Ok, I didn't think I had anything to add here, but this statement really bothered me:
Customers could start with E-SSO and then over time add user provisioning, web SSO, federated SSO, and other components of the identity management suites.
I think this statement is indicative of what is wrong with most large enterprises - they try to solve what is ultimately a symptom of a much larger problem without getting to the root of the problem first. I've been in several large enterprises (100k users and above) where this is painfully evident.
Let's get one thing straight - the need for Enterprise SSO is an indicator that your application authentication strategy is either not well thought out or has grown overly complex via accretion (by adding new companies or applications over time); in many cases both are true. These are the same companies that, rather than pick Novell, Sun or Microsoft as a single enterprise application directory, went out and implemented one or more meta-directories and have at least one Web SSO vendor in house just to tie their web applications together. Of course this leaves a host of other non-integrated applications: proxies, legacy fat clients with proprietary identity stores, multitudes of SQL databases with local identity stores, mainframe applications, and a complement of vendor-provided applications. Combine that with the multiple AD forests, legacy NT4 domains (full trust model, of course), multiple Novell eDirectory trees, one or more LDAP meta-directories (take your pick), countless *nix /etc/passwd files, and at least one NIS/NIS+ domain, and you have your typical large enterprise mess. (Yes, more than one company comes to mind; they shall remain nameless.) Given all that, the solution is Enterprise SSO?
Sure, let's continue to throw good money after bad infrastructure! In my opinion, and that of my company, E-SSO is the last thing you should consider! Don't get me wrong, it has its place for sure, but only after you've exhausted all other opportunities to simplify.
A few years back at DEC I watched a Gartner presentation where the presenter openly criticized the goal of a homogeneous environment. Let's be completely honest here - the much lauded heterogeneous environment (how many of you still have this on your resumes?) is to blame for this mess. I tend to view this as opposite ends of a spectrum. On one end you have the ideal that the absolute best-of-breed tool should be chosen to solve every task without consideration for integration or interoperability, and on the opposite end of the spectrum is blind devotion to a single vendor in the hope that all solutions will be integrated and interoperable. Both extremes are faulty - but I see no reason not to reach towards one or the other while maintaining some degree of sanity. Personally I tend to lean towards more homogeneous solutions, or at least ones that are tightly integrated and interoperable (big surprise, right?). This is why I think that Federation and Claims are two of the most important emerging technologies within IT, as they allow you to have your cake and eat it too.
Until we have reached the completely interoperable infrastructure (see Stuart Kwan's DEC 2008 keynote on transformers if you can get your hands on it), which isn't likely to hit within the next 3 to 5 years, we have to aim towards one ideal or the other and continue to integrate Federation and Claims as they become available. I'm in favor of the K.I.S.S. principle here, and this is why Ensynch aligns around the following key IDA project initiatives:
- Simplify & Consolidate - begin with the goal of reducing the number of authenticators in your environment. Aim for a single homogeneous enterprise directory, knowing you probably won't get there, but you have to try! The applications that are too expensive to move to this central directory you leave to the next step.
- Synchronize & Normalize - use a good IdM tool to synchronize identity information between the remaining stores. This gets you one step closer to SSO, normalizes identity, and you benefit from password synchronization.
- Federate & SSO - last but not least, follow up with a serious look at federating the really tough identity stores, either internally, externally or both. For the ultra-stubborn applications that refuse to integrate into any mainstream directory you apply an E-SSO approach, but by this time you will have weeded out many of these applications. Once you're at this stage you can get a much better handle on how much you are investing in infrastructure to maintain these legacy applications, which, hopefully, gives you further leverage to scrap/rebuild them or pressure the vendors to join the 21st century.
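The three initiatives above are really a triage rule applied to an application inventory: count the authenticators you have, move what is cheap to move, synchronize what must stay, federate what can speak claims, and only then see what is left for E-SSO. The script below is an added illustration of that triage and is not code from the post or from Ensynch; the inventory, the store types, the central directory name "corp-ad", the connector list in SYNC_CAPABLE, and the migration-cost budget are all constructed assumptions.

```python
"""Triage an application inventory into the three initiatives described above.

Constructed illustration: the inventory, store types and connector list are
made up for this example; they are not from the post or from Ensynch.
"""
from dataclasses import dataclass

# Assumption: the single enterprise directory the organisation has chosen.
CENTRAL_DIRECTORY = "corp-ad"

# Assumption: store types the chosen IdM/synchronisation tool has connectors for.
SYNC_CAPABLE = {"ad", "edirectory", "ldap", "sql", "nis"}


@dataclass(frozen=True)
class App:
    name: str
    identity_store: str        # where the app authenticates users today
    store_type: str            # ad, edirectory, ldap, sql, nis, mainframe, proprietary
    supports_ldap: bool        # can be re-pointed at a central LDAP/AD directory
    supports_federation: bool  # can consume SAML/WS-Federation style claims
    migration_cost: int        # effort to move to the central directory, 0 (none) .. 5 (rewrite)


# Constructed sample inventory (not real systems).
INVENTORY = [
    App("hr-portal", "corp-ad", "ad", True, True, 0),
    App("legacy-crm", "crm-sql", "sql", True, False, 2),
    App("eng-wiki", "eng-edir", "edirectory", True, False, 4),
    App("saas-expenses", "vendor-cloud", "proprietary", False, True, 5),
    App("build-farm", "nis-legacy", "nis", True, False, 1),
    App("fat-client-inv", "inv-sql", "sql", False, False, 5),
    App("mainframe-gl", "racf", "mainframe", False, False, 5),
]


def count_authenticators(apps):
    """Number of distinct identity stores users must authenticate against today."""
    return len({app.identity_store for app in apps})


def classify(app, budget):
    """Map one application to an initiative, checked in the order the post recommends.

    done        - already authenticates against the central directory
    consolidate - step 1: cheap enough to re-point at the central directory
    synchronize - step 2: stays on its store, which an IdM tool can synchronize
    federate    - step 3: can consume claims from a federation service
    esso        - last resort: nothing above applies, so E-SSO is the only fit
    """
    if app.identity_store == CENTRAL_DIRECTORY:
        return "done"
    if app.supports_ldap and app.migration_cost <= budget:
        return "consolidate"
    if app.store_type in SYNC_CAPABLE:
        return "synchronize"
    if app.supports_federation:
        return "federate"
    return "esso"


def triage(apps, budget=3):
    """Group application names by initiative; budget is the max migration cost for step 1."""
    plan = {"done": [], "consolidate": [], "synchronize": [], "federate": [], "esso": []}
    for app in apps:
        plan[classify(app, budget)].append(app.name)
    return plan


def remaining_authenticators(apps, budget=3):
    """Identity stores still in service once step 1 has retired the consolidated ones.

    A store is only retired when every application on it has been moved, so any
    store that still backs a synchronize/federate/esso application is kept.
    """
    kept = {CENTRAL_DIRECTORY}
    for app in apps:
        if classify(app, budget) not in ("done", "consolidate"):
            kept.add(app.identity_store)
    return kept


if __name__ == "__main__":
    plan = triage(INVENTORY)
    print(f"authenticators today: {count_authenticators(INVENTORY)}")
    for bucket, names in plan.items():
        print(f"{bucket:12} {', '.join(names) or '-'}")
    left = remaining_authenticators(INVENTORY)
    print(f"authenticators after consolidation: {len(left)} -> {sorted(left)}")
```

Raising the budget argument is the "how much do you want to invest in step 1" knob: with the constructed inventory the E-SSO bucket holds a single mainframe application whichever budget you pick, which is the point of the post, and the remaining-authenticator count is the number you can put in front of the vendors of the stores that are still standing.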
Don't get drawn into protracted and complex E-SSO initiatives without asking the hard questions and simplifying your environment first; you will be glad that you did.