www.novell.com Directory Services Market Trends Gary Hein Senior Analyst Burton Group [email protected]

Directory Services Market Trends


Page 1: Directory Services  Market Trends

www.novell.com

Directory Services Market Trends

Gary Hein
Senior Analyst
Burton Group
[email protected]

Page 2: Directory Services  Market Trends

Agenda

• Brief Introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions

Page 3: Directory Services  Market Trends

Who is Burton Group?

• Burton Group provides integrated consulting, advisory, and research services to support technologists who are responsible for decisions and plans related to network technologies, services, products, and vendors

• You know us as…
  • Jamie Lewis, CEO and Research Chair
  • Dan Blum, SVP and Research Director
  • Analysts Gary Hein and Mike Neuenschwander

www.burtongroup.com

Page 4: Directory Services  Market Trends

Directory Market Roadmap

• LDAP matures, creates level playing field
• Developers and vendors adopt LDAP
• LDAP servers become commodities
• Price and margins decrease
• Innovation around LDAP decreases
• Innovation moves beyond LDAP standards
• Decision Point: Rely on directory vendor or others to provide next layer of services?
  • Directory vendor provides services
  • Others provide services

Page 5: Directory Services  Market Trends

Directory Market Roadmap

Directory Integration

• Directory vendor provides services
  • Highly integrated, directory product specific solutions
  • Rely on directory vendor for extended services (policy, access control, config). Potential for reuse of policy, ACL, etc.
• Others provide services
  • To be directory-agnostic, services must become more intelligent (policy, access controls, configuration)
  • Directory relegated to data repository, so greater choice in products
• New standards emerge, may be retrofitted on directory servers (DSML, SAML)

Page 6: Directory Services  Market Trends

LDAP: A Blessing and a Curse

• LDAP v3 has provided a ubiquitous access method

• But most LDAP-enabled applications don’t fully leverage the directory

  • Common: identity and authentication verification
  • Uncommon: policy, access controls, configuration
  • Market opinion is that LDAP is “good enough” and future innovation is unnecessary

• This may relegate directories to nothing more than an identity store

Page 7: Directory Services  Market Trends

Has Innovation Ceased?

• Innovation will continue at a different layer, NOT driven by the directory vendors

  • LDAP – progress has slowed (if not stopped)
  • DSML – Directory Services Markup Language
    • XML wrapper of LDAP functions
    • Incremental improvement over LDAP
    • Most implementations for exchange of objects, not live query
  • No single vendor is driving (like Netscape with LDAP)
  • SPML – Service Provisioning Markup Language
  • SAML – Security Assertion Markup Language
  • XACML – Extensible Access Control Markup Language

Page 8: Directory Services  Market Trends

Directory and Infrastructure Vendors Compete for the Customer

[Diagram labels: Basic Directory Services; LDAP; Other APIs / Protocols; Advanced / Proprietary; Directory Vendors; Infrastructure Vendors; App (×4); “Next-Layer” Services (…Privilege Management, Policy, Configuration…); Integrated vs. Best-of-Breed]

Page 9: Directory Services  Market Trends

Battle for Relevancy

• Higher-level vendors push down on directory
  • Directory-independent, identity repository only
  • Provide higher-level services, like ACLs and policy
  • Examples
    • Netegrity – entering portal and provisioning market
    • IBM / Tivoli – suite of identity-related products
• Directory vendors resisting with integrated suites
  • Novell: iChain, NPS, DirXML, ZENworks Synergy
  • iPlanet: similar product offerings
  • Microsoft: bundled in the Windows .NET Server OS

Page 10: Directory Services  Market Trends

Directory Decision Point

• Who will you depend on for enhanced services?
  • Best-of-breed?
  • Directory vendor(s)?
  • Directory middleware?
    • Radiant Logic, Calendra, OctetString, Maxware, others
• General metrics
  • Application requirements and integration points
  • Centralized or distributed
  • Directory skill investment
  • Vendor, product, or platform commitment

Page 11: Directory Services  Market Trends

Agenda

• Brief Introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions

Page 12: Directory Services  Market Trends

Meta-directory Market Overview

• Identity crisis: defining “meta-directory”
  • Identity data throughout the enterprise as objects and attributes
  • Link or “join” similar objects and synchronize attributes and relationships for the objects
  • Ensure authoritative data sources are the only writers
  • Trigger business processes based on data events
• Similar to other technologies
  • Virtual directory and data access middleware
  • Middleware, enterprise application integration
  • Resource provisioning

Page 13: Directory Services  Market Trends

Typical Architecture

Page 14: Directory Services  Market Trends

Meta-directory Market Overview

• Several vendors are clearly meta-directory
  • Critical Path, iPlanet, MaXware, Metamerge, Microsoft, Novell, Siemens
• But other sources exist
  • Provisioning vendors overlap to varying degrees
  • Professional services solutions and custom software
• Software market was worth about $100 M in 2001
  • Professional services added another $200 M
  • Demand is slowly rising and unlikely to diminish

Page 15: Directory Services  Market Trends

Meta-directory Market Assessment

• No single technology provides the full solution
  • Meta-directory - linking and synchronization
  • Virtual directory - views, brokering, access control
  • Provisioning - process management and workflow
  • Directories - identity and access policies
  • Password synchronization - fewer passwords
• Products must evolve and will converge
  • Many meta-directories are too LDAP-centric
  • Better “business quality” data handling
  • Security, backup, restore, and other risk reduction
  • Workflow and business policy engines

Page 16: Directory Services  Market Trends

Meta-directory Futures

• Near-term: technology improvements
  • Better deployment and administration tools
  • Improved usability
  • More workflow capabilities and provisioning features
  • Synchronization of roles, access controls, groups
  • Increase in the minimum set of connectors included in the product
• Unresolved issues
  • Common data format for connectors? (DSML/XML?)
  • Common password format or provider?
  • How will the technologies converge?

