Thursday, November 19, 2009

Not much has changed on the directory front - until now!

Dave Kearns over at Network World just published a story stating that "Not much has changed on the directory front". When I first read the headline I knew I wanted to agree - and blog my views on his comments. However, just as I was getting ready to write this a significant change event on the directory front happened. John Fontana - also of Network World - reported from the Microsoft PDC that "Microsoft touts groundbreaking 'clip-on' for Active Directory". So let's discuss Dave's story first:

"Not much has changed on the directory front"
As I said, I couldn't agree more. In 1996, if my memory is correct, Netscape released their LDAP-based directory server. It effectively killed the X.500 directory and also resulted in the ultimate demise of X.400 for messaging. Over the next few years we saw the launch of the meta-directory by Zoomit and then, in 2000, the launch of Active Directory by Microsoft. Aside from virtual directories gaining more momentum I would say that since Active Directory there have been no major advances on the directory front. Netscape started things off but Microsoft crossed the finish line and now has the most deployed LDAP-based directory in the world.

I agree with Dave that nothing much has really changed - until now...

"Microsoft touts groundbreaking 'clip-on' for Active Directory"
Kim Cameron at Microsoft discussed Next Generation Active Directory (NGAD) at the Professional Developers Conference this week. NGAD has been described as "a modular add-on that is built on a database and designed to add querying capabilities and performance never before possible in a directory". Hopefully, the term "clip-on" is not equivalent to "clippie"!
NGAD, however, is not a replacement for Active Directory but a "clip-on" that provides developers a single programming API for building access controls into applications that can run either internally, on devices or on Microsoft's Azure cloud operating system. Users will not have to alter their existing directories but will have to option to replicate data to NGAD instances. NGAD stores directory data in an SQL-based database and utilizes its table structure and query capabilities to express claims about users such as "I am over 21" or "Henry is my manager." To ensure security, each claim is signed by an issuing source, such as a company, and the signatures stay with the claim no matter where it is stored.

"You can answer questions in your directory that are currently impossible to even ask," says Kim Cameron, identity architect at Microsoft. "You can find out who had access to a file last September." He says NGAD is a reshaping of the programming model for Active Directory.

In addition, the directory design means multitudes of new cloud or other applications won't be hammering the central Active Directory architecture with lookup requests and administrators don't have to perform often tricky updates to directory schema to support those new applications.
Of course, extrapolating features, functionality and benefits at this point is difficult but you can see how NGAD could change our views of auditing, compliance, security and (NGAD)directory-enabled programming including cloud-based identity and identity as a service. I'm also betting that NGAD will be a significant enabler of the externalization of a distributed authorization infrastructure just as Active Diretory has been an enabler of a distributed authentication infrastructure.

I believe NGAD has the potential to be a big change or even an inflection point for the industry and customers. I'm sure we'll be seeing much more discussion about NGAD.

Technorati Tags:
, , , ,


Dave Kearns said...

NFAD was announced, unfortunately, right after I filed that copy. But it will get a mention soon!

Dave Kearns said...

That's NGAD, of course!