Identity Silos
The explosion in the number of directories now in use calls for a different directory strategy. The established answer, the meta-directory, has not solved the problem, because it depends on migrating data and raises questions of ownership. The meta-directory concept grew out of late-1980s efforts to synchronize the address-book-style directories of workgroup electronic mail systems. A meta-directory provides a consolidated view of user identity by adding a layer of infrastructure above the native repositories, drawing user data from them and storing it in a new consolidated directory that faces the enterprise application. This tightly coupled, copy-based model is a reasonable choice where data changes infrequently, but it is often inadequate for more agile applications such as portals and CRM systems, because synchronization delays leave users working with data that is minutes or even hours out of date.
New Approach
To address current and emerging identity management requirements, an enterprise-class identity integration service needs a balance of synchronization, replication and dynamic (on-demand) access. Penrose provides these features. It takes a relatively new approach to centralizing identity data and reducing the number of directories an organization must run, without the problems of physically migrating data. Instead of creating yet another identity repository, Penrose handles each identity query on a case-by-case basis: it retrieves the required, authorized data (and only that data) in real time from the native repositories around the network and presents it to the enterprise application as needed. Once the query is answered Penrose holds nothing; the data continues to exist only in its native repositories, under the control of the original owner. Instead of building complex integrations to synchronize data between these systems, Penrose offers a lightweight, direct way of exposing multiple data sources through a single LDAP interface.
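To make the on-demand model concrete, the following is an added illustration written for this page; it is not Penrose code and does not use Penrose's configuration format. It stands up two "native repositories" with constructed sample data (an HR table in SQLite, which is also the shape of the RDBMS-backed scenario described later, and a phone store) and a small virtual directory that answers a simple LDAP equality or presence filter by querying the stores at request time, mapping their columns onto LDAP attributes, and releasing only attributes that are in the virtual schema. Nothing is copied into a new repository. The attribute and store names are assumptions made for the example.

```python
import re
import sqlite3

# Native repository 1: an HR database, stood in for by an in-memory SQLite
# table. The rows are constructed sample data for this example.
HR_DB = sqlite3.connect(":memory:")
HR_DB.executescript("""
    CREATE TABLE employees (
        login TEXT PRIMARY KEY, full_name TEXT, email TEXT, dept TEXT, salary INTEGER);
    INSERT INTO employees VALUES ('alice', 'Alice Liddell', 'alice@example.org', 'eng',   120000);
    INSERT INTO employees VALUES ('bob',   'Bob Stone',     'bob@example.org',   'sales',  90000);
""")

# Native repository 2: a telephony system that knows only phone numbers.
PHONE_STORE = {"alice": "+1-555-0100", "bob": "+1-555-0101"}

# The virtual schema: LDAP attribute -> (store, native column). This mapping is
# all the virtual directory "knows"; it holds no user data of its own. Columns
# that are not mapped (salary) can never leave the HR store through this path.
ATTR_MAP = {
    "uid":             ("hr", "login"),
    "cn":              ("hr", "full_name"),
    "mail":            ("hr", "email"),
    "ou":              ("hr", "dept"),
    "telephoneNumber": ("phone", None),
}
BASE_DN = "ou=people,dc=example,dc=org"

_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z]+)=(?P<value>[^()]+)\)$")


def parse_filter(ldap_filter):
    """Accept a single equality or presence filter, e.g. (uid=alice) or (uid=*).
    The attribute must be in the virtual schema, so a caller cannot probe
    native columns such as salary that the schema does not expose."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError("only simple equality/presence filters are supported here")
    attr, value = m.group("attr"), m.group("value")
    if attr not in ATTR_MAP:
        raise ValueError(f"attribute {attr!r} is not part of the virtual schema")
    return attr, value


def _matching_logins(attr, value):
    """Translate the LDAP filter into a query against the HR store. The column
    name comes from ATTR_MAP, never from the caller, and the value is bound as
    a parameter, so the LDAP filter cannot inject SQL."""
    store, column = ATTR_MAP[attr]
    if store != "hr":
        raise ValueError(f"cannot filter on {attr!r}: its store does not support search")
    if value == "*":
        rows = HR_DB.execute("SELECT login FROM employees")
    else:
        rows = HR_DB.execute(f"SELECT login FROM employees WHERE {column} = ?", (value,))
    return [row[0] for row in rows]


def search(ldap_filter, requested_attrs):
    """Answer one LDAP-style search by reading the native stores on demand and
    assembling virtual entries. Nothing is cached or written anywhere: once the
    list is returned, the data exists only in the stores it came from."""
    attr, value = parse_filter(ldap_filter)
    entries = []
    for login in _matching_logins(attr, value):
        hr = HR_DB.execute(
            "SELECT full_name, email, dept FROM employees WHERE login = ?", (login,)
        ).fetchone()
        native = {
            "uid": login, "cn": hr[0], "mail": hr[1], "ou": hr[2],
            "telephoneNumber": PHONE_STORE.get(login),
        }
        # Release only attributes that are both requested and in the schema.
        exposed = {a: native[a] for a in requested_attrs
                   if a in ATTR_MAP and native[a] is not None}
        entries.append({"dn": f"uid={login},{BASE_DN}", "attributes": exposed})
    return entries


if __name__ == "__main__":
    for entry in search("(ou=eng)", ["uid", "cn", "mail", "telephoneNumber", "salary"]):
        print(entry["dn"], entry["attributes"])
```

Two design points carry over to any real virtual directory: the filter attribute is validated against a fixed schema before it is turned into a backend query (so the LDAP front end cannot be used to enumerate or inject against native columns), and the result set is assembled per request and discarded, which is exactly why no synchronization schedule is needed.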
Scenarios
The following scenarios are some of the most common uses of Penrose:
- Authentication: In many organizations Active Directory is the central store of user attributes, including the password. Penrose can pass bind credentials through to Active Directory for password verification, so the AD password never has to be stored in a second location. (Screencast)
- Directory Integration: In general, the closer information is to its source, the more accurate and timely it is likely to be, for at least three reasons:
1. The source of the information is, by definition, the most accurate copy.
2. The extra delay, and the opportunity for error, between the source and a downstream directory are eliminated.
3. Depending on the information and the application, the source is usually the party most motivated to keep the information correct.
On this basis Penrose can integrate multiple directories, whether within a single department, across several departments or even from other organizations, leaving the task of updating each directory to its respective owner.
- Directory Firewall/Proxy/Auditing: Because every query passes through it, Penrose can record user activity against the target directory or database. This helps businesses meet the audit requirements of regulations such as HIPAA (the Health Insurance Portability and Accountability Act), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.
- Identity Federation: By combining the Penrose virtual directory platform with a federation server such as PingFederate, companies can reduce the implementation cost of their federated identity efforts. Penrose makes numerous identity stores appear as a single virtual interface, from which PingFederate can make the attributes available to federation partners.
- Speeding up Policy Server Deployment: A policy server such as CA SiteMinder requires a directory server in which to store user profiles. If your user profiles live in an RDBMS such as Oracle, you can use Penrose to dynamically repurpose the RDBMS data and present it to the policy server over LDAP, without creating another user profile container.
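The authentication and auditing scenarios above share one mechanism: the virtual directory forwards the bind to the native store and logs the outcome, without ever holding the credential itself. The following is an added example written for this page, not Penrose's own code: a constructed stand-in for Active Directory that keeps only salted password hashes and answers yes/no to a bind, and a virtual directory front end that maps DNs to backend accounts, passes each bind through, and writes one JSON audit line per operation. The class and attribute names, the DN layout and the sample account are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import time


class NativeDirectory:
    """Stand-in for Active Directory. It keeps salted PBKDF2 hashes of the
    passwords and answers only yes/no to a bind; the proxy in front of it never
    sees a hash, let alone a password. Accounts are constructed sample data."""

    def __init__(self, accounts):
        self._creds = {}
        for user, password in accounts.items():
            salt = os.urandom(16)
            self._creds[user] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def bind(self, user, password):
        record = self._creds.get(user)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal which account names exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._derive(password, salt))


class VirtualDirectory:
    """Penrose-style front end: maps virtual DNs to backend accounts, forwards
    each bind to the native directory, and records every operation. It holds
    no passwords and no hashes, only the DN mapping and the audit log."""

    def __init__(self, backend, dn_to_account):
        self.backend = backend
        self.dn_to_account = dn_to_account
        self.audit_log = []          # one JSON line per operation

    def _audit(self, op, dn, outcome, **details):
        event = {"ts": round(time.time(), 3), "op": op, "dn": dn, "outcome": outcome}
        event.update(details)
        self.audit_log.append(json.dumps(event, sort_keys=True))

    def bind(self, dn, password):
        account = self.dn_to_account.get(dn)
        if account is None:
            self._audit("bind", dn, "failure", reason="unknown-dn")
            return False
        ok = self.backend.bind(account, password)
        # Only the outcome is logged; the password itself is never recorded.
        self._audit("bind", dn, "success" if ok else "failure",
                    backend="ad", account=account)
        return ok

    def events(self, op=None):
        """Parse the audit trail back into dicts, optionally for one operation."""
        parsed = [json.loads(line) for line in self.audit_log]
        return [e for e in parsed if op is None or e["op"] == op]

    def failed_binds(self, dn):
        """Count failed binds for a DN, the kind of question an auditor or a
        brute-force detector would ask of the log."""
        return sum(1 for e in self.events("bind")
                   if e["dn"] == dn and e["outcome"] == "failure")


if __name__ == "__main__":
    ad = NativeDirectory({"alice": "Wonderland!1"})
    dn = "uid=alice,ou=people,dc=example,dc=org"
    vd = VirtualDirectory(ad, {dn: "alice"})
    print(vd.bind(dn, "Wonderland!1"))   # True
    print(vd.bind(dn, "guess"))          # False
    print(*vd.audit_log, sep="\n")
```

The check a practitioner would add to such a deployment is the one the test makes explicit: after a round of binds, neither the audit log nor the proxy's state contains the password, and the per-DN failure count derived from the log is what feeds both compliance reporting and lockout or alerting rules.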