Mergers and acquisitions (M&A) can be a key part of corporate strategy for growth and competitive advantage. M&A delivers its promise through the successful integration of two organizations and their business processes.
Achieving this from an IT perspective requires agility and flexibility, as well as maximizing the return on investment (ROI) on existing applications. The key to business process integration is to migrate the separate user populations of the two companies to the same business applications and IT systems. However, the big challenge is to support users from M&A companies that reside in multiple directories and databases.
Potential pitfalls of identity data consolidation/migration
Many applications, such as commercial off-the-shelf (COTS) products, portals, collaboration tools, access management and HR/CRM systems, use a common protocol, LDAP, for authentication and authorization.
Most of these applications work with only a single LDAP source, though others have more than one LDAP source. Often there is also data stored in non-LDAP sources, such as HR databases, that must be leveraged for authorization decisions.
The situation is compounded in an M&A environment because the newly combined organization inherits all the LDAP and identity repositories.
One potential solution is to consolidate all the data into a single LDAP directory. However, there are several problems with this approach:
- It can take months to determine a proper data schema;
- Internal politics can increase the time to get people to buy into the schema and/or provide the proper data;
- Regulations may prevent data from being copied into a single system if the identity data crosses national boundaries;
- Applications may require their own specific views of the data;
- Synchronization takes time, which can cause problems when an immediate account disable has to be performed.
Technical advantages of virtual directory technology
Virtual directory technology was created to provide dynamic, real-time access to the source data from multiple repositories, thus avoiding the need to consolidate the data into a single repository.
Additionally, because virtual directories do not store data, they are more flexible. For example, if Application “A” requires one type of directory view but Application “B” requires a different view, a single virtual directory can resolve the issue without copying the data into another repository.
Virtual directories can also perform protocol translation: they can provide an LDAP interface to existing non-LDAP data stores. For example, imagine that an organization has spent the past five years deploying a customer-facing application that stores its usernames and passwords in a relational database. The company decides to bring a new customer application online, leveraging existing customer identity information, but the new application only works with LDAP for authentication and authorization. A virtual directory enables existing customer credentials to be used within the existing database without copying data into another LDAP datastore.
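The following added example (not code from the original article or from any virtual directory product) models the three properties described above: aggregation of an LDAP source and a relational source at query time, a per-application view, and an LDAP-style interface over a database. The table and column names, the `disabled` flag, the DNs and the equality-only search are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: customer accounts held in a relational database.
def make_customer_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (login TEXT PRIMARY KEY, email TEXT,"
               " region TEXT, disabled INTEGER)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        ("alice", "alice@acquired.example", "EU", 0),
        ("bob", "bob@acquired.example", "US", 0)])
    return db

# Constructed sample data: entries from an existing LDAP directory.
PARENT_LDAP = [{"uid": "carol", "mail": "carol@parent.example", "c": "US"}]

class VirtualDirectory:
    """Holds no identity data: every search reads the sources at query time."""
    SQL_COLUMNS = {"uid": "login", "mail": "email", "c": "region"}

    def __init__(self, db, ldap_entries, base="dc=merged,dc=example"):
        self.db, self.ldap, self.base = db, ldap_entries, base

    def _from_sql(self, attr, value):
        col = self.SQL_COLUMNS[attr]  # allow-listed column; value is bound
        rows = self.db.execute(
            "SELECT login, email, region FROM customers"
            f" WHERE {col} = ? AND disabled = 0", (value,))
        for login, email, region in rows:
            yield {"dn": f"uid={login},ou=acquired,{self.base}",
                   "uid": login, "mail": email, "c": region}

    def _from_ldap(self, attr, value):
        for entry in self.ldap:
            if entry.get(attr) == value:
                yield {"dn": f"uid={entry['uid']},ou=parent,{self.base}", **entry}

    def search(self, attr, value, view=None):
        """Equality search (attr=value); view limits the attributes returned."""
        if attr not in self.SQL_COLUMNS:
            raise ValueError(f"attribute not exposed: {attr}")
        found = [*self._from_ldap(attr, value), *self._from_sql(attr, value)]
        if view is not None:
            found = [{k: e[k] for k in ("dn", *view) if k in e} for e in found]
        return found

if __name__ == "__main__":
    vd = VirtualDirectory(make_customer_db(), PARENT_LDAP)
    print(vd.search("c", "US", view=("uid",)))
```

Because nothing is copied, setting `disabled = 1` in the source table removes the account from the very next search, with no synchronization window.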
Business case for virtual directory technologies
There are two primary business cases for deploying a virtual directory:
- Reducing time to deploy applications;
- Increasing ROI of existing identity infrastructure.
1. Reducing time to deploy applications
If applications are using LDAP for authentication, authorization and/or personalization, determining what LDAP service to use can cause delays. In particular, if there are multiple LDAP stores (such as different stores for different business units), or if the application has specific LDAP requirements that the enterprise store doesn't meet, this can delay application deployment by several months.
A virtual directory eliminates this barrier by providing a virtual aggregation of identity data. Also, if an application has different data requirements, the virtual directory can present a view of data that is specific to that application, often eliminating the need to extend the enterprise schema.
2. Increasing ROI of existing identity infrastructure
In most organizations, identity data is not stored in LDAP-based repositories. Instead, it's managed in database-based applications including commercial HR or CRM products, as well as custom applications.
Traditionally, if this data was to be leveraged by an LDAP-based application, it would need to be copied into a directory server. Often, it was copied into multiple directory repositories because it was common for each application to have its own LDAP silo.
When each system requires its own backups, high availability and synchronization for regulations, the costs of managing these systems go far beyond any software license fees.
The best way to get the highest ROI out of an HR or CRM system is to ensure that its data is used as much as possible with the least amount of copying of the data. One of the best ways to do this is to connect a virtual directory to the HR/CRM system.
Conclusion
A virtual directory provides a flexible and aggregated view of identity data without consolidating the identity data into a single store, which enables IT to realize the benefits of deploying standards-based identity applications while integrating with data sources that maintain a proprietary architecture.
This reduces the time and complexity of integrating new staff and systems as a result of M&A activities.