The foundation for security and enterprise management
Two weeks ago, I highlighted Bridgestream Vice President of Marketing Ed Zou talking about the need for business analysis to create the roles needed for role-based access control (RBAC). Then, last week, I added Eurekify founder Ron Rymon's thoughts on why role mining of your existing privilege infrastructure is important. Now you've seen both sides of the coin, which, as I mentioned last week, I'm willing to bet has more than two sides - many more.
Symlabs is in the virtual directory business and its Vice President Felix Gaehtgens was quick to point out to me that the technology of virtual directories could obviate - or at least lessen - the need for structuring roles. Not that the concept of roles is bad - any time we can group similar things together and treat them as a group or a class it's that much easier to accomplish a goal. But Gaehtgens likened the virtual directory (vis-à-vis a static datastore) to a relational database (vis-à-vis a flat file database).
Gaehtgens said: "Look at what views, triggers and stored procedures did to relational databases. Virtual directories do the same for directories, although it's been taking a while for many folks to appreciate that fact." I'm sure that's a sentiment that the folks at Radiant Logic, MaXware and Octetstring would also express.
Gaehtgens believes in the theory of roles, just not the current practice: "Whenever I hear people talking about RBAC, groups, roles, and how to use these tools to create a policy model for access in their organization, I sometimes think they are trying to fix a sophisticated piece of machinery with a hammer, instead of taking a screwdriver. Sure, you can do a lot of nice things with dynamic groups or roles. But then again, that really starts to creak as your directory grows." It is true that scalability is sometimes overlooked when we're planning an identity management project. What works in the lab and on the testbed may not perform as well when it's rolled out to the enterprise.
There is a certain flexibility offered by a virtual directory that a static datastore cannot offer. On the other hand, there's a certain stability to a datastore constructed on a robust relational database. You need to establish your own priorities - but be sure to do that first. Then you can pick the tools that best meet your needs. Maybe it's a hammer, maybe it's a screwdriver - just be sure you know the difference.
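To make the two approaches concrete, here is a small model written for this column (it is not Symlabs', Bridgestream's or Eurekify's code, and the HR records, directory entries and role rules in it are constructed). A static role is a stored member list that provisioning has to keep current; a virtual-directory role is a rule evaluated at query time over a view joined from two backends, the way a relational view is computed from base tables rather than stored. The model also shows the trade-off Gaehtgens raises: a point check against one entry is cheap, but enumerating a dynamic group means scanning every entry, and that cost grows with the directory.

```python
"""Toy model: a virtual directory view with rule-based roles versus a static role store.

Constructed example data only; not the column's or any vendor's code.
"""
from typing import Callable, Dict, Optional, Set

Entry = Dict[str, str]

# Constructed backend 1: an HR system of record, keyed by user id.
HR_DB: Dict[str, Entry] = {
    "alice": {"department": "finance", "title": "controller", "status": "active"},
    "bob": {"department": "engineering", "title": "sre", "status": "active"},
    "carol": {"department": "finance", "title": "analyst", "status": "terminated"},
}

# Constructed backend 2: an LDAP-style directory holding contact attributes.
LDAP_DIR: Dict[str, Entry] = {
    "alice": {"mail": "alice@example.test"},
    "bob": {"mail": "bob@example.test"},
    "carol": {"mail": "carol@example.test"},
}

# Static approach: membership is a stored list that provisioning must maintain.
# "carol" was never removed after leaving, the classic stale-entitlement problem.
STATIC_ROLES: Dict[str, Set[str]] = {
    "finance-approver": {"alice", "carol"},
    "oncall-sre": {"bob"},
}

# Virtual-directory approach: a role is a rule over the joined view, evaluated
# when asked, so there is no member list to drift out of date.
ROLE_RULES: Dict[str, Callable[[Entry], bool]] = {
    "finance-approver": lambda e: (
        e["department"] == "finance"
        and e["title"] == "controller"
        and e["status"] == "active"
    ),
    "oncall-sre": lambda e: (
        e["department"] == "engineering"
        and e["title"] == "sre"
        and e["status"] == "active"
    ),
}


def virtual_entry(uid: str) -> Optional[Entry]:
    """Join the two backends into one logical entry; None if HR does not know the user."""
    hr = HR_DB.get(uid)
    if hr is None:
        return None
    merged = dict(hr)
    merged.update(LDAP_DIR.get(uid, {}))
    merged["uid"] = uid
    return merged


def is_member(role: str, uid: str) -> bool:
    """Point check: evaluates the rule against a single joined entry (cheap)."""
    entry = virtual_entry(uid)
    return entry is not None and ROLE_RULES[role](entry)


def dynamic_members(role: str) -> Set[str]:
    """Enumerate a dynamic role by scanning every entry.

    This is the cost behind "starts to creak as your directory grows": with no
    stored member list, listing the group re-evaluates the rule for all entries.
    """
    return {uid for uid in HR_DB if is_member(role, uid)}


def stale_static_members(role: str) -> Set[str]:
    """Static members the rule no longer justifies: what an access review should flag."""
    return STATIC_ROLES[role] - dynamic_members(role)


if __name__ == "__main__":
    for role in ROLE_RULES:
        print(role, "dynamic:", sorted(dynamic_members(role)),
              "stale static:", sorted(stale_static_members(role)))
```

Run as a script it prints, per role, the members the rule currently yields and the stored members the rule no longer supports; the latter is the reconciliation a role-mining or attestation exercise would surface.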
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.