www.novell.com
Directory Services Market Trends
Gary Hein
Senior Analyst
Burton Group
[email protected]
Agenda
• Brief Introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Who is Burton Group?
• Burton Group provides integrated consulting, advisory, and research services to support technologists who are responsible for decisions and plans related to network technologies, services, products, and vendors
• You know us as…
  - Jamie Lewis, CEO and Research Chair
  - Dan Blum, SVP and Research Director
  - Analysts Gary Hein and Mike Neuenschwander
www.burtongroup.com
Directory Market Roadmap
[Flow diagram]
• LDAP matures, creates level playing field
• Developers and vendors adopt LDAP
• LDAP servers become commodities
• Price and margins decrease
• Innovation around LDAP decreases
• Innovation moves beyond LDAP standards
• Decision Point: Rely on directory vendor or others to provide next layer of services?
  - Directory vendor provides services: Rely on directory vendor for extended services (policy, access control, config). Potential for reuse of policy, ACL, etc.
  - Others provide services: Directory relegated to data repository, so greater choice in products
Directory Market Roadmap
[Flow diagram, continued]
• Directory Integration
• New standards emerge, may be retrofitted on directory servers (DSML, SAML)
• Directory vendor provides services: Highly integrated, directory product specific solutions
• Others provide services: To be directory-agnostic, services must become more intelligent (policy, access controls, configuration)
LDAP: A Blessing and a Curse
• LDAP v3 has provided a ubiquitous access method
• But most LDAP-enabled applications don’t fully leverage the directory
  - Common: identity and authentication verification
  - Uncommon: policy, access controls, configuration
  - Market opinion is that LDAP is “good enough” and future innovation is unnecessary
• This may relegate directories to nothing more than an identity store
Has Innovation Ceased?
• Innovation will continue at a different layer, NOT driven by the directory vendors
  - LDAP – progress has slowed (if not stopped)
  - DSML – Directory Services Markup Language
    • XML wrapper of LDAP functions
    • Incremental improvement over LDAP
    • Most implementations for exchange of objects, not live query
  - No single vendor is driving (like Netscape with LDAP)
  - SPML – Service Provisioning Markup Language
  - SAML – Security Assertion Markup Language
  - XACML – Extensible Access Control Markup Language
Directory and Infrastructure Vendors Compete for the Customer
[Diagram labels: Basic Directory Services; LDAP; Other APIs / Protocols; Advanced / Proprietary; Directory Vendors; Infrastructure Vendors; App (×4); “Next-Layer” Services: …Privilege Management, Policy, Configuration…]
Integrated vs. Best-of-Breed
Battle for Relevancy
• Higher-level vendors push down on directory
  - Directory-independent, identity repository only
  - Provide higher-level services, like ACLs and policy
  - Examples
    • Netegrity – entering portal and provisioning market
    • IBM / Tivoli – suite of identity-related products
• Directory vendors resisting with integrated suites
  - Novell: iChain, NPS, DirXML, ZENworks Synergy
  - iPlanet: similar product offerings
  - Microsoft: bundled in the Windows .NET Server OS
Directory Decision Point
• Who will you depend on for enhanced services?
  - Best-of-breed?
  - Directory vendor(s)?
  - Directory middleware?
    • Radiant Logic, Calendra, OctetString, Maxware, others
• General metrics
  - Application requirements and integration points
  - Centralized or distributed
  - Directory skill investment
  - Vendor, product, or platform commitment
Agenda
• Brief Introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Meta-directory Market Overview
• Identity crisis: defining “meta-directory”
  - Identity data throughout the enterprise as objects and attributes
  - Link or “join” similar objects and synchronize attributes and relationships for the objects
  - Ensure authoritative data sources are the only writers
  - Trigger business processes based on data events
• Similar to other technologies
  - Virtual directory and data access middleware
  - Middleware, enterprise application integration
  - Resource provisioning
Typical Architecture
Meta-directory Market Overview
• Several vendors are clearly meta-directory
  - Critical Path, iPlanet, MaXware, Metamerge, Microsoft, Novell, Siemens
• But other sources exist
  - Provisioning vendors overlap to varying degrees
  - Professional services solutions and custom software
• Software market was worth about $100 M in 2001
  - Professional services added another $200 M
  - Demand is slowly rising and unlikely to diminish
Meta-directory Market Assessment
• No single technology provides the full solution
  - Meta-directory - linking and synchronization
  - Virtual directory - views, brokering, access control
  - Provisioning - process management and workflow
  - Directories - identity and access policies
  - Password synchronization - fewer passwords
• Products must evolve and will converge
  - Many meta-directories are too LDAP-centric
  - Better “business quality” data handling
  - Security, backup, restore, and other risk reduction
  - Workflow and business policy engines
Meta-directory Futures
• Near-term: technology improvements
  - Better deployment and administration tools
  - Improved usability
  - More workflow capabilities and provisioning features
  - Synchronization of roles, access controls, groups
  - Increase in the minimum set of connectors included in the product
• Unresolved issues
  - Common data format for connectors? (DSML/XML?)
