Tuesday, September 30, 2008

A good primer on Authoritative Identity Stores

Just a quick one. Many of us spend too much time thinking about and dealing with all these new, shiny Information Security "toys" (a lot of which is just hype and marketing). The problem is that we sometimes lose sight of the core pieces.

One of the basic, important steps in implementing an Identity Management infrastructure is the planning around where your new, shiny provisioning engine is going to get all the identity information it needs. Sometimes the answer is very straightforward (e.g. "oh, we just suck all the information out of the HR system"). Unfortunately, life is not always this simple. Quite often, you need to think about where your disparate, authoritative sources of identity information are. Once you figure that out, you then need to determine how to get that information easily (in a manageable and maintainable way) on a regular basis, preferably in an automated fashion.

Your friendly sales rep at whatever software vendor you deal with will immediately throw a tool at you. Said tool will probably be one of the following:
  • An LDAP directory which includes synchronisation capabilities with other data stores.
  • A Relational Database (RDBMS) which includes synchronisation capabilities with other data stores.
  • A plain old synchronisation tool that transports data between various sources.
  • A Meta-Directory (which could leverage an LDAP or RDBMS depending on the architecture).
  • A Virtual Directory (which could leverage an LDAP or RDBMS depending on the architecture).
Before you bring your favourite software sales rep in to beat you over the head with their tool, take a step back and think about how you actually want to solve the whole Authoritative Store issue. If you're not sure where to start, Matt Pollicove's written a whitepaper outlining how one might go about doing it (actually released over a month ago, but it's been on my "to-read" list until today when I finally got around to it). It's a pretty good read for those who want to get an informed start on the things you need to be considering and how you might go about putting a solution together. Matt also does a good job of talking more about abstract concepts instead of telling the reader which tool to use in each situation (because there's no right answer - it depends on what your requirements are).
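To make the "disparate authoritative sources" point concrete, here is an added example (my own, not from the post or from Matt's whitepaper) of the tool-agnostic core that any of the products listed above ends up doing for you: an attribute-level authority table saying which source may supply which attribute, a merge that takes each attribute from the highest-precedence source, and a report of where authorised sources disagree or where a source is quietly supplying attributes it has no business owning. The three feeds (HR, contractor database, directory), the identifiers and the `AUTHORITY` table are all constructed for illustration.

```python
"""Consolidate identity attributes from several authoritative sources.

Added example; not code from the post. Assumes three constructed feeds
(HR, contractor database, directory), each already normalised to a dict
keyed by employee/contractor number, and a hypothetical attribute-level
authority table saying which source may supply which attribute.
"""
from typing import Dict, List

# Attribute -> ordered list of sources allowed to supply it (first wins).
AUTHORITY: Dict[str, List[str]] = {
    "given_name": ["hr", "contractors"],
    "surname": ["hr", "contractors"],
    "department": ["hr", "contractors"],
    "status": ["hr", "contractors"],
    "email": ["directory"],          # only the directory is authoritative
    "manager_id": ["hr", "contractors"],
}

# Constructed sample feeds (not real data).
HR = {
    "100001": {"given_name": "Ada", "surname": "Lovelace", "department": "ENG",
               "status": "active", "manager_id": "100002",
               "email": "stale@example.invalid"},   # HR is not authoritative for email
    "100002": {"given_name": "Alan", "surname": "Turing", "department": "ENG",
               "status": "active", "manager_id": ""},
}
CONTRACTORS = {
    "C-7": {"given_name": "Grace", "surname": "Hopper", "department": "SEC",
            "status": "active", "manager_id": "100002"},
    # Same person as HR 100001, with a conflicting name and status.
    "100001": {"given_name": "Augusta", "surname": "Lovelace", "department": "ENG",
               "status": "terminated"},
}
DIRECTORY = {
    "100001": {"email": "ada@example.invalid"},
    "100002": {"email": "alan@example.invalid"},
    "C-7": {"email": "grace@example.invalid"},
}

SOURCES = {"hr": HR, "contractors": CONTRACTORS, "directory": DIRECTORY}


def consolidate(sources=SOURCES, authority=AUTHORITY):
    """Return (identities, conflicts).

    identities: id -> merged attribute dict, each attribute taken from the
    highest-precedence authorised source that has a non-empty value for it.
    conflicts: list of (id, attribute, {source: value}) where two or more
    authorised sources disagree, so the upstream data can be fixed rather
    than silently overwritten by the provisioning engine.
    """
    ids = set()
    for feed in sources.values():
        ids.update(feed)
    identities = {}
    conflicts = []
    for ident in sorted(ids):
        merged = {}
        for attr, allowed in authority.items():
            candidates = {}
            for src in allowed:
                value = sources[src].get(ident, {}).get(attr, "")
                if value:
                    candidates[src] = value
            if not candidates:
                continue   # nobody authoritative has a value; leave attribute unset
            # First source in the precedence list that supplied a value wins.
            winner = next(src for src in allowed if src in candidates)
            merged[attr] = candidates[winner]
            if len(set(candidates.values())) > 1:
                conflicts.append((ident, attr, candidates))
        identities[ident] = merged
    return identities, conflicts


def unauthorised_values(sources=SOURCES, authority=AUTHORITY):
    """List (source, id, attribute) for attributes a source supplies without
    being authoritative for them. consolidate() ignores these, but reporting
    them shows which feed is carrying data it should not be trusted for."""
    out = []
    for src, feed in sources.items():
        for ident, record in feed.items():
            for attr in record:
                if src not in authority.get(attr, []):
                    out.append((src, ident, attr))
    return out


if __name__ == "__main__":
    ids, probs = consolidate()
    for ident, rec in ids.items():
        print(ident, rec)
    for c in probs:
        print("CONFLICT", c)
    for u in unauthorised_values():
        print("IGNORED", u)
```

Whether this logic lives in a meta-directory's join rules, a virtual directory's merge configuration or a cron job feeding an LDAP server is exactly the tool question the post says to defer; the authority table and the conflict report are the parts you have to decide on regardless of product.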

I'll stop now because I don't particularly want to start the "Directory Trek Wars" again despite the fodder it would provide me to do part III :-)

1 comment:

Matt Pollicove said...

Thanks, Ian. You put things in just the right context (and context is everything)

I still say my identity store is better than your identity store! :)