First things first: Priorities in building Identity Infrastructure

Building an effective identity infrastructure means prioritizing the initiatives required for that infrastructure and implementing them in the proper order. This will increasingly become a critical e-business success factor.

META Trend:
Driven by the need for scalable services, a unified "identity infrastructure" will slowly (2000-04+) emerge based on directory, authentication (first Web single sign-on, later PKI), and management utility components.

PKI will proliferate for centralized management of external users (2000/01), internal users (2001/02), and consumers (2003/04). Enterprise-scale functionality, application externalization via directories (LDAPv3), public interoperability, and outsourcing solutions will remain problematic through 2003/04.

Organizations are increasingly discovering the need for an identity infrastructure, serving a dual purpose: providing for e-business and streamlining internal infrastructure operations. Indeed, there are often so many requirements in these areas that fulfillment prioritization becomes confusing within IT project management offices, particularly when implementing two strategies (i.e., one for e-business, the other for internal needs). Such offices rarely have adequate resources to meet every requirement.

Effective deployment strategies also require some projects to be completed as foundations for others. It is vital that IT organizations be able to quickly identify, prioritize, and implement the initiatives necessary to build the enterprise and e-business identity infrastructure.

E-business requirements for identity infrastructure will impact directory and authentication/authorization services deployments through 2001 as they compete for infrastructure resources and focus. A dual strategy for enterprise (i.e., internal) and extranet (i.e., external) identity infrastructures will be required through 2001 as well.

IT organizations will continue to struggle with ownership and quality of data issues across multiple directories during deployment (2001-03). Extranet infrastructure creation will be the dominant concern for most through 2003, and deployments will be double the rate of the previous two years.

Consolidation and standardization of internal infrastructure will occur concurrently. Though some integration will occur between external and internal identity infrastructures, a single solution addressing both environments will elude most organizations through 2006.


As a first priority, many organizations currently have a unique, but limited, window of opportunity to construct an identity infrastructure for e-business and get it right.

This involves the careful selection of directory services, authentication/authorization capability (i.e., Web-based single sign-on), delegated administration services, and methods of ensuring the quality of directory data.

The primary purposes of the extranet identity infrastructure are:

  • Provide a repository for business partner and customer directory information
  • Provide a common infrastructure layer for authenticating and authorizing users of Web-enabled applications across security infrastructures (e.g., firewalls, demilitarized zones)
  • Provide services to manage the directories themselves across multiple enterprises
  • Ensure the accuracy of the directory data, particularly when extracts and replication of internal directory data are required to create or feed the extranet directory

Ensuring an external identity infrastructure that is adaptive is the second key priority. Authentication and authorization solutions must be able to evolve efficiently into more robust security mechanisms, incorporating such technologies as public key infrastructure (PKI) without significant effort or modification.

Directory schema must be designed (and documented) flexibly and simply to incorporate a changing set of business partners and customers, as well as absorb merger, acquisition, and divestiture activities. Applications must be chosen and/or written based on their ability to integrate with the Web-enabled single sign-on solution. Even projects involving corporate intranets should be capable of reusing large portions of the external infrastructure.

Internal Priorities
Often organizations make a priority decision regarding identity infrastructure without realizing it when they upgrade the corporate network operating system (NOS). Whether the decision is Novell eDirectory or Microsoft Active Directory, a strategic component of the enterprise strategy is chosen with this decision.

Microsoft's current strategy for Active Directory services is more focused on taking Novell market share and moving Microsoft NT 4.0 users to Windows 2000 than on actually establishing Active Directory as the centerpiece for both internal and external identity infrastructure.

Novell's current strategy is to establish eDirectory as both an internal and external solution, but it faces formidable competition from Microsoft in the internal enterprise and iPlanet in the external environment.

While Novell's eDirectory is still a superior product to Active Directory, IT organizations must now decide if Microsoft's solution is "good enough" for their business needs, because it comes as part of Windows 2000 Server and few organizations are willing to continue with mixed NOS environments when performing an upgrade. Novell's future as a company will be determined by the adoption rate of eDirectory for both environments (i.e., internal and external).

The NOS directory serves as a foundation for an enterprise identity infrastructure, but deployment is actually part of a series of strategic initiatives. NOS upgrades and e-mail application reductions (if there is more than one e-mail system) should be part of the first phase of reduction (i.e., reducing the number of directories in an organization).

However, undertaking such an effort requires a detailed inventory of existing directory services within the enterprise, an effort consistently underestimated. Consolidating remaining directories, particularly "people store" information (e.g., human resources, authentication tables for applications access), is the second phase.

Phase three involves synchronizing critical data within the remaining directories where applicable. This may require significant management tools and some organizations may even dictate the use of metadirectory services.

To implement an effective identity infrastructure for the organization, IT groups should remember:

External first:
Build an adaptive infrastructure for e-business; provide single sign-on and management for applications; ensure security

Internal second:
Finish the NOS wars; reduce, consolidate, and synchronize directory stores (in that order); use external infrastructure wherever possible

Business Impact:
It is not enough to identify critical business requirements and their solutions for an organization. Discerning the priority of implementing those solutions for those requirements is the key to success.

Bottom Line:
IT organizations must identify the requirements of identity infrastructure across their enterprise, and prioritize them for implementation according to business need and available resources.