Directory Services Market Trends


Directory Services
Market Trends
www.novell.com
Gary Hein
Senior Analyst
Burton Group
Agenda
• Brief introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Who Is Burton Group?
• Burton Group provides integrated consulting, advisory, and research services to support technologists who are responsible for decisions and plans related to network technologies, services, products, and vendors
• You know us as…
  ▪ Jamie Lewis, CEO and Research Chair
  ▪ Dan Blum, SVP and Research Director
  ▪ Analysts Gary Hein and Mike Neuenschwander
www.burtongroup.com
Directory Market Roadmap
[Flow diagram; box text as extracted]
LDAP matures, creates level playing field
Innovation moves beyond LDAP standards
Developers and vendors adopt LDAP
Innovation around LDAP decreases
Decision point: Rely on directory vendor or others to provide next layer of services?
LDAP servers become commodities
Price and margins decrease
Directory vendor provides services
Others provide services
Directory Market Roadmap
[Flow diagram, continued; box text as extracted]
Directory vendor provides services
Highly integrated, directory product specific solutions
New standards emerge, may be retrofitted on directory servers (DSML, SAML)
Others provide services
To be directory-agnostic, services must become more intelligent (policy, access controls, configuration)
Rely on directory vendor for extended services (policy, access control, config.)—potential for reuse of policy, ACL, etc.
Directory integration
Directory relegated to data repository, so greater choice in products
LDAP: A Blessing and a Curse
• LDAP v3 has provided a ubiquitous access method
• But most LDAP-enabled applications don’t fully leverage the directory
  ▪ Common: identity and authentication verification
  ▪ Uncommon: policy, access controls, configuration
  ▪ Market opinion is that LDAP is “good enough” and future innovation is unnecessary
• This may relegate directories to nothing more than an identity store
Has Innovation Ceased?
• Innovation will continue at a different layer, not driven by the directory vendors
  ▪ LDAP—progress has slowed (if not stopped)
  ▪ DSML—Directory Services Markup Language
    • XML wrapper of LDAP functions
    • Incremental improvement over LDAP
    • Most implementations for exchange of objects, not live query
    • No single vendor is driving (like Netscape with LDAP)
  ▪ SPML—Service Provisioning Markup Language
  ▪ SAML—Security Assertion Markup Language
  ▪ XACML—Extensible Access Control Markup Language
Directory and Infrastructure Vendors Compete for the Customer
Integrated vs. Best-of-Breed
[Diagram labels: LDAP; Basic Directory Services; Directory Vendors; App (four boxes); Infrastructure Vendors; Privilege Management, Policy, Configuration…; Other APIs/Protocols; Advanced/Proprietary “Next-Layer” Services]
Battle for Relevancy
• Higher-level vendors push down on directory
  ▪ Directory-independent, identity repository only
  ▪ Provide higher-level services, like ACLs and policy
  ▪ Examples
    • Netegrity—entering portal and provisioning market
    • IBM/Tivoli—suite of identity-related products
• Directory vendors resisting with integrated suites
  ▪ Novell: iChain®, NPS, DirXML™, ZENworks® Synergy
  ▪ iPlanet: similar product offerings
  ▪ Microsoft: bundled in the Windows .NET Server OS
Directory Decision Point
• Who will you depend on for enhanced services?
  ▪ Best-of-breed?
  ▪ Directory vendor(s)?
  ▪ Directory middleware?
    • Radiant Logic, Calendra, OctetString, Maxware, others
• General metrics
  ▪ Application requirements and integration points
  ▪ Centralized or distributed
  ▪ Directory skill investment
  ▪ Vendor, product, or platform commitment
Agenda
• Brief introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Meta-directory Market Overview
• Identity crisis: defining “meta-directory”
  ▪ Identity data throughout the enterprise as objects and attributes
  ▪ Link or “join” similar objects and synchronize attributes and relationships for the objects
  ▪ Ensure authoritative data sources are the only writers
  ▪ Trigger business processes based on data events
• Similar to other technologies
  ▪ Virtual directory and data access middleware
  ▪ Middleware, enterprise application integration
  ▪ Resource provisioning
Typical Architecture
Meta-directory Market Overview
• Several vendors are clearly meta-directory
  ▪ Critical Path, iPlanet, MaXware, Metamerge, Microsoft, Novell, Siemens
• But other sources exist
  ▪ Provisioning vendors overlap to varying degrees
  ▪ Professional services solutions and custom software
• Software market was worth about $100 M in 2001
  ▪ Professional services added another $200 M
  ▪ Demand is slowly rising and unlikely to diminish
Meta-directory Market Assessment
• No single technology provides the full solution
  ▪ Meta-directory—linking and synchronization
  ▪ Virtual directory—views, brokering, access control
  ▪ Provisioning—process management and workflow
  ▪ Directories—identity and access policies
  ▪ Password synchronization—fewer passwords
• Products must evolve and will converge
  ▪ Many meta-directories are too LDAP-centric
  ▪ Better “business quality” data handling
  ▪ Security, backup, restore, and other risk reduction
  ▪ Workflow and business policy engines
Meta-directory Futures
• Near-term: technology improvements
  ▪ Better deployment and administration tools
  ▪ Improved usability
  ▪ More workflow capabilities and provisioning features
  ▪ Synchronization of roles, access controls, groups
  ▪ Increase in the minimum set of connectors included in the product
• Unresolved issues
  ▪ Common data format for connectors? (DSML/XML?)
