vscheuber's blog

synchronization versus virtualization

Our IDM product line is based on data synchronization technology. From time to time I come across requests for virtualization in identity management projects, for various reasons. Some of them hold up; others don't and fall after only a short investigation. Read on to learn about some of the misconceptions that exist out there regarding synchronization versus virtualization.

I went out and did some research on what the general understanding of a virtual directory and a meta directory is. I found an article on Wikipedia very interesting, actually interesting enough to make changes to it. The article originally stated:

When compared against most metadirectory technologies, virtual directory implementations typically offer several advantages:

  • a simpler administration model,
  • better reaction times against changes as the data is read directly from the source,
  • better adoption in the Corporate IT politics as the ownership of data is not changed,
  • better match for environments where the bulk transfer of changes is inappropriate

When I read that, I thought it was seriously wrong. I made the following changes:

When compared against metadirectory technologies, virtual directory implementations offer potential advantages and suffer from certain disadvantages:

potential advantages:

  • In certain political climates it may be preferable not to synchronize data into a central identity vault. In all other cases, however, synchronization offers unique advantages (some of which are listed under disadvantages below).
  • Better match for environments where the bulk transfer of changes is inappropriate. An example might be transactional systems which hold information about a lot of transactions, but only summaries or only the last couple of transactions should actually be retrievable through the directory service.
  • Potentially better reaction times to changes in low load/request environments, as the data is read directly from the source. This advantage can quickly turn into a serious disadvantage in heavy load/request scenarios, when every client request puts load on all the backend systems.

disadvantages (compared with a synchronized identity vault):

  • In an identity vault all data is available as long as the vault itself is available. In a virtual directory implementation, some of the delegated data sources may be unavailable, and requests then return no data or only incomplete data.
  • A central identity vault is usually easier to make highly available and fault-tolerant than a conglomeration of separate data stores.
  • In heavy load/request environments the identity vault absorbs all client requests, thus protecting the backend systems from having to handle the whole load.
  • Close-to-real-time synchronization technology offers comparable performance even in a heavy load/request environment.
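The trade-offs in the two lists can be made concrete with a small model. The following is an added example, not code from the original post or from any Novell product: it models a virtual directory that reads two constructed backends (an HR system and an AD domain, with made-up attributes and a made-up user) on every client request, beside an identity vault that serves a synchronized copy, and measures backend load, freshness after a change, and what each design returns while one backend is down.

```python
"""Toy model: virtual directory (reads the backends on every request) versus an
identity vault (serves a synchronized copy). Added example, not code from the
original post or any Novell product; backends, attributes and users are constructed."""
from dataclasses import dataclass


class BackendUnavailable(Exception):
    pass


@dataclass
class Backend:
    name: str
    records: dict            # uid -> attributes this system of record owns
    available: bool = True
    requests: int = 0        # load this backend has had to absorb

    def lookup(self, uid):   # per-request read, as a virtual directory issues it
        self.requests += 1
        if not self.available:
            raise BackendUnavailable(self.name)
        return dict(self.records.get(uid, {}))

    def dump(self):          # bulk read for the synchronizer (real engines use change events)
        self.requests += 1
        if not self.available:
            raise BackendUnavailable(self.name)
        return {uid: dict(attrs) for uid, attrs in self.records.items()}


class VirtualDirectory:
    """Every client lookup fans out to every backend and merges the answers."""

    def __init__(self, backends):
        self.backends = backends

    def get(self, uid):
        merged, unreachable = {}, []         # partial data when a backend is down
        for backend in self.backends:
            try:
                merged.update(backend.lookup(uid))
            except BackendUnavailable:
                unreachable.append(backend.name)
        return merged, unreachable


class IdentityVault:
    """Client lookups hit the local store only; backends are read at sync time."""

    def __init__(self, backends):
        self.backends = backends
        self.store = {}

    def sync(self):
        """Pull from each reachable backend; an unreachable one keeps its old data."""
        skipped = []
        for backend in self.backends:
            try:
                for uid, attrs in backend.dump().items():
                    self.store.setdefault(uid, {}).update(attrs)
            except BackendUnavailable:
                skipped.append(backend.name)
        return skipped

    def get(self, uid):
        return dict(self.store.get(uid, {}))


def run_scenario(client_lookups=1000):
    """Measure backend load, freshness after a change, and an HR outage."""
    hr = Backend("hr", {"alice": {"cn": "Alice", "dept": "Finance"}})
    ad = Backend("ad", {"alice": {"mail": "alice@example.test"}})
    vdir, vault = VirtualDirectory([hr, ad]), IdentityVault([hr, ad])
    vault.sync()
    sync_load = hr.requests + ad.requests      # one read per backend, in total

    # Load: the vault absorbs all client traffic; the virtual directory forwards every lookup.
    for _ in range(client_lookups):
        vdir.get("alice")
        vault.get("alice")
    fanout_load = hr.requests + ad.requests - sync_load

    # Freshness: HR changes a value; the vault lags until the next sync.
    hr.records["alice"]["dept"] = "Legal"
    vdir_fresh, _ = vdir.get("alice")
    vault_before = vault.get("alice")
    vault.sync()
    vault_after = vault.get("alice")

    # Availability: with HR down the virtual directory answers incompletely.
    hr.available = False
    vdir_partial, unreachable = vdir.get("alice")
    vault_during_outage = vault.get("alice")

    return {"vault_backend_requests": sync_load,
            "vdir_backend_requests": fanout_load,
            "vdir_dept_after_change": vdir_fresh["dept"],
            "vault_dept_before_sync": vault_before["dept"],
            "vault_dept_after_sync": vault_after["dept"],
            "vdir_with_hr_down": (vdir_partial, unreachable),
            "vault_with_hr_down": vault_during_outage}
```

Running run_scenario(1000) gives 2 backend reads for the vault against 2000 for the virtual directory; the virtual directory sees the department change immediately while the vault still reports the old value until the next sync; and during the HR outage the virtual directory returns only the mail attribute and reports hr as unreachable, while the vault still answers in full. Which side wins depends on whether freshness or availability and backend protection matter more in a given deployment, which is exactly the split the two lists make.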

Now what I really want to understand from anyone who has insights to share is: have you been using our products and come across situations where virtualization would have come in handy or even saved your project? Have you not used our products because they do synchronization and not virtualization of identity data?

Submitted by: vscheuber on Thu. 01.18.2007
Filed Under: blog

securing designer projects

As we extend Designer's offline capabilities, people will be storing more and more sensitive data in their Designer projects. Many consultants take their customers' data, stored in Designer projects, out of the protected networks and buildings: business logic, processes, passwords, IP addresses, administrator phone numbers, email addresses and more. How is Designer going to protect your and your customers' data?

We are investigating for our Designer 2.1 release how we can better protect sensitive information in Designer projects. Sensitive information is not only passwords but also business logic and the address and contact information that you may have stored in Designer. So far on our list of data that needs enhanced protection are:

  • Passwords
  • IP addresses
  • Contact information
  • Password protection for a complete project

In your mind, what other information do we need to (better) protect in order to serve you best?

Submitted by: vscheuber on Mon. 11.27.2006
Filed Under: blog

size matters?

i remember, in my high school days, once spending most of the money i had earned during a school break on a new 20MB hard disk for my PS/2 computer. since then the world has dramatically changed as far as storage capacity is concerned. but still i keep asking myself: does size really not matter anymore? our current designer build is >400MB in size! please help me understand how this affects your usage of designer.

i would like to know whether:

- you don't care because you have a broadband internet access and assume the rest of the world has it, too

- you think it's pretty big but you still download it whenever you need it, even once a day if necessary

- you don't download as often as you used to when it was less than 200MB in size

we want the designer community to keep downloading the latest nightly and milestone builds so that we get the feedback necessary to improve our product. if the size keeps you from following us from milestone to milestone, this is a serious problem for our development model, which relies on you downloading our latest builds.

please give us honest feedback and, if you want, ideas on how to improve.

Submitted by: vscheuber on Fri. 09.29.2006
Filed Under: blog

data analysis and compliance - hype or trend?

why should it be important to an enterprise it department to have full control and certainty over the state of identity and access related data in the company? what kind of data analysis do you need to gain control and certainty over the state of your company's data? is this all a big hype to warm up the market, or are we facing a real problem here? what, by the way, is "compliance"?

i think i stated earlier in this blog that i spent my first five years at novell in consulting and delivered tens of identity management projects. one thing that always amazed me was how quickly user experience was put over security. i guess everybody has realized by now that security has its price, and it usually does not only come in the national currency for software licenses and service fees, but also in the form of opportunity costs from more complicated user interfaces, processes and hardware.

i also found that larger corporations were more security sensitive than smaller corporations, and the same is true for richer versus less rich corporations. i got the impression that security is a luxury good that not all companies could or wanted to afford. an article in the costco connection made it very clear where this can lead: universities very often don't have the same budget as larger corporations and therefore have become a - or i should say THE - preferred target for hackers around the globe. identity theft starts with any kind of identity information being stolen. it's not just your records at your bank that have to be protected. hackers get what they need from numerous sources.

ok, that was a lot of blabla you have heard a hundred times already. if you have heard it a hundred times already, i would like to pick your brain and learn from you what actions you have taken to secure your data and how you monitor that your actions are effective. i leave it up to you to hope it was only a hype or to believe it is a trend.

usually people associate the word compliance with government regulations like Sarbanes-Oxley, HIPAA or 508. but compliance starts long before that. compliance starts where you want it to start. you define rules and strategies for how your data should look in order to serve its purpose (security related or other). monitoring your data and detecting rule violations is what allows you to find out whether your data is in compliance with your own regulations. if your data and processes can't follow your own rules, how can they be expected to follow the rules of a complex regulation?
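As an added illustration of "define rules, monitor the data, detect violations" (example code, not Enforcer's or Novell Identity Manager's own): each rule is a small predicate over one identity record, and the check lists every record that breaks a rule. The accounts, group names and rules are constructed for the example.

```python
"""Rule-based compliance check over identity data. Added example, not Enforcer's
or Novell Identity Manager's code; the accounts, groups and rules are constructed
to show the approach: state how the data must look, then list every violation."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    uid: str
    enabled: bool
    hr_status: Optional[str]           # None: no HR record backs this account
    manager: Optional[str]
    groups: set = field(default_factory=set)
    days_since_login: int = 0


# A rule takes (account, all accounts by uid) and returns a message or None.
def no_orphan_accounts(acct, _):
    if acct.hr_status is None:
        return "no HR record backs this account"


def terminated_must_be_disabled(acct, _):
    if acct.hr_status == "terminated" and acct.enabled:
        return "terminated in HR but still enabled"


def manager_must_exist(acct, accounts):
    if acct.manager is None:
        return "no manager recorded"
    if acct.manager not in accounts:
        return f"manager '{acct.manager}' has no account"


def segregation_of_duties(acct, _):
    if {"payables-create", "payables-approve"} <= acct.groups:
        return "may both create and approve payables"


def no_dormant_admins(acct, _):
    if "domain-admins" in acct.groups and acct.days_since_login > 90:
        return f"privileged account unused for {acct.days_since_login} days"


RULES = {
    "no-orphan-accounts": no_orphan_accounts,
    "terminated-must-be-disabled": terminated_must_be_disabled,
    "manager-must-exist": manager_must_exist,
    "segregation-of-duties": segregation_of_duties,
    "no-dormant-admins": no_dormant_admins,
}


def check(accounts, rules=RULES):
    """Return (uid, rule name, message) for every rule an account breaks."""
    violations = []
    for uid in sorted(accounts):
        for name, rule in rules.items():
            message = rule(accounts[uid], accounts)
            if message:
                violations.append((uid, name, message))
    return violations


def run_example():
    """Constructed accounts: only alice is fully compliant."""
    accounts = {a.uid: a for a in [
        Account("alice", True, "active", "erin", {"staff"}, 3),
        Account("bob", True, "terminated", "alice", {"staff"}, 40),
        Account("carol", True, "active", "alice",
                {"staff", "payables-create", "payables-approve"}, 5),
        Account("dave", True, None, "alice", {"staff"}, 10),
        Account("erin", True, "active", None, {"domain-admins"}, 120),
    ]}
    return check(accounts)
```

run_example() returns five violations: bob is terminated in HR but still enabled, carol can both create and approve payables, dave has no HR record, and erin has no manager and is a dormant privileged account. Running such a check on every synchronization cycle, rather than once before an audit, is what turns a self-defined rule into continuous monitoring.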

last year at brainshare we showed you a new tool to gain control over your data. six months later, the development team releases milestone 0 of a new product called enforcer for novell identity manager. read more about enforcer 1.0m0. m0 is only the first step in enforcer's development cycle. help us identify whether we are on track and give us your feedback.

Submitted by: vscheuber on Mon. 09.25.2006
Filed Under: blog

heads down

howdy! the designer crew has been quite busy getting ready for m4. here is what you can expect to see next week:

the 2.0m4 release is focused on quality. changes and improvements have been made in the following areas:

  • application framework
    • access user application from modeler tools menu
    • there is now a new preference page to gather imanager url information
    • Lots of fixes to documentation with content, broken links, etc.
    • Included driver config for Legacy Workflow
    • Fixed issues with installing Designer on servers that have eDirectory 8.8
    • bug fixes
  • configuration management
    • we have added two additional fields on the general driver properties page: configuration file and supported dn format
    • the html editor inside email template editor now offers a context menu that allows you to quickly edit and format the content
    • bug fixes
  • document generator (docgen)
    • the xml editor inside document generator style editor now provides code validation, code completion and context menu actions
    • work has been done to make the rtf document more readable. this includes a cleaned-up table of contents, better table formatting, and fixed indentation problems
    • when generating documentation on an identity vault, driver, driver set or application, the default name for the document will be the name of the item you have selected
    • bug fixes
  • enterprise modeler
    • the following drivers and driver configs have been added:
      • LinuxUnix - this is the default for AIX, Debian, FreeBSD, HP-UX, Linux, RedHat, Solaris, and SUSE.
      • i5OS - this replaces IBM's OS400 driver and driver config.
    • all the applications under the operating system folder will default to using remote loader when you drop them in the modeler without running the driver config wizard. this just gives a better default configuration.
    • bug fixes
  • Enterprise Modeler Outline View
    • bug fixes
  • import/deploy
    • bug fixes
  • policy view and simulation
    • bug fixes
  • policy builder
    • bug fixes
  • project view
    • you can now open the files under the resources folder using various supported editors. right-click on the file and choose the "open with" sub-menu to see which editors are supported
    • bug fixes
  • provisioning view
    • bug fixes
  • provisioning request definition (=workflow) editor
    • a new general purpose mapping activity can now be added into the workflow. this mapping activity is used to transform data in between activities to make the flow more maintainable instead of having all data transformation within other activities
    • users can create loops for more complex workflows
    • we now include a zoom control to manage size of the objects on the canvas as well as a scale control to manage placement
    • we now show icons on links to more easily grasp the details of a workflow
    • bug fixes
  • directory abstraction layer
    • bug fixes
  • xml editor
    • the xml editor is now built on the Eclipse Web Standard Tools (WST) project architecture. as a result, the ui has changed significantly and several additional and/or improved features are available. in general, this change allows us to provide a richer and better tested xml editor, since we can leverage the work of the WST project and don't have to re-implement everything ourselves.
    • the source editor supports the following features:
      • syntax highlighting
      • context-sensitive code completion based on a DTD and/or xml schema. if no DTD or xml schema is associated with the xml document, code completion is based on the document's existing content. for example, if the document already contains an a element with a b child element, then as soon as you type a second a element the editor suggests adding b as a child of it
      • as-you-type validation. If the xml is invalid (for example, the > is removed from a tag), the editor indicates the error
      • code folding
      • formatting of entire document or selected elements
      • general text editing operations such as undo, redo, cut, copy, paste, select all
    • the tree editor supports direct editing of attribute values, comments, text nodes, CDATA, etc. as well as insertion and deletion using the right mouse menu.
    • the new xml wizard allows you to create either an empty xml file or a file containing skeleton data based on a DTD or xml schema
    • several new preference pages are available for the XML editor

a complete list of changes can be retrieved from subversion.

Submitted by: vscheuber on Fri. 09.01.2006
Filed Under: blog

news from the identity management front

i'm all excited about two new features that we have started r&d on for designer 2.0.

two weeks ago we started active r&d on snapshotting and staging. both are enterprise-class features that will greatly help everyone working with novell identity manager.

snapshotting will allow the user to take snapshots of a designer project either locally or, if he or she works in a project team, on a snapshot server. this will provide two main benefits: it will team-enable designer and it will provide sophisticated backup and restore capabilities. i know that many users have begged for this and now i can say: we're working on it.

staging will help the user or a whole project team take a solution from one stage to the next. all projects operate on at least two stages: test environment and production. some even take a three-stage approach and divide development and test into two environments. the challenge has always been how to get a finished and tested solution from the development and/or test servers into production without forgetting a switch here and a flag there, and how to do it fast and efficiently. staging will address this issue.

if you feel strongly about either of these two features, get a discussion going!

i almost forgot to mention: we posted TID3351724, which contains the official list of fixes that were rolled into idm 3.0.1.

Submitted by: vscheuber on Thu. 08.10.2006
Filed Under:

© 2008 Novell, Inc. All Rights Reserved.