Last week Volker Scheuber of Novell wrote on his blog what is, frankly, some FUD about directory virtualization.
Matt Flynn and Dave Kearns have already responded. Dave does a very good job of explaining why this is FUD.
IMHO, what's worse is that this continues the belief that the battle is
virtualization vs synchronization in a winner-take-all scrum. Like many
things in life - it's more nuanced than that.
Since Oracle provides directory virtualization, directory synchronization and
directory storage - we're not stuck with any particular strategy.
Though it is clear from talking to customers, virtualization is the one
they get most excited about. In my mind - synchronization everywhere
made sense when we didn't have highly available systems and high-speed
interconnects in our data-centers. But now we have all of these things
so virtualization makes much more sense. It's comparable to hardware
virtualization (Xen, VMware, etc.) - these really didn't become
mainstream (outside of the mainframe anyway) until the hardware
performance reached a point where it was feasible. Not to mention the
costs of adding additional systems, but that's another story for
another day.
In our experience the reality for many organizations is that identity
data is scattered among a variety of enterprise systems. This includes
various directories (for example could be split between staff &
customer directories or a directory per company subsidiary), databases
(central HR, CRM, etc) and even occasionally Web Services (either
to access systems like mainframe or to provide an API type access to
database as opposed to raw SQL).
Most of these systems are already highly available, backed-up, secured,
and connected via high-speed networks in centralized
data-centers. And even if you need to connect to remote or support
fail-over as part of disaster-recovery - we have solutions there as
well. One benefit of being with Oracle - we do know something about
building "grid" enabled services.
The issue then becomes - "I'm deploying directory enabled applications
that need a single view of directory data - how can I do this -
quickly, cheaply and effectively".
In many cases virtualization is a preferred choice because it is
quicker (and often, cheaper) to deploy because you don't
need to deal with many of the other issues that come up with synchronization:
- Configuring yet another highly available datastore
- Configuring backups
- Configuring security for clients AND the storage system
- Maintaining the synchronization links & fixing problems when they break
- Spending the time determining what can be copied from a regulatory and internal data-politics point of view
- Development of a standardized schema
All of these components add up to time and money.
And you often find out you either can't copy everything
you need and/or can't create a standardized schema even if you wanted to. This is because you
either find out that you end up giving out too much or too little
information for applications to use. And if an application needs a
specific directory view - then you have to repeat this entire exercise.
Directory virtualization lets you avoid many of these headaches.
Because it's not synchronizing - this means you can avoid the time (and
expense) spent in configuring backups, HA databases and security for
new systems. You also don't need to worry as much about a universal
schema or specific application requirements because (at least with
Oracle Virtual Directory) you can create a specific view of the data
for individual applications.
Thus a single service can appear as multiple services to different
applications. As you can imagine this makes it much easier to deploy
and manage directory enabled applications.