Tech Mahindra

IAM - Is Building Consolidated Identity repository a must for an Org - Internal

Posted by: Nilesh Shirke On May 11, 2011 12:05 PM

I regularly get questions from customers about automating user provisioning and deprovisioning. In most enterprises an identity is created first in the HR system (Oracle, SAP and the like) and is then carried, manually or through an automated feed, into each application that needs to provision the user. The identity rarely arrives in the same shape everywhere: each application defines its own user attributes to suit its own needs. As the enterprise grows, managing these identities becomes a challenging task in itself, and identity and password calls account for 30% to 40% of help-desk costs. Managing user identities and keeping them within a standard process therefore becomes very important. The key drivers are:

• Cost savings: fewer help-desk staff, and a dashboard with a consolidated view of identity information
• Centralization of identity information, on which centralized authentication for the enterprise can be based, and easier identity lifecycle management
• Easier identity migration and/or consolidation in case of mergers and acquisitions

I feel the first step in these efforts should be consolidating the user identity information; whether that requires centralizing the identity storage itself remains to be seen. There are two options:

• Option 1 – Meta directory: use a meta directory as the single identity repository (a union of the identity silos and/or centralization of the identity information, kept current by synchronization from the source systems)
• Option 2 – Virtual directory: put a virtual directory in front of all existing identity stores and use it as the authentication source, without moving the data out of those stores

Identity and access management (IAM) adoption is on the rise. An IAM solution revolves around user identities, and those are stored in directories or databases. Through standards such as LDAP, directories provide a platform- and vendor-independent security service. Directories resemble databases in that they store information, but in a distributed environment they are more flexible, easier to interface with, and designed for access control down to the entry and attribute level. To scale, directories organize their data hierarchically, so a tree can be partitioned and replicated across servers. They are optimized for fast query response, because directory information is read far more often than it is updated.

The question that remains is whether to consolidate the user store itself or just aggregate the user information. Managing the enterprise's user identities and building a standard set of processes around the identity solution has become vital, and the first step is either to consolidate the identity information or to centralize the identity storage.

A meta directory (Option 1) consolidates the identity information into a single user store, which can then serve as the authentication source for the enterprise. But after mergers, acquisitions and rounds of IT automation it is sometimes not advisable to centralize the identity information, because the scale of the effort is too much to handle. Putting a virtual directory (Option 2) in front of the distributed identity stores reduces the operational cost of managing identities in a central store while still presenting consolidated identity information to serve as the foundation for web portals and enterprise applications.

The strengths of this approach are:
1. Cost: identity information can be sourced individually from the lowest-cost provider.
2. Aggregation: attributes from multiple sources can be combined into a single identity whenever needed.
3. Authority: each attribute can be drawn directly from its authoritative source.
4. Timeliness: identity information is retrieved from the authoritative repository at the time of use, which eliminates periodic identity synchronization and the stale copies it leaves behind.
5. Provider independence: switching providers does not involve migration, so vendor advantage rests solely on cost and quality.
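As an added example (not code from the original post), the following Python sketch models the two options and the strengths listed above. It uses three constructed identity silos (an HR system, Active Directory and a CRM application, with invented attribute names and records), a `lookup()` that behaves like a virtual directory by joining each attribute from its authoritative store at query time, a `materialize()` that behaves like a meta directory by copying the joined view into one store, and a `find_orphans()` check that uses the consolidated view to surface accounts still alive in a silo after HR has terminated the owner. All names and data are assumptions made for illustration.

```python
"""Virtual-directory style aggregation over several identity silos.

Added example, not code from the original post. The three stores, their
attribute names and every record in them are constructed for illustration;
a real deployment would query LDAP, SQL or HR APIs instead of dicts.
"""
import copy

# Constructed silos. Each is authoritative for a different slice of the identity.
HR_SYSTEM = {  # authoritative for legal name, department and employment status
    "E1001": {"given_name": "Asha", "surname": "Rao", "department": "Finance", "status": "active"},
    "E1002": {"given_name": "Vikram", "surname": "Mehta", "department": "IT", "status": "terminated"},
    "E1003": {"given_name": "Lin", "surname": "Zhao", "department": "Sales", "status": "active"},
}
ACTIVE_DIRECTORY = {  # authoritative for login name, mail and group membership
    "E1001": {"sAMAccountName": "arao", "mail": "asha.rao@example.com", "memberOf": ["fin-users"]},
    "E1002": {"sAMAccountName": "vmehta", "mail": "vikram.mehta@example.com", "memberOf": ["domain-admins"]},
    "E1003": {"sAMAccountName": "lzhao", "mail": "lin.zhao@example.com", "memberOf": ["sales-users"]},
}
CRM_APP = {  # keyed by mail address; authoritative only for its own application role
    "asha.rao@example.com": {"crm_role": "viewer"},
    "vikram.mehta@example.com": {"crm_role": "admin"},
    "olduser@example.com": {"crm_role": "admin"},  # no HR or AD record at all
}


def lookup(employee_id):
    """Virtual-directory read: one identity view, each attribute pulled from its
    authoritative store at query time. Returns None if HR knows no such person."""
    hr = HR_SYSTEM.get(employee_id)
    if hr is None:
        return None
    ad = ACTIVE_DIRECTORY.get(employee_id, {})
    # The CRM has no employee id; join through the mail address AD is authoritative for.
    crm = CRM_APP.get(ad.get("mail"), {})
    return {
        "employee_id": employee_id,
        "given_name": hr["given_name"],
        "surname": hr["surname"],
        "department": hr["department"],
        "status": hr["status"],
        "uid": ad.get("sAMAccountName"),
        "mail": ad.get("mail"),
        "groups": tuple(ad.get("memberOf", ())),
        "crm_role": crm.get("crm_role"),
    }


def may_authenticate(employee_id):
    """When the virtual view is the authentication source, HR's status wins:
    a terminated employee is refused even while the AD account still exists."""
    view = lookup(employee_id)
    return view is not None and view["status"] == "active" and view["uid"] is not None


def find_orphans():
    """Deprovisioning check the consolidated view makes possible: accounts that
    survive in a silo although HR shows the owner as terminated or unknown."""
    mail_to_employee = {rec["mail"]: eid for eid, rec in ACTIVE_DIRECTORY.items()}
    orphans = []
    for eid, rec in ACTIVE_DIRECTORY.items():
        if HR_SYSTEM.get(eid, {}).get("status") != "active":
            orphans.append(("ad", rec["sAMAccountName"]))
    for mail in CRM_APP:
        eid = mail_to_employee.get(mail)  # None when no AD account maps to this mail
        if HR_SYSTEM.get(eid, {}).get("status") != "active":
            orphans.append(("crm", mail))
    return sorted(orphans)


def materialize():
    """Meta-directory alternative: copy every joined view into one store. The copy
    is only as fresh as its last synchronization, which is what lookup() avoids."""
    return {eid: copy.deepcopy(lookup(eid)) for eid in HR_SYSTEM}


if __name__ == "__main__":
    for eid in sorted(HR_SYSTEM):
        print(eid, "may authenticate:", may_authenticate(eid), "crm_role:", lookup(eid)["crm_role"])
    print("orphaned accounts:", find_orphans())
```

Run it directly to see the per-employee view. The contrast between `materialize()` and `lookup()` is the timeliness point: once HR flips a status, the virtual view reflects it on the next query, while the meta-directory snapshot keeps the old value until the next synchronization. The orphan list is the deprovisioning gap that is invisible from inside any single application (here a terminated employee still holding a domain-admins group and a CRM admin role, plus a CRM account that no current employee owns).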

The weaknesses are:
1. Trust: identity assurance practices, audits, regulations and business terms for third-party identity providers are not yet mature.
2. Accountability: no clear legal or contractual remedy is available to an enterprise that relied on information provided by a third party if that information turns out to be inaccurate.

The future of IAM will be driven by the compelling business advantages of an open identity market, which can provide high-quality identities at low cost. This leads me to favour a distributed identity infrastructure that pulls identity information together centrally whenever it is needed. Hence I believe the IAM landscape will evolve toward a market for identities supported by a virtual directory infrastructure.

Tags: Security