I am at Netpro’s Directory Expert Conference in Chicago this week, and very excited to be here! I’m keeping my eyes and ears wide open for the latest tech and trends around Microsoft AD and Identity Management, and also participating at an experts panel this afternoon. Knowing that DEC is an action-packed event, I came a day early, and it was well worth it. Sunday’s ramp-up to DEC 2008 was a pre-conference workshop on Microsoft Identity Lifecycle Manager (ILM) 2 beta, Certificate Lifecycle Manager (CLM), Active Directory Federation Services (ADFS) and Active Directory Rights Management Service (ADRMS). It was a hands-on lab experience given by David Lundell from the Oxford Computer Group, who did a brilliant job putting it together.

Microsoft’s vision is to have Directory Services in the centre of a comprehensive infrastructure that supports Identity Lifecycle Management, Strong Authentication, information protection and federation. Harnessing the tools presented in this workshop, one can see where this is going. Although some of the components (specifically ILM 2) are still in beta and not expected to be released until the “second half of 2008”, the picture may still be a bit rough and blurred, but one can see that it will be quite a beautiful one, once completed.

I was particularly impressed by Certificate Lifecycle Manager (CLM), an add-on to ILM that facilitates string authentication, specifically in the area of smart cards. It seems that Microsoft has managed to add significant value to an area that is often notoriously difficult for many enterprises to implement. Starting with an abstraction layer to the underlying card’s hardware stack to a comprehensive lifecycle implementation, CLM supports the full work-flow of the whole lifecycle of issuance, PIN reset, revocation and retirement. Self service is of course part of the offering and is streamlined for efficient and secure management from initial issuance to retirement and secure recycling. Just like the Dot Net Factory, Microsoft is harnessing the new Windows Workflow Foundation for all of its workflow management. For data flow, uses its MIIS meta-directory technology.

Just before the session closed, Microsoft’s Bobby Gill gave us a “sneak peak” of some additional features of ILM 2 beta 3 “hot off the disk” that he compiled a few hours ago. It is obvious that many significant enhancements are still being made, and Microsoft is very actively involved with its beta partners to collect their feedback and make improvements before the official ILM 2 is released.

Back to keeping my eyes and ears open, and I shall be back soon with some more news from DEC 2008!

Hello World! I am excited to have joined Kuppinger + Cole, and my responsibilities will be around the technologies of directory services and identity federation. I would like to kick off my blog by writing about an acquisition that actually happened a week ago, when Nokia Siemens Networks announced that it will acquire Apertio, a Bristol, UK based vendor of telecommunications software. Now what does this have to do with identity management, or even with directories? Simple. Apertio specialises in a very specific type of directory server software. They have come up with a in-memory based, highly efficient and super-scalable directory server that supports LDAP as well as access through protocols used in the Telco space (SS7, IMS).

So what role do directory servers play in the Telco world? Mobile carriers for example, use something called an HLR (Home Location Registry) as the data store for operational subscriber data. A HLR is effectively like a very large directory server, or user database if you wish, that must be highly available (otherwise you might lose service), and highly scalable (able to support many thousands of operations per second, otherwise you, again, might not get the service at the time that you need it). Traditionally, HLRs were sold as “big black boxes” at a juicy prices to mobile operators. What Apertio has done was to very elegantly merge traditional directory server standards and technology with the telco world by writing a specialised directory server that would be accessible via LDAP, and traditional SS7-base telco protocols. Granted - their directory server was so much geared towards that particular use case that it was not sold (nor made much sense) as an enterprise directory. But what fascinated me about Apertio was that they pioneered in successfully marketing the fusion between a LDAP directory and Telco HLRs. At the same time, they were in a great position to also sell the successor technology, called HSS (Home Subscriber Server, part of the IP Multimedia Subsystem, or IMS - effectively the “next generation” in communications).

Apertio has made great inroads with that successful combination. How will technology evolve in the conversion zone between LDAP and HLR/HSSes? I for one, firmly believe that many directory servers are ready for “prime time” when it comes to the stringent demands of the telco industry. Some of the LDAP servers available today can support the thousands of operations required, have the resilience features, and some of them even support transactions. Now that Apertio, who sold their products based on a software solution turns into “boxed HLRs” and “boxes HSSes” with a Nokia Siemens label on them, there might be competition arising from a new company brave enough to add the missing piece to today’s directory server in order to turn them into the next generation telco equipment. I doubt that the traditional vendors will go directly into this - at the end of the day, companies such as Sun and IBM might not want to encroach on the telco equipment manufacturers with whom they have built successful symbiosis by offering competing products - but a third party might well jump into that space.

Very large directory server projects fuel some important developments at the major directory vendors and add scalability and new features that can, to an extent also benefit enterprises, and large service providers that need to store millions of customer entries. Multi-master replication, partitioning and transactional features are all examples of this - who knows if this technology would have been developed if not for one or the other very large directory project. It will be interesting to see who, if anyone, jumps on that bandwagon to offer the next software based HLR/HSS systems based on LDAP technology, and how this may affect directory server vendors in making their software better and faster.