public Identity Services

• There will not be just one• Will force enterprises to address intersection

of enterprise identity/role and public identity If your employees have a Passport or Liberty ID,

can they use it internally? If they need a Passport or Liberty ID to access

external services to do their jobs, how will you manage those IDs?

If a partner’s employees have Passport or Liberty IDs, will you accept them? How will both you and the partner manage those IDs?

Interoperability and Federation

• Some form of federation and interoperability are requirements

Microsoft has proposed Kerberos; SAML is MIA Liberty has released precious few details, but claims

it won’t re-invent the wheel (does that mean SAML?) AOL has quietly rolled out Magic Carpet, but no

word on how federation will work or its intentions to use Liberty

In short, we are only at the beginning of the discussion, but the market will force interoperability

But don’t be surprised when it gets ugly

Integrated Directory Services Enable Federation

Extranet/Internet

IntranetActive

Dir.EnterpriseDirectory

E-bizDirectory

PKI

HR

CustomAppl.

E-mail

Web

ActiveDir.

Meta-Directory

Public Identity Services (Liberty, Passport,

UDDI, Others)

FederatedDirectoryServices(internal)

FederatedI&AM

Services(SAML)

I&AM Services