  ▪ Common password format or provider?
  ▪ How will the technologies converge?
Meta-directory Product
Considerations and Criteria
• Join engine
  ▪ Powerful matching rules that are easy to customize
  ▪ Reusable rules (internal and external to the meta-directory)
  ▪ Workflow and business process handling
  ▪ Bi-directional, event-based synchronization (where possible)
• Connectors
  ▪ Mostly application-specific connectivity with generic accesses
  ▪ “Live” connectors are usually better than file exchanges
• Overall
  ▪ Ease of use, manageability, deployment tools
  ▪ Scalability and performance
  ▪ Fit with corporate standards, principles, and expertise
  ▪ Software price is not a good selection criterion
Agenda
• Brief introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Public Identity Services
• Just when you thought you had your internal directory/identity infrastructure resolved…
Business Context
• The issue: using networks to conduct business
  ▪ It’s about inserting your company into customer processes “just in time” to create and add real value
  ▪ Increases operating efficiencies, solidifies customer relationships, opens new markets
  ▪ It’s about delivering personalized services to your customers
  ▪ The network is “opening,” creating a dichotomy: more flexible access, the need for stronger security
  ▪ Inevitable intersection of public, private identity structures
  ▪ Identity and access management, extending to relationship management, remains a strategic issue
  ▪ Effective infrastructure for managing identities, access privileges, and relationship information more cheaply is crucial
Identity and Access Management
The challenge: interoperability and portability
[Diagram labels: Tightly-coupled, Persistent interior; Loosely-coupled, Dynamic exterior; Extranets; Internal Systems & Data; Employees; The Internet; Partner or xSP; Customers; Less-known; Unknown]
Identity and Access Management (cont.)
The answer: integration internally, federation externally
[Diagram labels: Integration Internally; Federation Externally; Extranets; Internal Systems & Data; Employees; The Internet; Partner or xSP; Customers; Less-known; Unknown]
Interoperability and Federation
• Internal enterprise issues have not abated
  • Too many directories, fragmented identity infrastructure
  • Error prone, expensive to manage
  • How can enterprises integrate and leverage what they have?
• External B2B issues continue to build
  • Do we have to synchronize every directory on the planet?
  • Or can we make identity and entitlements portable?
  • How will you authenticate users?
  • Do hierarchical trust models work?
  • What standards will emerge? And what about privacy?
What Is Federation
• Just what is federation?
  ▪ Webster’s says it’s a noun related to the adjective “federal,” which it defines as:
    • Formed by a compact between political units that surrender their individual sovereignty to a central authority but retain limited residuary powers of government
    • Of or constituting a form of government in which power is distributed between a central authority and a number of constituent territorial units
  ▪ According to Roget’s II, a federation is:
    • An association, especially of nations for a common cause
    • A group of people united in a relationship and having some interest, activity, or purpose in common
Interoperability and Federation
• What do you mean when you say federation?
  ▪ Passport sounds more like the first definition
    • A strong central authority with cooperating entities
  ▪ Liberty sounds more like the second definition
    • Loose association; contrasting “federated” and “centralized”
  ▪ Neither has said how they’ll really do this
    • We eagerly await meaningful detail
• What role will P2P and open source play?
  • P2P appeals to libertarian sensibilities, but will it scale? And who do I sue when a fully decentralized system fails?
  • Open source appeals to those who want a level playing field, but who leads that effort?
Public Identity Services
• There will not be just one
• Will force enterprises to address intersection of enterprise identity/role and public identity
  ▪ If your employees have a Passport or Liberty ID, can they use it internally?
  ▪ If they need a Passport or Liberty ID to access external services to do their jobs, how will you manage those IDs?
  ▪ If a partner’s employees have Passport or Liberty IDs, will you accept them? How will both you and the partner manage those IDs?
Interoperability and Federation
• Some form of federation and interoperability are requirements
  ▪ Microsoft has proposed Kerberos; SAML is MIA
  ▪ Liberty has released precious few details, but claims it won’t re-invent the wheel (does that mean SAML?)
  ▪ AOL has quietly rolled out Magic Carpet, but no word on how federation will work or its intentions to use Liberty
  ▪ In short, we are only at the beginning of the discussion, but the market will force interoperability
  ▪ But don’t be surprised when it gets ugly
Integrated Directory Services Enable Federation
[Architecture diagram; labels: Federated Directory Services (internal); Intranet; Custom Appl.; HR; PKI; Federated I&AM Services (SAML); Extranet/Internet; E-mail; Meta-Directory; Active Dir.; Enterprise Directory; E-biz Directory; I&AM Services; Web; Active Dir.; Public Identity Services (Liberty, Passport, UDDI, Others)]