Tuesday, September 16, 2008

Is WAM Complex?

Jeff Bohren responded to my post on Symplified yesterday, stating that although he agreed that most WAM solutions are complex, the OpenNetwork/BMC (now Symphony) solution doesn't fit that mold.
Admittedly, I don't have experience with the BMC solution, but Jeff makes a good case for its simplicity:

(it) could be deployed with nothing more than AD and access control agents on each web server. The access control agents served as both a PEP and PDP. No policy servers, APIs, or proxy servers required. The same accounts used for intranet login could be used for web access control and the policies could be expressed in terms of AD security groups.


A few questions, (pardon my ignorance). What if apps want to query policy information (for example, does this user have access to that resource)? Do they query AD directly? Might that not get complicated if there are a complex array of rules to crunch through? Some environments seek a web services based API rather than the (typical) java API. Who stands that up? What about the admin console? Who manages that? Also, doesn't agent management become a headache? Keeping up with different web server versions, and handling upgrades could cause admin overhead. I agree that the solution sounds easier, but for an admin with a mediocre skill set, it seems that it would prove challenging. I'd love to hear your thoughts/real life experiences.

My experience falls more in the cleartrust/siteminder/oam realm, and clients constantly complain about maintenance. Here is an example. Some years back, a company sought an access management solution, found one, bought it and contracted a consulting firm to implement it. They did, and left them with documentation just as any good firm would. Years later, policies required updating, certs started expiring, web services API was requested, redundancy was removed/neglected, and general failures became more frequent. I rummaged through old docs, and found a diagram from existing documentation (sanitized).
Besides the components shown, there was a BEA server that hosted the management interface, as well as a web services wrapper for the WAM API, and of course, agents on each web server. The infrastructure also included a CA used exclusively for the WAM environment (don't ask), and was therefore considered part of the same admin burden.
The client wasn't especially tech savvy, and explaining the difference between an authorization server, dispatcher, entitlements server, and how to ensure they were appropriately set up in failover mode, and how to troubleshoot when specific problems arose wasn't particularly easy. Most importantly, it wasn't the client's "fault" - they had a host of other applications they were tagged with managing (including a metadirectory, provisioning solution, security event management, directory services, etc.), and handling a WAM solution was just another component waiting to be neglected.
I don't think that this is an unusual scenario. Now even if the complexity level were cut in half, it's still quite a bit of infrastructure to handle for an admin staff that is already overburdened. Now imagine someone offers all of this in a hosted model, and a pretty appliance (or 2) in your infrastructure that you really don't have to worry about managing...

No comments: