A new take on crowd control

Can virtual directories help managers impose order on unruly directories?

Whether they must quickly deploy a new e-government  application or comply with a governmentwide order such as Homeland Security Presidential Directive 12 for secure identity cards, agency managers generally would prefer to have one convenient place to keep their employees’ personal identity information.

The most common way to provide such a unified view has been to copy the identity data from various application databases and directories that store such information, integrate it in a central repository and then create mechanisms to make sure the data is synchronized with those original sources. However, those procedures are expensive, time-consuming to set up and prone to error.

That’s why some agencies are giving virtual directories a closer look.

A virtual directory offers an aggregated view of personal identity data from multiple sources without someone having to go through procedures to physically collect and synchronize the data. Sold as a single product from vendors such as Radiant Logic and Symlabs, or as a component of a larger identity management suite, a virtual directory uses middleware to automatically access the data in separate sources and present a unified view of it through a single interface based on user preferences.

Some critics point out that because virtual directories introduce a layer of software between the user and the data, they can exact performance penalties. However, managers who have embraced virtual directories say the applications that depend on them can be deployed quickly at a relatively low cost.

Because virtual directories don’t require physical duplication and manipulation of data, they sidestep the problems of data ownership that have plagued many metadirectory projects. Organizations can allow others to gain access to their data according to policies they set. They never have to give up possession of their data.

The Defense Information Systems Agency faced challenges of data ownership, security and privacy when DISA created its Anti-Drug Network. ADnet supports secure collaboration and data exchanges among many organizations responsible for drug interdiction. ADnet program officials wanted to give authorized users access to personal contact and profile information that other organizations managed. But they also wanted to avoid having to copy and synchronize that data in a centralized directory, according to officials at Booz Allen Hamilton, an integrator on the project.

ADnet’s Virtual Directory Server software from Radiant Logic collects and presents identity data in a read-only format, a solution that allows directory owners to enforce their own policies for data access and data integrity.

Officials at the Energy Department’s Sandia National Laboratories said they have similar reasons for wanting virtual directories. Sandia also uses Radiant Logic’s software.

“We’ve used them to fulfill specific customer requests where they’ve needed access to data but were limited by the applications they had,” said Bill Claycombe, a software analyst at Sandia. “The only place that data could be found was in databases they couldn’t get to.”

Officials at Sandia created a virtual directory where authorized users could get information they needed. They also began using virtual directories to provide selected contact information about Sandia employees to outside organizations, such as other national laboratories.

“We don’t want to provide them with the actual data” for privacy reasons, Claycombe said. “A virtual directory allows them to have the [contact] information they need without having to give the data out.”

Another benefit of virtual directories is that organizations with mature business processes can use those directories for building new applications without duplicating a lot of work, said Dieter Schuller, vice president of sales and business development at Radiant.

“A virtual directory allows them to leverage their existing assets and to take what’s there and work with that,” Schuller said. “It provides the data in a way that their current applications want it to look. Because of that, the implementation time for any new project is substantially reduced.”

That type of flexibility is becoming increasingly important as agencies are feeling pressure to provide broader communities of interest (COIs) with access to applications, said Peter Doolan, vice president of sales consulting at Oracle Public Sector. That company offers a product called Oracle Virtual Directory.

Agencies are often interested in collaborating with other government and industry partners through technologies such as Web portals. Many would like to provide COIs access to data on demand, Doolan said.

In other scenarios, agencies that manage emergency situations would like to quickly establish identity infrastructures for large COIs, and then just as quickly tear them down. Those are not easy tasks with the directory technologies that agencies have used in the past, Doolan said.

A widely used technical standard known as Lightweight Directory Access Protocol was created in a context of well-defined and accountable infrastructures, Doolan said. “We are in a new world that is much more ad hoc,” Doolan said. “It’s not tenable now to go through the kind of lengthy processes we used in the past,” he added.

Of course, not everyone sees a value in virtual directories. Their value depends on what others mean by virtualization, said Ivan Hurtt, product marketing manager at Novell. True virtualization means that no data is stored locally. True virtualization can create performance problems, he said, because virtual directory software must continually access remote sources of data to keep the directory up-to-date.

“In order to get any level of performance [for a virtual directory], you need to cache at least some of the data locally, and once you do that, you are past the point of true virtualization,” Hurtt said. At that point, you also need other software tools, such as data verification tools, he added.

Virtual directories are useful, but in a limited role, said Earl Perkins, research vice president at Gartner’s security and privacy team and a former director of security and identity market research at Microsoft. Virtual directories are effective when used with other tools that provide certain levels of authentication and management, he said.

“Government agencies that buy virtual directories would also have to supplement them with other things to harden them,” Perkins said, which is why virtual directories should, in most cases, not be viewed as applications that stand on their own. Typically their role is to extend the functionality of existing metadirectories, he said.

The problem with  current virtual directory solutions is that they do not go far enough, said Deepak Taneja, founder, president and chief executive officer of Aveksa, an identity management and security compliance company.

“Virtual directories are designed to collect identities, but you can’t virtualize entitlements,” Taneja said. “They can provide the who, but not the who-has-access-to-what part. For that, you need a broader solution.”

In their current form, virtual directories can be applied to small problems, Taneja said. The next generation must be able to do more than identify people and resources. They must be able to enforce rules for what people are approved to do based on the roles they have in their organizations. “That’s where the [identity and access management] industry is going,” Taneja said.
Two choices for one viewThere are two ways to create a unified view of employee identity information stored in multiple online directories or databases: metadirectories or virtual directories. Here are the differences.

Metadirectory
A metadirectory is a centralized directory of personal identity information that synchronizes information from several databases and directories. Data changes made in one directory are reflected in the other directories. For example, if managers revoke a person’s access privileges in one directory, that change, if necessary, is made in the other directories.

Virtual Directory
A virtual directory gives applications a standard as-is view of personal identity information from several databases and directories. Regardless of the origin of that information, it will appear to be in a single directory.

-- Brian Robinson

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above