Rethink IT IDM Blog

"Talking about Identity Management and Other Topics We Find Interesting."


Active Directory Alone Don't Make an Identity Management Solution


From time to time I find the need to get up on my soapbox and try my best to make a point. Microsoft Active Directory alone is NOT Identity Management!

It may be a very useful component, but if someone asks whether you have IDM in place and you answer, "Yes, I use Active Directory," then you have been sold a bill of goods, or you have not been properly taught what IDM is.

The idea that a "directory service" such as Active Directory or LDAP and Identity Management are the same thing is like saying that owning a driver's license makes you a race car driver. Simply having a directory service installed is actually more like owning a learner's permit. Many small and medium businesses don't even have their directory service properly configured to provide the basics that IDM builds on, such as a password policy and proper role management.
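As an added example that is not part of the original post, here is a PowerShell audit of the "basics" mentioned above: it reads the domain's default password policy plus any fine-grained policies and reports settings that fall below a set of minimums. The thresholds are assumed example values, not the author's or Microsoft's recommendations; it requires the ActiveDirectory RSAT module and a domain-joined account with read access.

```powershell
# Added example (not from the original post): audit AD password policy configuration.
# This only confirms the directory is configured, the "learner's permit" of the post,
# not that an identity management process exists around it.
Import-Module ActiveDirectory

# Assumed example thresholds; replace them with the values from your own policy.
$MinLength  = 14
$MaxAgeDays = 365
$MinHistory = 24

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,   # object from Get-AD*PasswordPolicy
        [string] $Label
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) is below $MinLength"
    }
    if (-not $Policy.ComplexityEnabled) { $findings += "ComplexityEnabled is false" }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += "ReversibleEncryptionEnabled is true" }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount $($Policy.PasswordHistoryCount) is below $MinHistory"
    }
    # MaxPasswordAge is a TimeSpan; 00:00:00 means passwords never expire.
    $ageDays = $Policy.MaxPasswordAge.TotalDays
    if ($ageDays -eq 0 -or $ageDays -gt $MaxAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days (0 = never expires)"
    }
    if ($Policy.LockoutThreshold -eq 0) { $findings += "LockoutThreshold 0 (no account lockout)" }

    [pscustomobject]@{ Policy = $Label; Findings = $findings }
}

# Default Domain Policy applies to every account without a fine-grained override.
Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Label 'Default Domain Policy'

# Fine-grained password policies (PSOs) override the default for the users and
# groups they are applied to, so each one is checked with its subjects listed.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name |
                 Select-Object -ExpandProperty Name) -join ', '
    Test-PasswordPolicy -Policy $_ -Label "PSO $($_.Name) (precedence $($_.Precedence); applies to: $subjects)"
}
```

An empty Findings list for every policy means the directory meets the example thresholds, nothing more; the role-management half of the basics still has to be checked against the business's own role definitions.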

Don't feel too bad if this is you; it is a very common mistake in the wild. In fact, I would love to lose the term "identity management" altogether. The term is so diluted by similar IT terms such as "profile management", "single sign-on (SSO)" and "password management", which are only components of IDM. Business owners are put at a great disadvantage when talking about IDM with all this confusion in the marketplace, and who can blame them?

The generic term Identity Management covers basically everything that has to do with entitlements, access and authentication. While a directory service is a very important function within IDM, it is not in itself IDM.

Have I driven that point home yet? I'm trying very hard.

Identity Management is part of a whole business strategy, a set of controlled business processes that business management professionals use to manage the security policy for your computer network. This strategy covers every system in which a user's access entitlements should be controlled by role. These policies and controls need to be owned by business management, but often they are run by IT (the technical folks), usually without taking the business strategy, business processes and goals into account.

Back to AD.

Microsoft is building more and more IDM functionality into the Active Directory system, and at some point very soon it may address a larger part of the IDM stack. Not a bad thing, right? Maybe, and maybe not!

The obvious drawback is that you can only manage users for systems that support Active Directory. If your company logo also uses a rainbow butterfly in tribute to Microsoft, you hate penguins named "Tux", or you like the comfort of using only a single software vendor, you might not have a problem with this.

In reality, most companies do use products from other vendors that run on penguin power (aka Linux), or they may simply have a business strategy that values flexibility. Our very own GreyTower product, built by us (the people with "directory services" in the company name), supports this business strategy and is not tied to any single directory service.

Don't get me wrong about Active Directory: it is a very good system, but in the end, Active Directory alone doesn't make an identity solution. If it did, Microsoft would not have needed to release its own identity product, Microsoft Forefront Identity Manager.
