Tuesday, July 15, 2008

James' unanswered questions...

James McGovern has some unanswered questions on the debate around directories that I thought I'd at least try to answer...

If pretty much every Fortune 500 enterprise (acknowledging that Sun is the standout oddball) has Active Directory, why should any of them consider yet another product? Why shouldn't they simply wait for Microsoft to include virtualization support in Active Directory? Please, no responses that are "tactical" in nature or that attack Microsoft because they never get it right the first time.

I agree. Why should they? It's obvious - at least to me, and I am pretty sure to a lot of other folks out there - that identity management has evolved beyond directory synchronization and metadirectory to include the concept of virtual directories and all of what that means. Is there ever an ideal product? Sure, for a period in time. But times change. If Microsoft isn't thinking about how to solve this problem, I would be surprised - oh, and let's not forget that a possible solution is to do nothing.

Are the current provisioning products somehow deficient when it comes to modern identity, as they tend to focus solely on central sources of data while user-centric approaches require more in the way of self-provisioning?

Yes, absolutely.

When should virtual directory technology be a standalone product vs. when should the capability be just another component in another product? For example, shouldn't an XACML Policy Engine or a Security Token Service just be able to read a variety of data sources without necessarily creating another layer/hop from a networking perspective?

Yes, absolutely. I think the industry will move away from a technology solution to a product solution over time. Given the "buzz" about this I am sure we will see this happen in the near-term. I certainly do not want to sell a virtual directory "product" but I do see how adding that capability to various Quest products would solve some very interesting business problems that our customers have.
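To make the "capability, not another hop" point concrete, here is an added example written for this page (it is not Quest's product, the author's code, or any vendor's API). It builds a small in-process virtual directory that joins attributes from two constructed backends, an AD-style directory and an HR table keyed on the same login, and feeds the merged view straight into a policy decision. The backend names, the sample entries, the group and cost-center values and the approval limit are all assumptions for the illustration. It also shows one edge case a practitioner cares about: an identity still present in a secondary source but gone from the authoritative one is treated as unknown.

```python
"""Added example: an in-process virtual directory feeding a policy check.
Not from the original post; all data below is constructed."""

from typing import Dict, List, Optional

# Constructed sample entries standing in for an AD-style LDAP directory
# (hypothetical DNs and groups, not taken from the post).
LDAP_ENTRIES: Dict[str, Dict[str, object]] = {
    "alice": {
        "dn": "CN=alice,OU=Users,DC=example,DC=com",
        "memberOf": ["CN=finance,OU=Groups,DC=example,DC=com"],
        "mail": "alice@example.com",
    },
    "bob": {
        "dn": "CN=bob,OU=Users,DC=example,DC=com",
        "memberOf": ["CN=engineering,OU=Groups,DC=example,DC=com"],
        "mail": "bob@example.com",
    },
}

# Constructed sample rows standing in for an HR database table.
# "carol" exists only here: a stale HR row with no directory account.
HR_ROWS: List[Dict[str, str]] = [
    {"login": "alice", "cost_center": "FIN-100", "status": "active"},
    {"login": "bob", "cost_center": "ENG-200", "status": "terminated"},
    {"login": "carol", "cost_center": "FIN-100", "status": "active"},
]


class LdapBackend:
    """Adapter over the directory; exposes attributes under common names."""

    def lookup(self, login: str) -> Optional[Dict[str, object]]:
        entry = LDAP_ENTRIES.get(login)
        if entry is None:
            return None
        # Reduce memberOf DNs to plain group names so policy never parses DNs.
        groups = [dn.split(",")[0].split("=", 1)[1] for dn in entry["memberOf"]]
        return {"email": entry["mail"], "groups": groups}


class HrBackend:
    """Adapter over the HR table, keyed on the same login as the directory."""

    def lookup(self, login: str) -> Optional[Dict[str, object]]:
        for row in HR_ROWS:
            if row["login"] == login:
                return {"cost_center": row["cost_center"], "status": row["status"]}
        return None


class VirtualDirectory:
    """Joins backends in-process: one identity view, no extra network hop.

    The first backend is authoritative for existence; the others only add
    attributes. A login missing from the authoritative source is unknown
    even if a secondary source still lists it (a classic deprovisioning gap).
    """

    def __init__(self, authoritative, *others) -> None:
        self._authoritative = authoritative
        self._others = others

    def get(self, login: str) -> Optional[Dict[str, object]]:
        merged = self._authoritative.lookup(login)
        if merged is None:
            return None
        for backend in self._others:
            extra = backend.lookup(login) or {}
            for key, value in extra.items():
                # A secondary source never overwrites an authoritative value.
                merged.setdefault(key, value)
        return merged


def build_vdir() -> VirtualDirectory:
    return VirtualDirectory(LdapBackend(), HrBackend())


def can_approve_invoice(vdir: VirtualDirectory, login: str, amount: int) -> bool:
    """Policy check needing attributes from both sources: group membership
    from the directory, employment status from HR. Denies by default."""
    attrs = vdir.get(login)
    if attrs is None:
        return False
    if attrs.get("status") != "active":
        return False
    if "finance" not in attrs.get("groups", []):
        return False
    return amount <= 10_000  # assumed approval limit for the example


if __name__ == "__main__":
    vd = build_vdir()
    for who, amt in (("alice", 5_000), ("alice", 50_000), ("bob", 100), ("carol", 1)):
        print(who, amt, can_approve_invoice(vd, who, amt))
```

The point of the layout is that the policy function calls `VirtualDirectory.get` as a local function; the join, the attribute renaming and the "which source is authoritative" rule live in the same process as the decision, which is exactly what an XACML engine or STS would want from an embedded capability rather than a separately deployed server.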

The ideal situation says that a software company should be able to write a directory-enabled application without requiring virtual directories, but reality is a little different. Wouldn't the thought leaders in this space, without resorting to tactical responses, agree that instead of pushing products/tools in this space we have to help others understand the <> so that this problem goes away? Even products by companies with really smart individuals such as EMC still get this wrong. Does Oracle have any thoughts on helping people avoid virtual directory by writing better directory-enabled applications, or is it better to bury one's head in the sand, ignore the problem of others and simply respond with point solutions?

James, you are right. Software companies need to do a better job when they write directory-enabled applications, but it is a long road. The average application developer still needs to do a better job managing identity, authentication and authorization. We still have a long way to go, unfortunately.

CARML may be an answer, but how come no one other than Oracle even understands the problem? You will note that none of the industry analysts, including Redmonk, Burton Group, Gartner or other firms, have even published one sentence on the value proposition of CARML in an enterprise setting. Have you heard Mike Jones, Curt Devlin, Pat Patterson or other folks from Microsoft, Sun, CA, IBM and so on talk about it?

What's CARML? Can someone explain it to me? Certainly, until Gartner says it's important I won't be thinking about it... ;)


1 comment:

Matt Pollicove said...

James McGovern was kind enough to reference your posting on my blog, and I wrote up some comments. Feel free to explore and let us know what you think.


Take care,