One person, one view


Sandia National Labs virtualizes its directories to get better control over identity management.

Who are you?

If your organization is typical, you could be listed several ways in its enterprise directories. You could be listed as Richard Smith, Dick Smith, RSmith or even dick.smith. And you probably have other identities, some current and others obsolete, floating around the enterprise where you work and access resources.

'There isn't any one authoritative source' for identity information, said Bill Claycomb, managing director of synchronization and account provisioning at Sandia National Laboratories.

This slows the task of provisioning access to networks, applications and other enterprisewide resources. It also complicates security: it becomes difficult to tell who has access and who doesn't, which accounts belong to whom, and whether accounts were terminated when a user left the organization or changed roles.

Ideally, there would be a single directory service to handle all requests for applications. But in the real world, political questions of resource ownership, difficult integration of products in a heterogeneous environment and histories of legacy development often mean applications have their own user information directories. So identities proliferate throughout the enterprise, sometimes in Microsoft Active Directory and other times in databases or other domains that do not work well with Lightweight Directory Access Protocol, the industry-standard protocol for accessing and updating directories.

Several years ago, Sandia began virtualizing its directories to help with account provisioning. The RadiantOne Virtual Directory from Radiant Logic brought user data from a variety of directories together into a common view.

'All of the info describes a single person,' one row per user from many sources, Claycomb said. 'It does for identity data what VMware does for the server,' said Dieter Schuller, Radiant Logic's vice president of business development. 'It creates unified directories from multiple back-end sources.'

Like most of the Energy Department's national laboratories, Sandia, established in 1949, is involved in nuclear weapons research, doing work in nuclear stockpile security and energy and infrastructure assurance. The lab is managed for Energy's National Nuclear Security Administration by Sandia Corp., a Lockheed Martin company, and has an annual budget of about $2.5 billion. It has facilities in Livermore, Calif., and Kauai, Hawaii, but most of its 8,500 full-time staff members are at its main facilities in Albuquerque, N.M.

'It is easily manageable,' Claycomb said of the Sandia network, but managing accounts and identities was more complex than it needed to be. 'For as long as I know, we have had an automated process' for provisioning accounts.

That process used a script that pulled data from a flat file in a custom database. 'That was not adequate because a lot of the information we needed was not in that database.'

One answer would be a consolidated directory, which Claycomb said Sandia is moving toward.

'Once that happens, it makes my job easier,' he said. 'It will reduce the number of sources that I have to touch.' But it will not provide all the information he needs because it will contain information only about people, not accounts.

A metadirectory, containing data from multiple directories, would also be useful. But creating one can be politically and technically tricky because it takes data out of the hands of the original owner and duplicates it, requiring constant updating to ensure accuracy.

A virtual directory, on the other hand, leaves the data where it is but presents unified and uniform views that can be accessed as needed.

'The data owners retain their control,' Schuller said. 'It is secured at the data-owner level, but it can be consolidated into different views so, in effect, what you have is an enterprisewide directory.'

RadiantOne uses proprietary algorithms to understand the different schemas in directories and databases, recognizing objects and their relations. It creates maps of the multiple back ends and establishes links to consolidate the data into a single, familiar view using Extensible Markup Language.

Government, financial services and telecommunications companies are the primary markets for virtual directories, Schuller said.

'Governments are large, fragmented and need to share information,' he said.

RadiantOne is a single piece of software running on a server that can provide multiple views. The number of servers required depends primarily on the throughput needed, which depends not so much on the number of entries in the directories as the number and frequency of people accessing them. Sandia is using a single RadiantOne server.

'We haven't stressed the system enough to need any server clustering,' Claycomb said.

Large or geographically dispersed organizations might need multiple servers, or an organization might want multiple servers for load balancing and failover.

RadiantOne can work with nearly any directory or database and works out of the box with the handful of products that make up 80 percent of commonly used directories, Schuller said. Some customization might be required for the remaining 20 percent of the installed base.

Some applications at Sandia that understand only LDAP require user information that is kept only in a SQL database, Claycomb said. With a virtual directory, the data can be presented to the application so it appears to be from an LDAP directory.

In addition to easing the job of provisioning accounts, a virtual directory can help protect sensitive personal information. As a research center, Sandia shares contact information with other DOE and non-DOE organizations, and exposing this data can raise security issues, Claycomb said.

Putting scrubbed data into an outside directory raises the problem of possible mistakes in copying and the need to keep it updated. But the virtual directory can be created to expose only data the owners deem appropriate.
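The two mechanisms the article describes, presenting SQL-resident person data to an LDAP-only application as directory entries and exposing only the attributes a data owner approves to an outside consumer, can be illustrated with a small read-through join. The code below is an added example written for this page, not Sandia's configuration or Radiant Logic's software; the HR table, the directory accounts, the attribute names and the `example.gov` naming are all constructed for the illustration.

```python
import sqlite3

# Constructed sample data (not real Sandia records): an LDAP-style directory
# holding accounts, and an HR table holding the authoritative person records.
AD_ACCOUNTS = [
    {"sAMAccountName": "rsmith",     "employeeID": "1001", "mail": "rsmith@example.gov"},
    {"sAMAccountName": "dick.smith", "employeeID": "1001", "mail": "dsmith@example.gov"},
    {"sAMAccountName": "jdoe",       "employeeID": "1002", "mail": "jdoe@example.gov"},
]

HR_ROWS = [
    # employee_id, given_name, surname, phone, badge_number, status
    ("1001", "Richard", "Smith", "+1-505-555-0101", "B-7781", "active"),
    ("1002", "Jane",    "Doe",   "+1-505-555-0102", "B-7782", "terminated"),
]

# Attributes the data owner has approved for the contact view shared with
# outside organizations: no badge numbers, no employment status.
EXTERNAL_CONTACT_VIEW = {"cn", "mail", "telephoneNumber"}


def load_hr_db():
    """Stand-in for the SQL source the LDAP-only application cannot read."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hr(employee_id TEXT PRIMARY KEY, given_name TEXT, "
        "surname TEXT, phone TEXT, badge_number TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO hr VALUES (?,?,?,?,?,?)", HR_ROWS)
    return conn


def build_virtual_entries(conn, accounts, base_dn="ou=people,dc=example,dc=gov"):
    """Join the SQL person table with directory accounts on employee ID and
    return one LDAP-shaped entry per person: the 'one row per user' view.
    Nothing is copied into a new store; the rows are read on each call."""
    entries = {}
    sql = "SELECT employee_id, given_name, surname, phone, badge_number, status FROM hr"
    for emp_id, given, surname, phone, badge, status in conn.execute(sql):
        entries[emp_id] = {
            "dn": f"employeeNumber={emp_id},{base_dn}",
            "objectClass": ["inetOrgPerson"],
            "employeeNumber": emp_id,
            "cn": f"{given} {surname}",
            "givenName": given,
            "sn": surname,
            "telephoneNumber": phone,
            "badgeNumber": badge,
            "employeeStatus": status,
            "uid": [],    # every account that belongs to this person
            "mail": [],
        }
    for acct in accounts:
        person = entries.get(acct["employeeID"])
        if person is None:
            continue      # account with no person record: not part of the person view
        person["uid"].append(acct["sAMAccountName"])
        person["mail"].append(acct["mail"])
    return list(entries.values())


def project_view(entries, allowed):
    """A second view over the same entries that exposes only approved attributes."""
    return [{"dn": e["dn"], **{k: v for k, v in e.items() if k in allowed}} for e in entries]


def to_ldif(entry):
    """Render one entry in LDIF, the shape an LDAP-only application expects."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines)


if __name__ == "__main__":
    conn = load_hr_db()
    for entry in project_view(build_virtual_entries(conn, AD_ACCOUNTS), EXTERNAL_CONTACT_VIEW):
        print(to_ldif(entry), end="\n\n")
```

The internal view keeps the badge number and employment status because the provisioning team needs them; the external view is built from the same entries with an allow-list, so a change in the HR table shows up in both without a copy that has to be re-scrubbed.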

Virtualizing directories can help administrators use multiple sources of identity data more effectively, but the virtual directory is only as good as the directories it relies on. And often, that is not very good.

'In most cases, the data is as dirty as a pig pen,' said Dieter Schuller, vice president of business development at Radiant Logic, which makes the RadiantOne Virtual Directory.

In addition to being accurate, identity data must be presented to the virtualizing engine in a way that lets it understand, for example, the relationship between Richard Smith and Dick Smith.

'The application is not difficult,' said Bill Claycomb, who uses RadiantOne as head of user account provisioning at Sandia National Laboratories. 'The tricky part is understanding how the data relate to each other.' The virtual directory can be made to look like any directory the user is familiar with, making it easy to use. 'But it was challenging to put the data together in the right way and to be sure that we were showing the data we wanted to show,' he said.

As with many other technologies, the virtual directory does not eliminate the need for work.

'There is no magic here,' Schuller said. Cleaning up the roles and identities in multiple data sources requires defining business rules to identify multiple presences in directories and establish correct links between multiple directories. And keeping the directories clean and up-to-date is not a one-time job but an ongoing process.
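The "business rules" Schuller refers to are the part no product supplies: which attribute counts as the authoritative match, what to fall back on when it is missing, and how to recognise that Dick Smith and Richard Smith are one presence. The code below is an added example of such rules and is not Sandia's or Radiant Logic's logic; the person and account records, the nickname table and the rule ordering are all constructed for the illustration. It also shows the two findings a provisioning team most wants out of the linked view: accounts that belong to nobody, and accounts still present for people who have left.

```python
import re

# Constructed sample (not real Sandia data): HR is the authority for people;
# accounts come from several sources and are spelled several ways.
PEOPLE = [
    {"employee_id": "1001", "given_name": "Richard", "surname": "Smith",
     "mail": "rsmith@example.gov", "status": "active"},
    {"employee_id": "1002", "given_name": "Jane", "surname": "Doe",
     "mail": "jdoe@example.gov", "status": "terminated"},
]

ACCOUNTS = [
    {"source": "ad",  "name": "rsmith",     "employee_id": "1001", "mail": "rsmith@example.gov"},
    {"source": "app", "name": "Dick Smith", "employee_id": None,   "mail": "RSmith@Example.gov"},
    {"source": "db",  "name": "dick.smith", "employee_id": None,   "mail": None},
    {"source": "ad",  "name": "jdoe",       "employee_id": "1002", "mail": "jdoe@example.gov"},
    {"source": "app", "name": "svc_backup", "employee_id": None,   "mail": None},
]

# Business rule: nicknames that collapse to a canonical given name.
NICKNAMES = {"dick": "richard", "rick": "richard", "bill": "william", "bob": "robert"}


def name_key(text):
    """Normalise 'Dick Smith', 'dick.smith' or 'Smith, Richard' to 'richard smith'."""
    parts = [p for p in re.split(r"[\s._,-]+", text.lower()) if p]
    if "," in text:                      # 'Smith, Richard': surname given first
        parts = parts[1:] + parts[:1]
    if len(parts) < 2:
        return None
    first, last = NICKNAMES.get(parts[0], parts[0]), parts[-1]
    return f"{first} {last}"


def link_accounts(people, accounts):
    """Apply correlation rules in order of confidence: employee ID, then e-mail,
    then normalised name. Returns (links, unmatched); links maps an account's
    index to (employee_id, rule that matched) so every link is explainable."""
    by_id = {p["employee_id"]: p for p in people}
    by_mail = {p["mail"].lower(): p for p in people}
    by_name = {name_key(f'{p["given_name"]} {p["surname"]}'): p for p in people}
    links, unmatched = {}, []
    for i, a in enumerate(accounts):
        mail = a["mail"].lower() if a["mail"] else None
        if a["employee_id"] in by_id:
            links[i] = (a["employee_id"], "employee_id")
        elif mail in by_mail:
            links[i] = (by_mail[mail]["employee_id"], "mail")
        elif name_key(a["name"]) in by_name:
            links[i] = (by_name[name_key(a["name"])]["employee_id"], "name")
        else:
            unmatched.append(i)
    return links, unmatched


def hygiene_findings(people, accounts, links, unmatched):
    """Orphan accounts (no person) and accounts lingering after a person left."""
    by_id = {p["employee_id"]: p for p in people}
    findings = []
    for i in unmatched:
        findings.append(("orphan-account", accounts[i]["source"], accounts[i]["name"]))
    for i, (emp_id, _rule) in links.items():
        if by_id[emp_id]["status"] != "active":
            findings.append(("account-for-terminated-person",
                             accounts[i]["source"], accounts[i]["name"]))
    return findings


if __name__ == "__main__":
    links, unmatched = link_accounts(PEOPLE, ACCOUNTS)
    for i, (emp_id, rule) in links.items():
        print(f"{ACCOUNTS[i]['source']}:{ACCOUNTS[i]['name']} -> {emp_id} via {rule}")
    for finding in hygiene_findings(PEOPLE, ACCOUNTS, links, unmatched):
        print(*finding)
```

Recording which rule produced each link matters in practice: a name-only match is the weakest evidence and is the one a reviewer should confirm before provisioning or deprovisioning acts on it, which is the ongoing clean-up work the article says the tool does not remove.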
