Jeff Anderson – Fifth Third Bank
Came into session a bit late…
Challenges:
- Regulatory issues: Sarbox (Sarbanes-Oxley), etc.
- Financial services specific issues: Patriot Act, Financial Modernization Act
- Identity silos are more than just the enterprise directory and AD. A silo, for me, is every place that provides identity services (databases, applications, etc.). This also includes third-party services.
Solution overview:
- IDM stack that we deployed: at the top are the applications themselves; perhaps they are silos themselves, but they need to access others. Below that is the application access layer (SOA, directory connectors, etc.). Below that is the enterprise directory (LDAP) and the virtual directory. Below that is the provisioning system.
- Enterprise directory is Sun; virtual directory is Radiant.
- Directory hardware: Sun hardware on E25Ks. Since it is virtual, we don't need to specify that this is the only source.
- Each of the three tier 1 data centers has an instance of this Sun hardware.
- Virtual directory services sit on the same hardware as the LDAP store.
- Virtual directory overview: at the top is the virtual directory engine (core). Below that you have RDBMS connectors to application directories and databases.
- What it means to us: the virtual directory allows us to abstract the data. This allows the applications to ask one place for data without needing to understand the back end. 4 use cases:
- Directory joins – virtual directories can join two objects into one logical entry
- Protocol masking / external joins – two examples to discuss later. This has more to do with what happens when the back end system isn't a directory but we want to use it like a directory.
- Schema transformation – legacy systems have naming inconsistencies. The virtual directory allows us to make them consistent.
- External data masking – when dealing with security controls we can access systems without fine-grained access control by letting the virtual directory enforce what you are able to see.
Synchronization vs. Virtualization
- Synchronize when the source of authority is unstable, unresponsive, etc.
- Virtualize everything else.
Whether you move the data or access it in place matters less than choosing a product that lets you switch between the two when you need to. What happens when the back end directory changes? These are important questions to ask your vendor.
What did we do at the bank?
Identity management programs were selected to be early users of the virtual system; B2B single sign-on was the first.
Big diagram of the transaction; download the slides to see it in detail.
ClearTrust was deployed prior to the identity management effort and became the first customer of the identity service.
Why not just move the data? Why deploy a virtual directory?
Three reasons:
- Time – a lot has to change to move an identity store
- Cost – startup costs are high
- Regulatory controls – if you leave the data in the system you have now, it has already gone through the controls. If you move the data, you have renewed requirements for audit. If you pass audit now, leave the data where it is and save yourself the cost.
When you deploy a directory you'll define the view: this is the data store, this is how you access it, these are the access rules, etc. Four things happen: a bind request comes from SSO; the virtual directory searches the entitlements to see if it is a valid user; it searches for the requested user; it binds as the user, checking the credentials.
ClearTrust for cross-silo authentication is made easier by the virtual directory. E.g. using WebSphere for J2EE apps, you need to secure the app, and the app is secured through ClearTrust. The challenge is when the employees don't exist in the external directory store. WebSphere doesn't let you split what you do for console logins vs. anything else.
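A toy model of the four-step bind flow and of three of the use cases above (directory join, schema transformation, external data masking), written as an added example for these notes; it is not Fifth Third's or Radiant's code. The LDAP store, the legacy application table, the attribute names and the user records are all constructed here.

```python
import hashlib, hmac

def pw_hash(salt: bytes, password: str) -> bytes:
    """Password verifier (PBKDF2) so the sample back end never stores clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample silos: an LDAP-style store and a legacy application table
# that uses its own attribute names and carries a sensitive column.
LDAP_STORE = {
    "alice": {"uid": "alice", "cn": "Alice Liddell", "mail": "alice@example.com"},
    "bob":   {"uid": "bob",   "cn": "Bob Stone",     "mail": "bob@example.com"},
}
APP_DB = {  # RDBMS rows keyed by 'login'; the virtual directory joins them on uid
    "alice": {"login": "alice", "sso_ok": 1, "ssn": "000-00-0001", "salt": b"s1", "pw": pw_hash(b"s1", "Wonderland!")},
    "bob":   {"login": "bob",   "sso_ok": 0, "ssn": "000-00-0002", "salt": b"s2", "pw": pw_hash(b"s2", "Granite#9")},
    "dave":  {"login": "dave",  "sso_ok": 1, "ssn": "000-00-0003", "salt": b"s3", "pw": pw_hash(b"s3", "x")},
}
SCHEMA_MAP = {"login": "uid", "sso_ok": "ssoEntitled"}  # schema transformation
MASKED = {"ssn", "salt", "pw"}                          # external data masking

def virtual_search(uid):
    """Directory join: one logical entry built from both silos, renamed and masked."""
    ldap, row = LDAP_STORE.get(uid), APP_DB.get(uid)
    if ldap is None or row is None:
        return None
    entry = dict(ldap)
    entry.update({SCHEMA_MAP.get(k, k): v for k, v in row.items() if k not in MASKED})
    return entry

def virtual_bind(uid, password):
    """Bind as the user: the credential check stays in the engine, against the back end."""
    row = APP_DB.get(uid)
    return row is not None and hmac.compare_digest(pw_hash(row["salt"], password), row["pw"])

def sso_authenticate(uid, password):
    """The four-step flow the notes describe, as the SSO layer sees it."""
    # 1. bind request arrives from SSO (this call)
    # 2. entitlement search against the application silo: is this a valid SSO user?
    if uid not in {u for u, r in APP_DB.items() if r["sso_ok"] == 1}:
        return False, "not entitled"
    # 3. search for the requested user through the joined virtual view
    if virtual_search(uid) is None:
        return False, "unknown user"
    # 4. bind as the user to verify the credential
    return (True, "ok") if virtual_bind(uid, password) else (False, "bad credentials")
```

Note that the application (the SSO layer) never sees the masked columns, and an entitled user missing from one silo fails at step 3 rather than at the credential check.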
Lessons learned:
- Virtualizing the identity so it stays where the data resides is a powerful tool that avoids regulatory issues. Any approved data source can be used for SSO, for example.
- Remove application sequencing dependencies: since you don't need to move identity stores, the identity work is separate from the application work. No mid-silo applications that need to change at the same time; the schedules of different apps can be decoupled.
- Real-time access instead of synchronization is possible with low overhead. No large hit in access times.
Technorati Tags: Digital ID World, identity