Our IDM product line is based on data synchronization technology. From time to time I come across requests for virtualization in identity management projects, for various reasons. Some of them hold up; others don't and fall after only a short investigation. Read on to learn about some of the misconceptions that exist out there regarding synchronization versus virtualization.

I went out and did some research on what the general understanding of a virtual directory and a metadirectory is. I found a Wikipedia article very interesting, actually interesting enough to make changes to it. The article originally stated:
When compared against most metadirectory technologies, virtual directory implementations typically offer several advantages:
- a simpler administration model,
- better reaction times against changes as the data is read directly from the source,
- better adoption in the Corporate IT politics as the ownership of data is not changed,
- better match for environments where the bulk transfer of changes is inappropriate.
When I read that I thought this is seriously wrong. I made the following changes:
When compared against metadirectory technologies, virtual directory implementations offer potential advantages and suffer from certain disadvantages:
- In certain political climates it may be preferable not to synchronize data to a central identity vault. In all other cases, however, synchronization offers unique advantages (some of which are listed under disadvantages below).
- Better match for environments where the bulk transfer of changes is inappropriate. An example might be transactional systems which hold information about a lot of transactions, but only summaries or only the last couple of transactions should actually be retrieved through the directory service.
- Potentially better reaction times against changes in low load/request environments, as the data is read directly from the source. This advantage may quickly turn into a huge disadvantage in heavy load/request scenarios, when all the backend systems are put under heavy load.
- All data is always available as long as the central identity vault is available. In a virtual directory implementation, some of the delegated data sources may not be available, and requests may return no data or only incomplete data.
- A central identity vault is usually more easily made highly available and fault-tolerant than a conglomeration of separate data stores.
- In heavy load/request environments the identity vault absorbs all client requests, thus protecting the backend systems from having to handle the whole load.
- Using close-to-realtime synchronization technologies offers comparable performance even in a heavy load/request environment.
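The three points that do the most work in the list above are partial answers when a delegated source is down, backend load under many client requests, and freshness of changes. The following toy model, added here as an illustration and not code from the original post or from any NetIQ product, makes each one concrete. A virtual directory fans every query out to its backends and merges what comes back; an identity vault reads each backend once in bulk, applies later changes as events, and answers queries from its own copy. The class and attribute names, the two backends ("HR" and "AD") and the sample record for `jdoe` are all constructed for this example.

```python
# Toy model of the trade-offs listed above: a virtual directory that fans
# every query out to its backends versus an identity vault that
# synchronizes once and serves queries from its own copy.
# Constructed example; names, attributes and records are not product code.
from dataclasses import dataclass, field


@dataclass
class Backend:
    """An authoritative source system (e.g. an HR database or AD domain)."""
    name: str
    records: dict = field(default_factory=dict)   # uid -> attributes
    available: bool = True
    requests: int = 0                              # load this backend has seen

    def lookup(self, uid):
        self.requests += 1
        if not self.available:
            raise ConnectionError(f"{self.name} unavailable")
        return dict(self.records.get(uid, {}))

    def export(self):
        """Bulk read used by the synchronizer: one request per sync."""
        self.requests += 1
        if not self.available:
            raise ConnectionError(f"{self.name} unavailable")
        return {uid: dict(attrs) for uid, attrs in self.records.items()}


class VirtualDirectory:
    """Holds no data: each query is answered live from every backend."""

    def __init__(self, backends):
        self.backends = backends

    def lookup(self, uid):
        merged, unavailable = {}, []
        for backend in self.backends:
            try:
                merged.update(backend.lookup(uid))
            except ConnectionError:
                unavailable.append(backend.name)  # answer is partial, not failed
        return merged, unavailable


class IdentityVault:
    """Synchronized copy: backends are read once, client queries never reach them."""

    def __init__(self, backends):
        self.store = {}
        for backend in backends:
            for uid, attrs in backend.export().items():
                self.store.setdefault(uid, {}).update(attrs)

    def apply_change(self, uid, attrs):
        """Change event pushed by a source (close-to-realtime sync)."""
        self.store.setdefault(uid, {}).update(attrs)

    def lookup(self, uid):
        return dict(self.store.get(uid, {})), []


def make_backends():
    hr = Backend("HR", {"jdoe": {"cn": "Jane Doe", "dept": "Finance"}})
    ad = Backend("AD", {"jdoe": {"mail": "jdoe@example.com", "memberOf": ["finance"]}})
    return hr, ad


def outage_scenario():
    """AD goes down after the vault has synchronized; compare the two answers."""
    hr, ad = make_backends()
    vd, vault = VirtualDirectory([hr, ad]), IdentityVault([hr, ad])
    ad.available = False
    return vd.lookup("jdoe"), vault.lookup("jdoe")


def load_scenario(queries=1000):
    """Backend requests caused by the same client load in each design."""
    hr, ad = make_backends()
    vd = VirtualDirectory([hr, ad])
    for _ in range(queries):
        vd.lookup("jdoe")
    vd_backend_load = hr.requests + ad.requests

    hr, ad = make_backends()
    vault = IdentityVault([hr, ad])
    for _ in range(queries):
        vault.lookup("jdoe")
    vault_backend_load = hr.requests + ad.requests
    return vd_backend_load, vault_backend_load


def freshness_scenario():
    """HR changes a department: who sees it, and when?"""
    hr, ad = make_backends()
    vd, vault = VirtualDirectory([hr, ad]), IdentityVault([hr, ad])
    hr.records["jdoe"]["dept"] = "Audit"
    live = vd.lookup("jdoe")[0]["dept"]        # read-through: seen immediately
    stale = vault.lookup("jdoe")[0]["dept"]    # old value until the change is synced
    vault.apply_change("jdoe", {"dept": "Audit"})
    synced = vault.lookup("jdoe")[0]["dept"]
    return live, stale, synced


if __name__ == "__main__":
    print(outage_scenario())
    print(load_scenario())
    print(freshness_scenario())
```

Running it shows the outage case returning only the HR attributes from the virtual directory (with "AD" reported as unavailable) while the vault still returns the full merged record, a thousand client queries costing the virtual directory two thousand backend requests against two for the vault, and the freshness gap closing as soon as the change event is applied to the vault.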
Now what I really want to understand from anyone who has some insights to share is: Have you been using our products and have you come across situations where virtualization would have come in handy or even saved your project? Have you not used our products because they do synchronization and not virtualization of identity data?
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.