Because Identity Is More Than Your Username and Home Directory
By Mark Wilcox - CTO - Oracle Consulting Security-Oracle on Jul 16, 2008
Most of June and July have flown by. And of course, when I finally had time to actually blog, we were upgrading the blog system, so by the time it was live I didn't have time.
Anyway, I think Clayton covered pretty much everything I would have said at a high level on the meta-directory feud.
One thing I would point out in this continuing quest by James and others, who seem to live in a world where AD is the one and only directory and I guess never have to deal with customers, subsidiaries, mergers or acquisitions (or maybe all of their kids' college funds are only in MSFT stock??): the fact is that for many organizations there are attributes mastered in HR that may not exist anywhere else.
For example, cost center and manager. You might want to use that information to make an authorization decision.
While you can copy that data into AD via a provisioning system like OIM, doing so means your Windows admins now carry the burden of managing the data. That has its own implications: for a single department it might be manageable, but for an organization spread over multiple locations that data must be replicated, and replication can take several minutes or hours.
Frankly there isn't any reason for this.
You could simply use identity virtualization to link (what we refer to as a split profile) the username and password in your enterprise directory (like AD) to the record in the central HR system. The HR side could be pulled from HR directly or read from OIM.
The benefit is that you only have to manage, secure and make highly available that data in a single location. Worried about what happens if that system is down for an upgrade, or concerned the database isn't optimized for queries? Then you can use Oracle TimesTen (aka the 11g DB In-Memory cache) to offset this.
And because you are leveraging identity virtualization, it is easier to secure access to the sensitive data: you can specify which applications are allowed to query it and then periodically audit them to ensure they are following your rules. But my belief is that if the data is available as a service, people won't copy it, because it will be easier to just use it over the network.
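To make the split-profile idea concrete, here is a small added illustration (not Oracle's code, not OVD, and not part of the original post) of what the virtual layer does: it joins a login entry from a constructed "enterprise directory" to a constructed "HR system" record on an employee-number link attribute, only hands HR-mastered attributes such as cost center and manager to applications registered in a per-application policy, records every query in an audit log, and drives one authorization decision (expense approval by the submitter's manager) off the joined data. The data sources, application names and policy are all assumptions made up for the example.

```python
"""Toy identity-virtualization "split profile" (added example, not vendor code).

Two constructed back ends: the enterprise directory (the AD side) masters the
login identity, the HR system masters cost_center and manager. The virtual
layer joins them, applies a per-application read policy to the HR attributes,
and writes an audit record for every query it answers.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: the directory owns login identity and group membership.
ENTERPRISE_DIRECTORY = {
    "jdoe": {"cn": "Jane Doe", "employeeNumber": "10042", "memberOf": ["finance"]},
    "asmith": {"cn": "Al Smith", "employeeNumber": "10077", "memberOf": ["it"]},
}

# Constructed sample data: HR masters cost center and manager, keyed by employee number.
HR_SYSTEM = {
    "10042": {"cost_center": "CC-4100", "manager": "bwong"},
    "10077": {"cost_center": "CC-2200", "manager": "jdoe"},
}

# Assumed policy: which HR-mastered attributes each registered application may read.
# An application that is not listed gets nothing from the HR side.
APP_POLICY = {
    "expense-app": {"cost_center", "manager"},
    "helpdesk": {"manager"},
}


@dataclass
class AuditEvent:
    app: str
    uid: str
    requested: tuple
    granted: tuple
    denied: tuple


@dataclass
class VirtualDirectory:
    directory: dict
    hr: dict
    policy: dict
    audit_log: list = field(default_factory=list)

    def lookup(self, app: str, uid: str, attrs: list) -> Optional[dict]:
        """Return the requested attributes of uid as seen by app, or None if uid is unknown.

        Directory attributes are always returned; HR attributes only if the
        application's policy allows them. Every answered query is audited.
        """
        entry = self.directory.get(uid)
        if entry is None:
            return None
        # The join: the directory's employeeNumber links to the HR record.
        hr_record = self.hr.get(entry["employeeNumber"], {})
        allowed = self.policy.get(app, set())
        result, granted, denied = {}, [], []
        for attr in attrs:
            if attr in entry:
                result[attr] = entry[attr]
                granted.append(attr)
            elif attr in hr_record and attr in allowed:
                result[attr] = hr_record[attr]
                granted.append(attr)
            else:
                denied.append(attr)
        self.audit_log.append(AuditEvent(app, uid, tuple(attrs), tuple(granted), tuple(denied)))
        return result

    def denied_reads_by_app(self) -> dict:
        """Summarize denied attribute reads per application, the input to a periodic audit."""
        summary: dict = {}
        for event in self.audit_log:
            for attr in event.denied:
                per_app = summary.setdefault(event.app, {})
                per_app[attr] = per_app.get(attr, 0) + 1
        return summary


def can_approve_expense(vd: VirtualDirectory, approver_uid: str, submitter_uid: str) -> bool:
    """Authorization decision driven by the HR-mastered manager attribute,
    read through the virtual layer rather than from a copy in the directory."""
    record = vd.lookup("expense-app", submitter_uid, ["manager"])
    return bool(record) and record.get("manager") == approver_uid


if __name__ == "__main__":
    vd = VirtualDirectory(ENTERPRISE_DIRECTORY, HR_SYSTEM, APP_POLICY)
    print(vd.lookup("expense-app", "asmith", ["cn", "cost_center", "manager"]))
    print(vd.lookup("helpdesk", "asmith", ["cost_center", "manager"]))
    print(can_approve_expense(vd, "jdoe", "asmith"))
    print(vd.denied_reads_by_app())
```

The point of the policy table and the audit summary is the one the post makes: because the HR attributes are never copied into the directory, the virtual layer is the single choke point where you decide which application may see cost center or manager, and `denied_reads_by_app` gives you the list of applications that asked for more than they were entitled to.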