onsdag 29 januari 2014

Tackling some traditional IdM use-cases with OpenIDM

Although OpenIDM is built for consumer facing identity management as part of the ForgeRock Identity Relationship Management Stack, it provides a number of typical capabilities that traditional enterprises can use to tackle some of their problems. Since many of our customers are investigating options to their Sun Identity Manager environment, I thought it would be helpful to describe the use-cases with this in mind.

Lets look at four typical use-cases, a Sun Identity Manager customer might have deployed and discuss how OpenIDM matches up.

1.) Orphan account detection
Sun IdM provides a reconciliation engine allowing customers with XPRESS rules to define correlations between target resource accounts and the virtual identity in Sun IdM. The reconciliations runs per resource, compares and produces situations on whether accounts are matched, unmatched, not known etc.

OpenIDM offers a similar reconciliation engine allowing these correlation rules to be migrated from XPRESS to JavaScripts. The reconciliation results are similar to what Sun IdM offers and also exposes the capability of invoking custom reactions to a discovered situation such as running a script or invoking a BPMN 2.0 workflow. The reconciliation similar to Sun IdM also provides the necessary information needed to produce reports such as orphan accounts reports.

A key differentiator from traditional IdM vendors, is that OpenIDM is made for the consumer facing world where scale and performance is critical.

2.) Authoritative Source driven provisioning
Sun IdM provides the mechanism of ActiveSync, where certain connectors or resource adapters are extended with the capability of reacting to near real-time (via scheduled polling).

The ActiveSync process then discovers CREATE, UPDATE or DELETE situations on resource accounts and three different workflows parses a set of forms (typically referred to as ActiveSync forms) to manage the attribute transformations and identity data flow.

OpenIDM offers a similar capability and also leverages the same set of connectors as Sun IdM. In the world of OpenIDM this capability is referred to as LiveSync. The LiveSync process is typically a scheduled process running as a background process and instead of UserForms and XPRESS to define the transformations, these are specified in mappings describing the flow from one system to another. The LiveSync life-cycle offers a number of hooks that allows you to specify actions such as running custom scripts or invoking workflow offering the same flexibility and capabilities as Sun IdM.

3.) Password Management
A typical quick-win and low hanging fruit with Sun IdM was that once resource adapters or connectors were configured, the password management aspect came with the setup. Sun IdM allows you to specify governing password policy according to company requirements and enforce them during password resets. Sun IdM also allowed to intercept passwords on Active Directory by deploying a special plugin on the AD domain controllers. Self Service capabilities to reset passwords was by default managed using challenge/response questions that could either be specified by administrator or self-defined, or a combination of the two.

OpenIDM provides equal functionality to manage passwords, specify policies using flexible regular expressions in JavaScript rules, to reset and change passwords accordingly and to leverage challenge questions to do self-service resets. OpenIDM also provides a plugin for AD to intercept passwords and allow them to be synchronized as well as a plugin for OpenDJ to expose the same capability there.

4.) Self Service requests
Sun IdM allows you to quickly and easily expose custom workflows that can interact with the virtual identity and the underlying integrated resources to do attribute updates or to provision new accounts etc. OpenIDM exposes the same capability but instead of using a proprietary workflow definition language, leverage the industry standard BPMN 2.0 to specify workflows.

So despite OpenIDM really is targeting a different market segment with its consumer facing approach which includes focus on scalability, some of the typical and traditional use-cases often found within Enterprises can be addressed. OpenIDM also provides the ideal platform to extend your Enterprise to the Cloud, where user provisioning and administration with ease can bridge that gap. Further more does OpenIDM also give you the opportunity to expose Identity Management services via the common RESTful API that exposes all capabilities in the product.

fredag 24 januari 2014

How Open Source Software can impact your Business

The holidays are over and, no matter what Santa brought us for Christmas, it’s time again to shift focus, back to the world of Digital Identity. ForgeRock is a unique player in the Identity and Access Management space, given our Open Source nature and our ability to deliver a comprehensive software stack to solve IAM related business problems.

As we all know by now, open source software has a number of great advantages over proprietary software and I thought I would revisit some of these in this post.

While no software can claim perfection, many recent studies provide a clear indication that if the source code is open for more people to inspect, vulnerabilities and bugs are more likely to be discovered and fixed.

Proprietary software vendors force their customers to accept whatever security their software has, and the pace at which patches and updates are released. In an open source software model, customers have the option of fixing problems themselves or narrowing down the problem and raising the issue to the community for a fix. With closed source software, as a customer, you simply have no idea what surprises the code might have for you.

While working in the field, deploying Identity Management solutions at customers, I often cursed  the fact that I never had access to the source code - so I could never make minor tweaks, such as adding or altering the behavior of an integration to a target resource.

One of the true advantages of open source software is that business users can pick up any piece of software, modify it to fit their needs and be done with it. Doing that with proprietary software is infinitely more difficult. Often, tricks such as decompiling with JAD must be used, which might be a violation of the license agreement but are sometime necessary just to get the job done.  

Despite the saying “Too many cooks spoil the broth”, there is research indicating that open source software (up to 1,000,000 lines of code) has a higher level of quality, largely due to the transparency and openness of the source code. More qualified developers can scrutinize the code and bug fixes are addressed quicker in a distributed collaboration. In this context, I can mention that ForgeRock OpenIDM has 247,163 lines of code, as of this writing.

Selecting open source software is often a conscious decision for a business to liberate itself from the effects of a traditional proprietary vendor’s “lock-in” strategy. Open source software provides its users greater control, better interoperability and access to a, hopefully, thriving community of skilled developers who are well versed in the solution’s source code.

Another important aspect is the ability to take a project forward independently. Consider what happened when Sun Microsystems was acquired by Oracle, who already had an extensive Identity and Access Management stack with significant investments. Oracle made the decision to render many of the open source projects “non-strategic” going forward, essentially allowing the projects to die, but providing others with the freedom to pick these projects up and continue. In this way, open source provides some kind of insurance regarding the longevity of a project.

Flexibility and Interoperability
The ability to make changes to the source code, and the fact that many open source projects are less resource-intensive and do not follow traditional proprietary vendor upgrade schemes, allows you to be more flexible and agile. Many open source projects also take great pride in following standards, which enables greater interoperability with other components. In the time of cloud computing, interoperability has become a critical must have.

It is easy to advocate the benefits of open source software but to all good things there is a flip side and some principal risks. Open source software is often easy to adopt, with a “try before buy” philosophy. This practice can lead to unmanaged software assets, which can introduce technical and potentially legal challenges (such as intellectual property management, audit compliance and security). The community is critical to realising the benefits of open source software. Other questions you need to ask are pertain to the type of open source software license that is used? Is it a viral GPL or a more business-friendly CDDL?

The barrier to entry to any open source software is low and it is important to recognize that this low barrier, combined with the challenges outlined above, can result in high risk at a high cost. The way to mitigate this risk is, of course, to ensure that there is proper insurance in the form of a vendor backing the software. If you decide, for example, to “build it yourself”, assign a set of engineers and maintain the software yourself, be aware that the cost of maintenance increases over time. Even if the initial entry cost is low in terms of staffing, this cost will increase and there is always the risk of competent skills fleeing the company.

The potential risks aside, when open source software is managed properly, the results are cost optimization, flexibility and innovation, which should be on the mind of all CIOs.