Identity management is the bane of IT administrators' existence if they're presiding over heterogeneous Windows and Linux environments. The hang-up arrives when they attempt to sync Linux boxes with Active Directory, or try to manage those servers from a central point.
Sun Microsystems' Linux and ID management guru Terry Sigle will speak later this week at the LinuxWorld Open Solutions Summit on the topic of identity management in Linux environments, but first he spoke with SearchOpenSource.com in this exclusive interview.
Why is ID management such a hot topic now, especially with Linux?
Sigle: The adoption of Linux in the data center over the past five years has gotten to the point where users have the applications in place but are having issues bringing the IDs of all those users together at one point. This is the case when you are talking about provisioning or access management. In the telecom space, where I worked before Sun, the huge push is with people consolidating users across all business levels and product sets across all operating systems. That means Linux, Solaris or Windows. Why ID management is especially important with Linux is because Linux has had the highest adoption rate of them all in the enterprise.
Where are the pain points for Linux and ID management today?
Sigle: ID management as a whole is a pain point for IT administrators. More specifically, the big pain point is provisioning identity across applications. I think one of the biggest issues with the enterprise is the software compliance issue. Companies need to provide audits, and prove that Employee A in accounts payable has an SAP account as well as access to a Unix account. Right there that's two completely different systems, but the ID is tied to both of them. On top of that, you need to be able to say whether that SAP platform is running on Unix or Linux or Windows, and whether or not that account is tied together with other IDs using Active Directory.
In a recent SearchOpenSource.com article on syncing Linux servers with AD, users told us that using Sun NIS was a "big no-no" in terms of Sarbanes-Oxley compliance. What have you heard on this?
Sigle: Many of those users are today moving from [Network Information Service] to LDAP. This is because with LDAP you get native security built into it, like SSL. A customer I visited just last week, a large telecom, had 20 different NIS domains, and they were planning on consolidating those into one infrastructure. They were putting those all into LDAP, centralized LDAP. Their domains will all still have multiple domain names but will instead be centralized into an LDAP tree.
Preview what you're going to be doing at LinuxWorld and why IT managers might want to attend.
Sigle: Basically it will be [about] identity management and access management options in the open source space conducted in a panel format with Gianluca Brigandi, Founder and System Architect of the JOSSO Project, and Anthony Nadalin from IBM. We will cover enterprise-to-customer relationships, business-to-business relationships, and so on in the ID space. Eventually, the conversation will end with a slide that I call the alphabet soup. It will list all the current identity standards like OpenSSO, JOSSO, OpenID -- all the buzzwords.
Could you provide a little perspective on some of these standards, like Sun's OpenSSO for example?
Sigle: Sun has been an industry leader with Directory Server, all the way back from the Netscape days. Many enterprises and many telecoms in the market run Directory Server for their customers, and many large telecoms run millions of identities in Directory Server. About a year ago, Sun architected a new Directory Server with all those aforementioned standards in mind. Sun then donated the code to the open source community. At some point in time, the plan is for Sun to take a snapshot of the open code, wrap support around it, and that will most likely be the next version of a directory server we support as a company. That's one to two years away, however. For now with OpenSSO, we took [Directory Server] and its access management capabilities and basically released all the source code. Going forward it will be the same scenario as Directory Server: we'll release a commercial snapshot of OpenSSO in the future.
Has there been any user confusion regarding the number of standards?
Sigle: In the past I worked with telecom customers and I heard that complaint all the time. Customers wanted to know how all these standards were going to talk to one another. Even if we delve into one of the collaborative efforts like the Liberty Alliance [which comprises Sun Java System Access Manager, OpenSSO, Lasso (Liberty single sign-on) and HP Select Federation], there are different phases and specs. There's a bunch of stuff in there, and a lot of these standards drive toward the same goal. Recently we have started to get clarity with standards like the Security Assertion Markup Language from OASIS, which has risen to the top. But customers are still asking when to use one over the other. When you are talking standards, there is no real company that is trying to appease all the standards at once.