1 Introduction
With all the innovation in other components of the IAM stack it’s easy to dismiss the directory of user identities as simply a repository. Yes, it should be reliable, it should have an LDAP interface and it should be secure, but basically it’s just a database. This dismissal is shortsighted, however, as it ignores the potential of the Directory to serve an integrating function that maximizes the value of one of the most critical assets of today’s large enterprises: their diverse collection of identity information.
In the past, companies had large enterprise directories that they used to manage all their staff and contractors. The directory was typically provisioned from the HR system or contractor management system and was used to control access to corporate applications. Then along came Microsoft AD, which became the authentication source for employee access to the corporate network, on-premises Windows apps and print services. Some organizations tried to make AD their enterprise directory, but this never quite worked. An authentication directory and an enterprise directory have different priorities. The former is a mission-critical piece of infrastructure with administrators who, quite rightly, can be very restrictive about modifications to the system such as schema changes. The latter should be a business-focused application flexible enough to accommodate the rapidly changing and quite variable requirements of line-of-business applications, reorganizations, and compliance. In an enterprise directory, if an additional attribute is required, or if an application moves to the Cloud, or there’s a merger, there should be no constraints on how or when identity information can be structured or presented.
The Cloud, mobility and the requirement to support the hybrid computing environment have made managing identity information significantly more complex. We now have multiple applications in the Cloud that need identity information, but proliferating identity stores in the Cloud is a significant corporate risk. Moreover, enterprises want a unified view of both their employees and customers, but relevant information on the same individual is created and maintained in multiple databases or directories, none of which was designed to feed an enterprise identity repository.
As the amount of identity information collected and used by enterprises grows—in volume, variety of individual attributes, and number of information sources and consuming systems—identity information quality has emerged as a distinct management issue. Lack of systems and processes to maintain identity information quality exposes the enterprise to both security and compliance risks. It also leaves the enterprise dependent on slow and costly manual or custom-scripted methods for synchronizing identity information across diverse source and consuming systems.
So where does this leave the Directory? Quite possibly, it should be firmly in the center of the enterprise IAM architecture. It should be the unified “source of truth” for all identity attributes of an individual that are known to the enterprise. It must be able to model complex (and changing) relationships between persons, roles, work groups, devices and things. It must support a variety of protocols, both for output to applications and for input from sources of identity information. It must be able to determine when identity information in different systems refers to the same individual despite the lack of a common record identifier. It must be able to transform formats and attribute semantics. It must keep identity information in multiple source and consuming systems in sync automatically. It must scale to accommodate customer identity information as well as that of employees, wherever located. And it must be current, available, and fast.
Radiant Logic is headquartered in Novato, California (near San Francisco), with other US offices in New York, Washington DC and Chicago, and offices in Barcelona with partnerships throughout Europe. It was founded in 2000 and pioneered the idea of the “virtual directory.” A virtual directory uses caching and identifier-matching techniques to bring together user identity information from multiple repositories at access-request time and serve it to an application, without ever instantiating all user identity information as a separate repository. Radiant Logic’s target market is Fortune-1000 companies that typically have widely distributed operations and many diverse repositories of employee and customer identity information. The company claims 145 customers, with about 80 percent of its business in the US. Radiant Logic is designed to work in conjunction with other IAM products: for example, it does not offer core IAM functions like authentication or application-account provisioning. Given this positioning, it is often brought into a project by a technology partner—an IAM suite vendor or an integrator—to deal with particularly complex environments without requiring the creation of customized coding or scripting to integrate systems and normalize identity data across the enterprise.
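To make the requirements in the two preceding paragraphs concrete (matching records that share no common identifier, transforming attribute semantics, and serving a cached merged view at request time), the following is an added illustration written for this page; it is not Radiant Logic code and does not reflect how the product is implemented. It assumes two constructed sources, an HR feed and an AD export, with made-up records, attribute names and status codes, and shows a toy identifier-matching join plus the identity-quality checks a defender would run over the result (terminated staff who still hold an account, accounts with no owner, and weak matches that need human review).

```python
"""
Toy virtual-directory join: correlate two identity sources that share no
common key, normalise attribute semantics, and cache the merged view.
Added example for this page, not Radiant Logic code. All records are
constructed sample data; attribute names and status codes are assumptions.
"""
import time
import unicodedata

# Constructed HR records: HR keys on its own employee id and uses one-letter status codes.
HR_RECORDS = [
    {"emp_id": "10042", "given": "Ana", "surname": "Souza", "email": "Ana.Souza@Example.com", "status": "A"},
    {"emp_id": "10077", "given": "Liu", "surname": "Wei", "email": "liu.wei@example.com", "status": "T"},
    {"emp_id": "10091", "given": "Jose", "surname": "Garcia", "email": "", "status": "A"},
]

# Constructed AD records: AD keys on sAMAccountName and carries no employee id.
AD_RECORDS = [
    {"sam": "asouza", "mail": "ana.souza@example.com", "sn": "Souza", "givenName": "Ana", "memberOf": ["VPN-Users"]},
    {"sam": "wliu", "mail": "liu.wei@example.com", "sn": "Wei", "givenName": "Liu", "memberOf": ["Finance"]},
    {"sam": "jgarcia", "mail": "", "sn": "García", "givenName": "José", "memberOf": ["VPN-Users"]},
    {"sam": "svc-backup", "mail": "", "sn": "", "givenName": "", "memberOf": ["Domain Admins"]},
]

# Assumed mapping from HR status codes to neutral values consuming apps can rely on.
STATUS_MAP = {"A": "active", "T": "terminated"}


def normalise(value):
    """Lower-case, strip accents and surrounding whitespace so match keys compare reliably."""
    text = unicodedata.normalize("NFKD", value or "")
    return "".join(c for c in text if not unicodedata.combining(c)).strip().lower()


def correlate(hr_records, ad_records):
    """Return (profiles, unmatched_ad): merged profiles plus AD accounts no HR record claims."""
    # Index AD by two candidate keys: normalised mail (strong) and name pair (weak).
    by_mail = {normalise(r["mail"]): r for r in ad_records if r["mail"]}
    by_name = {(normalise(r["givenName"]), normalise(r["sn"])): r for r in ad_records if r["sn"]}
    profiles, claimed = [], set()
    for hr in hr_records:
        ad, confidence = None, None
        key = normalise(hr["email"])
        if key and key in by_mail:
            ad, confidence = by_mail[key], "strong"
        else:
            ad = by_name.get((normalise(hr["given"]), normalise(hr["surname"])))
            confidence = "weak" if ad else None
        if ad:
            claimed.add(ad["sam"])
        profiles.append({
            "uid": "hr:" + hr["emp_id"],                         # global id derived from the authoritative source
            "displayName": hr["given"] + " " + hr["surname"],
            "status": STATUS_MAP.get(hr["status"], "unknown"),  # HR code transformed to a neutral value
            "adAccount": ad["sam"] if ad else None,
            "groups": list(ad["memberOf"]) if ad else [],
            "matchConfidence": confidence,
        })
    unmatched_ad = [r["sam"] for r in ad_records if r["sam"] not in claimed]
    return profiles, unmatched_ad


def find_risks(profiles, unmatched_ad):
    """Identity-quality checks an owner of the merged view would run on every rebuild."""
    return {
        "terminated_with_account": [p["uid"] for p in profiles if p["status"] == "terminated" and p["adAccount"]],
        "weak_matches_for_review": [p["uid"] for p in profiles if p["matchConfidence"] == "weak"],
        "accounts_without_owner": unmatched_ad,
    }


class VirtualView:
    """Serves the merged view on request, rebuilding it only when the cache has expired."""

    def __init__(self, ttl_seconds=60.0):
        self.ttl, self._built, self._cache = ttl_seconds, 0.0, None

    def lookup(self, uid, now=None):
        now = time.monotonic() if now is None else now
        if self._cache is None or now - self._built > self.ttl:
            self._cache = {p["uid"]: p for p in correlate(HR_RECORDS, AD_RECORDS)[0]}
            self._built = now
        return self._cache.get(uid)


if __name__ == "__main__":
    merged, orphans = correlate(HR_RECORDS, AD_RECORDS)
    for profile in merged:
        print(profile)
    print(find_risks(merged, orphans))
```

Two design points carry over to a real deployment: the global identifier is minted from the authoritative source (HR) rather than from any consuming system, so a deprovisioning event there propagates to every view, and every match below the strong key is tagged with its confidence so that the weak ones are reviewed rather than silently trusted for access decisions.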