I recently attended the Gartner Identity and Access Management (IAM) Summit, sort of a three-day nerdvana for identity professionals. Though it's a relatively narrowly focused topic, identity permeates all aspects of modern computing, and this was reflected in the robust attendance; more than 800 attendees filled the halls of the conference center.
Even though the Gartner research firm hosts the conference and provides lots of one-on-one analyst time for its clients attending the conference, it's not restricted to clients. As evidenced by the high blazer-to-beard ratio, however, it is a more upscale event than your average IT pro or security conference. (I also detected a slight yet disturbing increase in Frank Zappa-like beards.) Gartner analysts have the luxury of interviewing many customers about their technologies, then going off and thinking about the data they’ve gathered—an amount of market research that most of us don't have time for. You might not agree with everything Gartner has to say, but it’s as informed a viewpoint as anyone’s out there. In this month's column, I'd like to review a couple of sessions that focused on Active Directory (AD)-related topics.
A session that naturally piqued my interest was IAM in an Active Directory-Centric Universe by Perry Carpenter and Andrew Walls. The first fact presented in the session got my attention: Despite AD’s ubiquitous presence in the enterprise, Microsoft Forefront Identity Manager (FIM) is the strategic IAM system for fewer than 15 percent of enterprises. There's more activity around virtual directories nowadays than metadirectories. Carpenter and Walls agree with this; they say that virtual directories, such as Radiant Logic's RadiantOne Virtual Directory Server, are less complex to implement, they leave the data where it is in different repositories instead of bringing it all up to a metaverse, and they can offer better performance than a metadirectory service.
Regardless of how widely deployed FIM is, AD remains the 800-lb gorilla of enterprise identity stores. It’s everywhere. As a result, any IAM solution—whether on premises or in the cloud—must be able to deal with AD securely and seamlessly. Because of AD’s dominance in the enterprise authentication market, Carpenter and Walls stated that “Microsoft has a unique opportunity to shape the way identity will be managed and used in the next decade.”
Though less talked about today, metadirectory services are still very much with us in the guise of the directory synchronization server. To explain, let me provide just a little bit of context. Last month, in “SCIM Simplifies Cloud Service Identity Provisioning” (InstantDoc ID141564), I talked about the four A's of cloud identity: authentication, accounts, authorization, and auditing. Accounts describes account provisioning, the need to make user identities available to a cloud service so they can use the service. The directory sync server is one of several methods available today to accomplish this task. A synchronization server is (generally) an on-premises server that synchronizes users and groups between an enterprise IAM solution and a cloud service. The sync server monitors the content of, for example, an AD organizational unit (OU) or security group, and keeps it in sync with the identity store of a cloud service. Users and groups are provisioned, or deprovisioned, from the service as they’re added to the OU. Google Apps and Microsoft are two prominent examples of SaaS applications that use directory-synchronization servers. Remember that, from the enterprise side, directory synchronization handles only account provisioning; you still must implement a federation solution with the SaaS provider to handle authentication of these accounts.
As technologists, we think of AD as a foundational piece of a company’s IT infrastructure that provides integrated authentication and authorization for Windows computers (and more, if you buy extra bits). Microsoft marketers see AD, however, as glue (as evidenced by the term "AD-integrated") that ties other Microsoft products together in a way that makes them highly competitive against third-party solutions.
One result of this outlook is that AD enhancements that don’t help sell other Microsoft products will take a back burner to enhancements that do. A great example is AD bridge products that allow UNIX and Linux computers to authenticate to an AD domain, thus simplifying the security environment. Microsoft has never expanded AD into this area, remaining content to allow third parties to add this capability. It’s not hard to argue that time spent developing this capability natively would have little direct benefit to selling Microsoft products.
Another example is the movement to the cloud, where Microsoft is just another player in the market, rather than the dominant player. Microsoft provides Active Directory Federation Services (AD FS) for on-premises cloud identity, but enterprises are also looking at a new breed of identity applications (e.g., Identity as a Service—IDaaS) that hook into AD to provide the same functionality. Gartner’s position is that a complete IAM solution will always be a combination of native Microsoft applications, such as AD and perhaps AD FS for cloud identity or FIM for metadirectory and certificate services, and non-Microsoft apps such as AD bridges for UNIX clients, virtual directories for tying in other identity sources, privileged access management tools for governance, and lifecycle management tools to manage the digital identities themselves.
The second presentation I want to highlight, Head in the Clouds: The Evolution of Directory Services by Mark Diodati, provided a terrific overview of the bewildering complexity of ways a directory service can be connected to a cloud service. Imagine a jigsaw puzzle in which the pieces are AD, on-premises identity provider federation services, cloud-based service provider federation services, IDaaS, virtual directories, directory synchronization servers, web applications … and don’t forget the user in all this!
Then, attach these pieces to one another with the glue of Kerberos, SAML, federated trusts, proprietary vendor APIs, and different provisioning methods. The enterprise identity architect of the future (i.e., next week!) needs to understand how all these puzzle pieces can be arranged to accomplish an enterprise’s cloud identity requirements.
And that’s not all. These pieces all vary in the maturity of their solutions and their ability to integrate with one another. Authentication solutions are more mature than provisioning, and both have been around longer than governance.
Diodati groups these pieces into three broad categories—to the cloud, in the cloud, and from the cloud—then arranges them into typical use cases.
- To the cloud represents the use cases we’re most familiar with, that of enterprises with on-premises identity (i.e., AD) that want to extend these identities to cloud applications using some kind of identity provisioning (e.g., directory sync) and an on-premises federation solution for authentication.
- In the cloud focuses on use cases for companies that have little or no on-premises IT infrastructure. These companies use IDaaS providers, such as Okta, that can have no on-premises components at all. The identity store is in the cloud, users authenticate to that cloud service, and once in, they use the service's built-in federation identity provider component to authenticate to the actual SaaS application.
- From the cloud describes the emerging use cases for companies that have their identities (or some portion thereof) in the cloud and want those identities provisioned down into on-premises applications. This is more or less the opposite configuration of to the cloud and is still very new and full of challenges. The first challenge, of course, is that few established companies today are willing to store their precious identity data in the cloud in the first place. A more likely use case is that of a company that already has a cloud service provider such as Google Apps as its authoritative identity source. If the company should eventually need an on-premises application, that company must get the identities down to the application using, for example, a virtual directory that presents them to the app via the LDAP interface the app expects.
According to Diodati, federation identity providers have become so common in the IAM arena that they're now just "table stakes" to be in the market. Whether it's traditional all-in-one IAM solutions from CA or Oracle, dedicated on-premises cloud identity solutions from Ping Identity, virtual directory solutions, or IDaaS solutions, all now have a federated identity provider component. He believes the differentiator between these products is how directory-service and service-provider functions are beginning to work in both directions, so identity becomes another core IT function that's freed from the firewall.
In the end, Diodati had three straightforward recommendations. First, he joined the chorus of identity professionals recommending banishment of the password. (His exact words were, "Passwords suck!"—an observation right up there with Jeremy Grant's "We think the password needs to be shot.") To achieve this banishment, however, you must learn how to implement strong authentication methods (e.g., smart cards, hardware tokens).
Second, he said to accept the reality of directory synchronization. Though it's less technically elegant than just-in-time identity creation, service providers aren’t going to depend on your off-premise identity for the health of their application. They want their own copy. What this makes me wonder, though, is how this will scale when a company uses hundreds or even thousands of SaaS providers. We'll need some kind of general-purpose sync engine that can handle many providers, not a dedicated server per provider.
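To make the directory-sync mechanism described earlier concrete, and to sketch the one-engine-many-providers model this paragraph asks for, here is an added example in Python; it is not code from the column or from any vendor product. The AD group snapshot and the cloud account data are constructed, and the CloudProvider adapter is a hypothetical in-memory stand-in for a real provider API.

```python
from dataclasses import dataclass, field

# Constructed snapshot of the AD security group that defines the sync scope.
# Each record is (sAMAccountName, mail, enabled). Disabled users must be
# deprovisioned from every cloud service, which is the point of the sync.
AD_SYNC_GROUP = [
    ("alice", "alice@example.com", True),
    ("bob", "bob@example.com", True),
    ("carol", "carol@example.com", False),
]

@dataclass
class CloudProvider:
    """Hypothetical adapter over one SaaS identity store (in-memory only)."""
    name: str
    accounts: dict = field(default_factory=dict)  # mail -> {"managed": bool}

    def provision(self, mail):
        self.accounts[mail] = {"managed": True}   # mark as created by the engine

    def deprovision(self, mail):
        del self.accounts[mail]

def plan(ad_group, provider):
    """Actions needed to make `provider` match the AD scope.
    Only enabled AD users are desired, and only accounts this engine created
    ("managed") are ever removed, so cloud-native admin accounts survive."""
    desired = {mail for _, mail, enabled in ad_group if enabled}
    managed = {m for m, a in provider.accounts.items() if a["managed"]}
    to_add = sorted(desired - set(provider.accounts))
    to_remove = sorted(managed - desired)
    return to_add, to_remove

def sync_all(ad_group, providers):
    """One general-purpose engine driving many providers; returns a change report."""
    report = {}
    for p in providers:
        to_add, to_remove = plan(ad_group, p)
        for mail in to_add:
            p.provision(mail)
        for mail in to_remove:
            p.deprovision(mail)
        report[p.name] = {"added": to_add, "removed": to_remove}
    return report

def demo():
    # Constructed state: carol was provisioned earlier; svc-admin is cloud-native.
    gapps = CloudProvider("google-apps", {"carol@example.com": {"managed": True},
                                         "svc-admin@example.com": {"managed": False}})
    crm = CloudProvider("crm-saas")
    return sync_all(AD_SYNC_GROUP, [gapps, crm]), gapps, crm
```

A second run of sync_all over the same inputs produces empty reports, which is the idempotence a scheduled sync job relies on.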
Finally, he recommended that you track technological developments in this area, because they continue to evolve as cloud identity matures. You've gotten to the bottom of this column, so you get a gold star for effort on this recommendation!
What About You?
What do you think about these predictions? Are you using a metadirectory or a virtual directory to consolidate your identity sources—or are you using both? How are you progressing in the campaign to banish the password? As the professionals that live with this from day to day, I'd really like to know your take.