The adoption rate of cloud-based and Software-as-a-Service (SaaS) applications has been dramatic, and it is only accelerating. According to a recent survey by Forrester Research, more than 50% of enterprises state they either currently use cloud services or are actively experimenting with them.
While enterprises continue to migrate a significant portion of their infrastructure to the cloud, using applications like Salesforce.com or Google Apps, they also need to maintain their existing infrastructure—most likely a mix of Active Directory (AD), Lightweight Directory Access Protocol (LDAP) directories, and various databases and proprietary applications.
Having this infrastructure disconnected from the cloud can increase expense, complexity and expose additional security risks. Many enterprises are grappling with how to get the benefits of the cloud while leveraging existing infrastructure and effectively managing and integrating the disparate environments in a secure way.
This fundamental shift presents several challenges and opportunities:
- For enterprises moving toward cloud and SaaS-based systems, the adoption of each new system requires providing user as well as other key data into each new system. In the short term, this problem can be addressed by provisioning users (identities) into each new system. Longer term, these systems will be architected to consume this data from the enterprise via secure standard protocols. Before that happens, the more this data gets distributed across many systems, the greater the need to bring it together logically—to manage globally and act locally, in other words.
- For enterprises building cloud or SaaS services, the need to create and manage a multi-tenant environment becomes critical. The infrastructure must allow for each tenant environment to be isolated from a security perspective, while still enabling a global view of all tenants—again, the ability to manage globally, yet act locally.
A Salesforce.com Example
Lets assume, for example, the sales region and list of accounts for a sales rep are stored in Salesforce.com. Since not all employees have access to Salesforce.com, the enterprise has also created an internal portal where non sales-related employees can find sales reps and customer information. In this scenario, there are typically three hurdles that need to be addressed:
- Managing the provisioning/de-provisioning of internal users in Salesforce.com. This is a time-consuming manual process and security is an important factor. If terminated employees are not de-provisioned correctly, they could access information they should not be able to see.
- Dealing with a high number of password management issues because users have a separate account in Salesforce.com. Depending on how this is configured, users may have to remember an additional password and sign into this environment again even if they have already signed into other enterprise applications.
- Data about salespeople and accounts in Salesforce.com will not be visible to other enterprise systems, such as the internal portal mentioned above. However, access to this information is a key requirement for other business functions (for example, the distribution of new leads or contacting the correct sales rep in case of a customer issue).
Enter the virtual directory. A virtual directory acts as an abstraction layer across disparate systems, reaching into all these systems and bringing the information together into a single view.
By leveraging a virtual directory, an enterprise can now accomplish the following:
- Automate the provisioning and de-provision of users in Salesforce.com based upon membership in an LDAP group.
- Create a centralized view of internal user information with attributes coming from LDAP and Salesforce.com that can be surfaced through the portal.
- Create a centralized view of an identity that exposes, for example, a combined user profile coming from the enterprise directory and Salesforce.com (including the accounts that that user is responsible for) or the customer information coming from Salesforce.com and the information from the accounts payable database (including whether the account is current on their payments).
Virtual Directory—Delivering Flexible Identity and Context Views For Each New Initiative
With the a virtual directory server, enterprises can create custom views of data that span disparate systems —enterprise and cloud/SaaS—and deliver the data via different protocols, for example LDAP, SQL, Web services, based on the needs of the application.
This ability could be leveraged to automate the provisioning and de-provisioning of users in and out of Salesforce.com based on membership in a group in an enterprise directory or to set up a centralized view inside a portal that includes information coming not only from their internal repository, but also from Salesforce.com and other cloud/SaaS-based systems.
By being able to reach into disparate enterprise and cloud/SaaS systems, enterprises are able to solve business problems such as: “How can I find the name of the sales person responsible for this account with expertise in this domain?”
The Virtual Directory as a Centralized Identity Hub
In essence, a virtual directory creates a centralized identity hub for accessing information coming from enterprise internal sources, such as directories, databases and web services, as well as services out in the cloud, such as Salesforce.com, Twitter, LinkedIn, and others—all without having to make changes to enterprise applications that expect a single data source. This integration layer allows enterprise users to not only read this information, but also update it through this centralized hub.
While moving to the cloud is inevitable, so are the issues that result in trying to integrate information in the cloud with information in an enterprise infrastructure. By using a virtual directory, companies can move more effectively to the cloud, creating an abstraction layer for deployments and architectures that involve both internal and cloud-based systems. And as companies look to expand into other cloud services, improving secure access to enterprise information both inside and outside the cloud will only help speed adoption.
Dieter Schuller is vice president of sales and business development at Radiant Logic.
Radiant Logic, Inc is a provider of virtual directory solutions for identity management and enterprise information integration.