Down the Novell Identity Spiral with iChain

by Jacqueline Emigh

With the release of its iChain security appliance, Novell begins the march toward complying with the Liberty Alliance's identity management specifications. How will it fare against smaller security specialists like Netegrity and RSA?

For October, Novell is planning widespread availability of a new edition of its iChain security appliance. The new iChain will be Novell's first step toward complying with the emerging Liberty Alliance industry specs around the exchange of identity management information. Generally speaking, users and analysts applaud Novell's overarching vision for identity management and provisioning. Some raise questions, though, over how long it will really take Novell to fulfill its long-term roadmap.

Novell publicly rolled out two interrelated projects - codenamed Saturn and Destiny - at the Burton Group Catalyst Conference last summer. In Saturn, Novell expects to use Liberty Alliance 1.0 specs for exchanging identity management between companies, extending the idea of single sign-on to Web sites operated by multiple organizations.

Destiny expands this notion of "federated trust" into several other areas, including "dynamic identity," intelligent infrastructure, and the use of Web services for identity management.

"Dynamic identity is about the context in which you find the identities," said Ed Poole, Novell's director of product management for provisioning, during a subsequent interview. A specific end user might be given one "identity" and set of access rights in a systems administrators' group, and an entirely different "identity" in a corporate managers' group, for instance.

"More interestingly, you'll also be able to coordinate identities," according to Poole. Novell is looking, too, at ways of using identity info to "make inferences about security," he added.

In Novell's concept of "intelligent infrastructure," network managers will be able to forego a separate policy engine. Instead, the directory will evolve into something that's able "to make intelligent decisions about data and relationships based on rules."

A UDDI server, mentioned as part of the Destiny announcement, is not, in fact, a separate server, according to Poole. Rather, UDDI is already built into the Novell eDirectory.

The new iteration of iChain will be the first to comply with Liberty Alliance 1.0 and SAML. "We've already introduced (the product) to early adopters, and we will make it more generally available in October," Poole pronounced.

"We'll be bringing out components over the next 18 months. Over time, they'll be pulled together into a common framework," he pledged.

By and large, network managers are very intrigued, but not yet entirely convinced. The Liberty Alliance-enabled iChain "sounds good on paper," according to Sean Welsh, one enterprise user. "'White paper' statements always sound good, though. I need to see an actual product before I can say much more about it," added Welsh, an administrator in Mount Sinai NYU's Core Engineering Distributed Systems Infrastructure.

"I've heard loosely about Saturn and Destiny, but I don't know how Novell is planning to package them at this point. Those things keep changing all the time, anyway. I'm kept well entertained by what I have right now," said Andy Konecny, a systems engineer at Canadian-based systems integrator Ainsworth.

"Federated management seems to make sense," he observed. "Ideally, technology will provide mechanisms for requiring 'true identities' for access across multiple Web sites, just as passports are required for gaining access into other countries. Right now, a lot of sites would let you pretend to be just about anyone - although if you claimed to be Bill Gates, for instance, somebody might notice!"

"PKI and federated management are two mechanisms that are slices of the solution. More than technology will be required, though," he predicted. "A lot of political stuff will need to happen, too. How are organizations going to determine which other organizations they should trust?"

Cate Quirk, an analyst for AMR Research, thinks administrators will get a lot of mileage out of end-to-end identity management. As Quirk sees it, directory services, provisioning, and access management are all pieces underneath the larger umbrella of identity management. "We'll have to see how useful this really is, though, when Saturn and Destiny become actual products," she acknowledged.

The cause of the Liberty Alliance is well served by announcements from big players like Novell and IBM, according to the analyst. Meanwhile, though, larger vendors are facing growing competition from smaller specialists. For instance, security vendors such as Netegrity and RSA have both started stepping into identity management.

Similarly, Roberta Witty, an analyst for Gartner Group, cites increasing convergence in the identity management space from product categories that include directory services; enterprise single sign-on; password synchronization and reset; extranet access management; and content and application delivery portals.

Meanwhile, neither Wells nor Konecny is beta testing the new edition of iChain. Both, however, seem mainly satisfied with the Novell products they're using. "Large enterprises get to do the bleeding-edge stuff with Novell Consulting. Then VARs like us get the technology, after it's been turned into products," Konecny noted.

Recently, though, Ainsworth used DirXML to synchronize Novell, Active Directory, and Exchange directories for a small property management firm. The customer was upgrading its mail system from cc:Mail.

"DirXML is getting easy to install and use. We didn't even have to do any XML programming," the SI maintained.

Mount Sinai, on the other hand, has been working with Novell Consulting for a total of about seven months on a couple of projects. First, eight internal staffers collaborated with the consultants on a huge tree restructuring, made necessary by X.500 naming errors committed by earlier members of Mount Sinai's IT organization.

Then, in a single sign-on project, they used DirXML for integration between eDirectory; BEA Systems' WebLogic portal; Citrix MetaFrame; and Netegrity SiteMinder. Windows 2000/NT users can now rely on the same IDs and passwords for accessing their desktop and network-based applications.

"Access to clinical applications has been extended beyond Metaframe to a remote access VPN. This will enable our lab facilities to sell to outside medical interests. We've also greatly improved our log-in speeds and ability to deliver to fat clients. At the same time, we've reduced our reliance on IPX, and we are now about six months away from being able to do away with IPX all together," contended Wells.

Wells hopes, though, that identity management will eventually give application developers the ability to support the graduated levels of security needed for HIPAA compliance, without needing to do separate coding for each application.

For its part, Novell might ultimately move beyond the plans mapped out in its Destiny roadmap. One possibility is a "viewer," for looking at users' identities from various perspectives, according to Poole.

Poole pointed to a current project at Microsoft, codenamed Polyarchy. "Polyarchy lets you look at the different identities in an organization in different ways. There's an organizational view and a geographic view, for example. This is an interesting type of approach that we certainly think has some value."

This article was originally published on Saturday Sep 14th 2002