A new take on crowd control

Can virtual directories help managers impose order on unruly directories?

Whether they must quickly deploy a new e-government application or comply with a governmentwide order such as Homeland Security Presidential Directive 12 for secure identity cards, agency managers generally would prefer to have one convenient place to keep their employees’ personal identity information.

The most common way to provide such a unified view has been to copy the identity data from various application databases and directories that store such information, integrate it in a central repository and then create mechanisms to make sure the data is synchronized with those original sources. However, those procedures are expensive, time-consuming to set up and prone to error. That’s why some agencies are giving virtual directories a closer look. A virtual directory offers an aggregated view of personal identity data from multiple sources without someone having to go through procedures to physically collect and synchronize the data. Sold as a single product from vendors such as Radiant Logic and Symlabs, or as a component of a larger identity management suite, a virtual directory uses middleware to automatically access the data in separate sources and present a unified view of it through a single interface based on user preferences. Some critics point out that because virtual directories introduce a layer of software between the user and the data, they can exact performance penalties. However, managers who have embraced virtual directories say the applications that depend on them can be deployed quickly at a relatively low cost.

Because virtual directories don’t require physical duplication and manipulation of data, they sidestep the problems of data ownership that have plagued many metadirectory projects. Organizations can allow others to gain access to their data according to policies they set. They never have to give up possession of their data.

The Defense Information Systems Agency faced challenges of data ownership, security and privacy when DISA created its Anti-Drug Network. ADnet supports secure collaboration and data exchanges among many organizations responsible for drug interdiction. ADnet program officials wanted to give authorized users access to personal contact and profile information that other organizations managed. But they also wanted to avoid having to copy and synchronize that data in a centralized directory, according to officials at Booz Allen Hamilton, an integrator on the project. ADnet’s Virtual Directory Server software from Radiant Logic collects and presents identity data in a read-only format, a solution that allows directory owners to enforce their own policies for data access and data integrity.

Officials at the Energy Department’s Sandia National Laboratories said they have similar reasons for wanting virtual directories. Sandia also uses Radiant Logic’s software.

“We’ve used them to fulfill specific customer requests where they’ve needed access to data but were limited by the applications they had,” said Bill Claycombe, a software analyst at Sandia. “The only place that data could be found was in databases they couldn’t get to.” Officials at Sandia created a virtual directory where authorized users could get information they needed. They also began using virtual directories to provide selected contact information about Sandia employees to outside organizations, such as other national laboratories.

“We don’t want to provide them with the actual data” for privacy reasons, Claycombe said. “A virtual directory allows them to have the [contact] information they need without having to give the data out.”

Another benefit of virtual directories is that organizations with mature business processes can use those directories for building new applications without duplicating a lot of work, said Dieter Schuller, vice president of sales and business development at Radiant. “A virtual directory allows them to leverage their existing assets and to take what’s there and work with that,” Schuller said. “It provides the data in a way that their current applications want it to look. Because of that, the implementation time for any new project is substantially reduced.” That type of flexibility is becoming increasingly important as agencies are feeling pressure to provide broader communities of interest (COIs) with access to applications, said Peter Doolan, vice president of sales consulting at Oracle Public Sector. That company offers a product called Oracle Virtual Directory. Agencies are often interested in collaborating with other government and industry partners through technologies such as Web portals. Many would like to provide COIs access to data on demand, Doolan said.

In other scenarios, agencies that manage emergency situations would like to quickly establish identity infrastructures for large COIs, and then just as quickly tear them down. Those are not easy tasks with the directory technologies that agencies have used in the past, Doolan said.

A widely used technical standard known as Lightweight Directory Access Protocol was created in a context of well-defined and accountable infrastructures, Doolan said. “We are in a new world that is much more ad hoc,” Doolan said. “It’s not tenable now to go through the kind of lengthy processes we used in the past,” he added.

Of course, not everyone sees a value in virtual directories. Their value depends on what others mean by virtualization, said Ivan Hurtt, product marketing manager at Novell. True virtualization means that no data is stored locally. True virtualization can create performance problems, he said, because virtual directory software must continually access remote sources of data to keep the directory up-to-date.

“In order to get any level of performance [for a virtual directory], you need to cache at least some of the data locally, and once you do that, you are past the point of true virtualization,” Hurtt said. At that point, you also need other software tools, such as data verification tools, he added.

Virtual directories are useful, but in a limited role, said Earl Perkins, research vice president at Gartner’s security and privacy team and a former director of security and identity market research at Microsoft. Virtual directories are effective when used with other tools that provide certain levels of authentication and management, he said.

“Government agencies that buy virtual directories would also have to supplement them with other things to harden them,” Perkins said, which is why virtual directories should, in most cases, not be viewed as applications that stand on their own. Typically their role is to extend the functionality of existing metadirectories, he said.

The problem with current virtual directory solutions is that they do not go far enough, said Deepak Taneja, founder, president and chief executive officer of Aveksa, an identity management and security compliance company. “Virtual directories are designed to collect identities, but you can’t virtualize entitlements,” Taneja said. “They can provide the who, but not the who-has-access-to-what part. For that, you need a broader solution.”

In their current form, virtual directories can be applied to small problems, Taneja said. The next generation must be able to do more than identify people and resources. They must be able to enforce rules for what people are approved to do based on the roles they have in their organizations. “That’s where the [identity and access management] industry is going,” Taneja said.

Two choices for one view

There are two ways to create a unified view of employee identity information stored in multiple online directories or databases: metadirectories or virtual directories. Here are the differences.

Metadirectory
A metadirectory is a centralized directory of personal identity information that synchronizes information from several databases and directories. Data changes made in one directory are reflected in the other directories. For example, if managers revoke a person’s access privileges in one directory, that change, if necessary, is made in the other directories.

Virtual Directory
A virtual directory gives applications a standard as-is view of personal identity information from several databases and directories. Regardless of the origin of that information, it will appear to be in a single directory.

-- Brian Robinson
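
The two approaches side by side, as an added Python example that is not from the article or from any vendor's product: a read-only view assembled at query time from sources whose owners decide which attributes are released, next to a cached view and a metadirectory-style copy. The class names, attributes and sample records are constructed for illustration.

```python
# Added illustration; every name, attribute and policy here is constructed.
from types import MappingProxyType


class Source:
    """An identity store that stays with its owner (e.g. an HR database)."""

    def __init__(self, records, releasable):
        self._records = records             # uid -> attribute dict
        self._releasable = set(releasable)  # owner's own release policy

    def lookup(self, uid):
        rec = self._records.get(uid)
        if rec is None or not rec.get("active", True):
            return {}                       # unknown, or revoked by the owner
        return {k: v for k, v in rec.items() if k in self._releasable}

    def revoke(self, uid):
        self._records[uid]["active"] = False


class VirtualDirectory:
    """Joins sources at query time; holds no data unless cache=True."""

    def __init__(self, sources, cache=False):
        self._sources = sources
        self._cache = {} if cache else None

    def get(self, uid):
        if self._cache is not None and uid in self._cache:
            return self._cache[uid]         # local copy, possibly stale
        merged = {}
        for src in self._sources:
            merged.update(src.lookup(uid))
        view = MappingProxyType(merged)     # callers get a read-only view
        if self._cache is not None:
            self._cache[uid] = view
        return view


def demo():
    hr = Source({"jdoe": {"cn": "J. Doe", "ssn": "000-00-0000"}}, {"cn"})
    phones = Source({"jdoe": {"telephoneNumber": "555-0100"}}, {"telephoneNumber"})
    live = VirtualDirectory([hr, phones])
    cached = VirtualDirectory([hr, phones], cache=True)
    central = {"jdoe": dict(live.get("jdoe"))}  # metadirectory-style copy
    cached.get("jdoe")                          # warm the cache
    hr.revoke("jdoe")                           # owner changes its own data
    return dict(live.get("jdoe")), dict(cached.get("jdoe")), central["jdoe"]
```

After the owner revokes the record, only the uncached view drops the HR attribute; the cached view and the central copy keep serving it until they are refreshed or synchronized.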