  - Common password format or provider?
  - How will the technologies converge?
Meta-directory Product Considerations and Criteria
Join engine
• Powerful matching rules that are easy to customize
• Reusable rules (internal and external to the meta-directory)
• Workflow and business process handling
• Bi-directional, event-based synchronization (where possible)
Connectors
• Mostly application-specific connectivity with generic accesses
• “Live” connectors are usually better than file exchanges
Overall
• Ease of use, manageability, deployment tools
• Scalability and performance
• Fit with corporate standards, principles, and expertise
• Software price is not a good selection criterion!
Agenda
• Brief Introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions
Public Identity Services
• Just when you thought you had your internal directory/identity infrastructure resolved….
Business Context
The issue: Using networks to conduct business
• It’s about inserting your company into customer processes “just in time” to create and add real value
• Increases operating efficiencies, solidifies customer relationships, opens new markets
• It’s about delivering personalized services to your customers
• The network is “opening,” creating a dichotomy: more flexible access, the need for stronger security
• Inevitable intersection of public, private identity structures
• Identity and access management, extending to relationship management, remains a strategic issue
• Effective, cheaper infrastructure for managing identities, access privileges, and relationship information is crucial
Identity and Access Management
The challenge: Interoperability and portability
[Diagram labels: Internal Systems & Data; Tightly-coupled, Persistent interior; Employees; Extranets; Less-known Partner or xSP; Loosely-coupled, Dynamic exterior; Customers; Unknown; The Internet]
Identity and Access Management
The answer
[Diagram labels: Internal Systems & Data; Integration Internally; Employees; Extranets; Less-known Partner or xSP; Federation Externally; Customers; Unknown; The Internet]
Interoperability and Federation
• Internal enterprise issues have not abated
  • Too many directories, fragmented identity infrastructure
  • Error prone, expensive to manage
  • How can enterprises integrate and leverage what they have?
• External B2B issues continue to build
  • Do we have to synchronize every directory on the planet?
  • Or can we make identity and entitlements portable?
  • How will you authenticate users?
  • Do hierarchical trust models work?
  • What standards will emerge? And what about privacy?
What is Federation
• Just what is federation?
  - Webster’s says it’s a noun related to the adjective “federal,” which it defines as:
    • Formed by a compact between political units that surrender their individual sovereignty to a central authority but retain limited residuary powers of government;
    • Of or constituting a form of government in which power is distributed between a central authority and a number of constituent territorial units
  - According to Roget’s II, a federation is
    • An association, especially of nations for a common cause
    • A group of people united in a relationship and having some interest, activity, or purpose in common
Interoperability and Federation
• What do you mean when you say federation?
  - Passport sounds more like the first definition
    • A strong central authority with cooperating entities
  - Liberty sounds more like the second definition
    • Loose association; contrasting “federated” and “centralized”
  - Neither has said how they’ll really do this
    • We eagerly await meaningful detail
    • What role will P2P and open source play?
    • P2P appeals to libertarian sensibilities, but will it scale? And who do I sue when a fully decentralized system fails?
    • Open source appeals to those who want a level playing field, but who leads that effort?
Public Identity Services
• There will not be just one
• Will force enterprises to address intersection of enterprise identity/role and public identity
  - If your employees have a Passport or Liberty ID, can they use it internally?
  - If they need a Passport or Liberty ID to access external services to do their jobs, how will you manage those IDs?
  - If a partner’s employees have Passport or Liberty IDs, will you accept them? How will both you and the partner manage those IDs?
Interoperability and Federation
• Some form of federation and interoperability are requirements
  - Microsoft has proposed Kerberos; SAML is MIA
  - Liberty has released precious few details, but claims it won’t re-invent the wheel (does that mean SAML?)
  - AOL has quietly rolled out Magic Carpet, but no word on how federation will work or its intentions to use Liberty
  - In short, we are only at the beginning of the discussion, but the market will force interoperability
  - But don’t be surprised when it gets ugly
Integrated Directory Services Enable Federation
[Diagram labels: Extranet/Internet; Intranet; Active Dir.; Enterprise Directory; E-biz Directory; PKI; HR; Custom Appl.; Web; Active Dir.; Meta-Directory; Public Identity Services (Liberty, Passport, UDDI, Others); Federated Directory Services (internal); Federated I&AM Services (SAML); I&AM Services]