Page 17: Directory Services  Market Trends

Meta-directory Product Considerations and Criteria

Join engine
• Powerful matching rules that are easy to customize
• Reusable rules (internal and external to the meta-directory)
• Workflow and business process handling
• Bi-directional, event-based synchronization (where possible)

Connectors
• Mostly application-specific connectivity with generic accesses
• “Live” connectors are usually better than file exchanges

Overall
• Ease of use, manageability, deployment tools
• Scalability and performance
• Fit with corporate standards, principles, and expertise
• Software price is not a good selection criterion!

Page 18: Directory Services  Market Trends

Agenda

• Brief Introduction
• Directory market trends
• Meta-directory and provisioning trends
• Public identity services
• Questions

Page 19: Directory Services  Market Trends

Public Identity Services

• Just when you thought you had your internal directory/identity infrastructure resolved….

Page 20: Directory Services  Market Trends

Business Context

The issue: Using networks to conduct business
• It’s about inserting your company into customer processes “just in time” to create and add real value
• Increases operating efficiencies, solidifies customer relationships, opens new markets
• It’s about delivering personalized services to your customers
• The network is “opening,” creating a dichotomy: more flexible access, the need for stronger security
• Inevitable intersection of public, private identity structures
• Identity and access management, extending to relationship management, remains a strategic issue
• Effective infrastructure for managing identities, access privileges, and relationship information cheaper is crucial

Page 21: Directory Services  Market Trends

Identity and Access Management

The challenge: Interoperability and portability

[Diagram labels: Internal Systems & Data; Employees; Tightly-coupled, Persistent interior; Extranets; Less-known Partner or xSP; Customers; Loosely-coupled, Dynamic exterior; The Internet; Unknown]

Page 22: Directory Services  Market Trends

Identity and Access Management

The answer

[Diagram labels: Internal Systems & Data; Employees; Integration Internally; Extranets; Less-known Partner or xSP; Customers; Federation Externally; The Internet; Unknown]

Page 23: Directory Services  Market Trends

Interoperability and Federation

• Internal enterprise issues have not abated
  • Too many directories, fragmented identity infrastructure
  • Error prone, expensive to manage
  • How can enterprises integrate and leverage what they have?
• External B2B issues continue to build
  • Do we have to synchronize every directory on the planet?
  • Or can we make identity and entitlements portable?
  • How will you authenticate users?
  • Do hierarchical trust models work?
  • What standards will emerge? And what about privacy?

Page 24: Directory Services  Market Trends

What is Federation

• Just what is federation?
  • Webster’s says it’s a noun related to the adjective “federal,” which it defines as:
    • Formed by a compact between political units that surrender their individual sovereignty to a central authority but retain limited residuary powers of government;
    • Of or constituting a form of government in which power is distributed between a central authority and a number of constituent territorial units
  • According to Roget’s II, a federation is
    • An association, especially of nations for a common cause
    • A group of people united in a relationship and having some interest, activity, or purpose in common

Page 25: Directory Services  Market Trends

Interoperability and Federation

• What do you mean when you say federation?
  • Passport sounds more like the first definition
    • A strong central authority with cooperating entities
  • Liberty sounds more like the second definition
    • Loose association; contrasting “federated” and “centralized”
  • Neither has said how they’ll really do this
    • We eagerly await meaningful detail
    • What role will P2P and open source play?
    • P2P appeals to libertarian sensibilities, but will it scale? And who do I sue when a fully decentralized system fails?
    • Open source appeals to those who want a level playing field, but who leads that effort?

Page 26: Directory Services  Market Trends

Public Identity Services

• There will not be just one
• Will force enterprises to address intersection of enterprise identity/role and public identity
  • If your employees have a Passport or Liberty ID, can they use it internally?
  • If they need a Passport or Liberty ID to access external services to do their jobs, how will you manage those IDs?
  • If a partner’s employees have Passport or Liberty IDs, will you accept them? How will both you and the partner manage those IDs?

Page 27: Directory Services  Market Trends

Interoperability and Federation

• Some form of federation and interoperability are requirements

  • Microsoft has proposed Kerberos; SAML is MIA
  • Liberty has released precious few details, but claims it won’t re-invent the wheel (does that mean SAML?)
  • AOL has quietly rolled out Magic Carpet, but no word on how federation will work or its intentions to use Liberty
  • In short, we are only at the beginning of the discussion, but the market will force interoperability
  • But don’t be surprised when it gets ugly

Page 28: Directory Services  Market Trends

Integrated Directory Services Enable Federation

[Diagram labels: Extranet/Internet; Intranet; Active Dir. (×2); Enterprise Directory; E-biz Directory; PKI; HR; Custom Appl.; E-mail; Web; Meta-Directory; Public Identity Services (Liberty, Passport, UDDI, Others); Federated Directory Services (internal); Federated I&AM Services (SAML); I&AM Services]

Page 29: Directory Services  Market Trends