Analyzing Microsoft's approach to provisioning
By Nishant Kaushik on May 17, 2006
Gartner's MQ report on provisioning calls out the different approach that Microsoft has taken to the provisioning space. Termed the "enterprise access management" approach, it essentially advocates the externalized authn and authzn model that requires less pushing of data into target system repositories, and more pulling of data by the target systems from MIIS at runtime.
The Microsoft approach to provisioning has essentially evolved (not too far though) from the metadirectory roots of MIIS. In that vein, it misses some critical realities of enterprise provisioning today:
- An externalized approach is essentially invasive to existing applications, requiring them to change their operational model significantly
- Commercial applications are unlikely to adopt an externalized model any time soon
- Legacy applications, especially mainframe-based applications, that are frequently the target of phase 2 provisioning deployments, are never going to evolve to such a model
External authn and authzn models are going to become increasingly popular, especially as standards in the space become widely accepted. This will lead to some of the above realities fading away into the history books (albeit a long time from now). Any application development that enterprises embark on today should look at the externalized model as giving them tighter administrative control over their applications and enterprise. However, the middleware approach to provisioning will not disappear; rather the IdM system of the future will be a hybrid (integrated?) version of provisioning and authn/authzn engine.
Why? Both Microsoft and Gartner ("... the middleware approach, which addresses the management of the complex authentication environment ...") overlook an often-missed aspect of provisioning - that its coverage extends beyond mere authn and authzn data to operational data as well. Frequently, it is also about taking decisions and setting values of attributes that are calculated based on the data available to the provisioning system. This can be illustrated with a simple example involving one of Microsoft's own systems - MS Exchange. Very frequently, based on some real complex decision criteria, the provisioning system is not only responsible for determining who gets an exchange account, but which server they get their account on. This is especially important in financial institutions where the existence of "chinese walls" are mandated. The argument extends to various other applications, including custom applications that invariably have an underlying database configuration that needs management during the provisioning process.
And lets not forget all the cool Audit and Compliance features you get with the more traditional provisioning tools, that an externalized model simply would not support.
As Gartner pointed out, when implemented correctly, the access management approach can be a lower cost alternative. That is the reason it is often viewed as being geared more towards the SMB market. However, one thing to remember is that SMB customers are more likely to have deployed COTS applications that do not support externalized security controls. So, unless you are a small shop that has been able to restrict their critical infrastructure to a Microsoft stack, it is unlikely to be a viable option for some time to come.
Architecturally, the approach Microsoft is advocating is a nice clean one, and is definitely being considered in enterprises for their new application development projects. And it is an approach that is central to the "Application-Centric" message that we at Oracle are adopting as part of the hybrid, open future I mentioned above. This is a big part of making enterprise-class IdM a reality for all, especially the SMB market, and delivering a more scalable architecture infrastructure that enterprise architects have been craving for. I, for one, look forward to having some fun taking it from vision to reality.