Chief Technology Officer Deepak Taneja is in charge of technology strategy and initiatives at Waltham, Mass.-based Netegrity Inc., a leader in the burgeoning identity and access management market. He recently spoke with Tommy Peterson about how the Web has changed the notions of identity and access control in corporate computing, as well as the definition of an application. Taneja also described how Netegrity's technical focus is shifting to match those transformations.
Q: Identity and access-control issues have been around for as long as there has been corporate computing, but this particular market has emerged in the past four or five years. Why now?
In the mid-'90s, the Internet caused companies to think about putting intranets and extranets in place. As these extranets were developed, they provided an opportunity for companies like Netegrity to come in with technology that delivered security as a shared service for the entire extranet.
The center of gravity for us and other companies in the space was Web-based applications, which didn't exist 10 years ago. What's happened now is people have gotten control over their extranet, but they've got a mess on their hands inside the enterprise. So they're . . . unifying the infrastructure for the extranet and the enterprise. They're rationalizing the overall problem of how you connect users and principals in general to applications and resources, whether they're Web-based applications or non-Web, whether it's legacy or not, whether it's enterprise applications [or not], portal applications or nonportal applications. The real problem is how you connect users to those applications.
Q: How has your technology focus changed in the five years you've been at Netegrity?
The initial focus was access controls and authentication for Web-based applications. The user management side of things has become a whole lot more important. Companies have said to us, "It's great to take a policy-based approach to securing applications for the extranet, but help us manage our user populations. Help us delegate the administration of our user population."
We've been pulled in two directions. Customers say, "Help us deal with the enterprise problems," which is the provisioning issue, which is user management across the enterprise.
We've also been pulled out of the extranet with respect to business-to-business interactions with partners, with respect to business-to-consumer issues and from one Web site to another Web site. The real issue there is, How do you deal with partners and affiliates, and how do you federate your security? So the problem has grown -- it's stretched into the enterprise and stretched out to partner sites.
The other key change over the past few years is the shift in distributed computing to a service-oriented architecture. The very definition of an application is now changing. This whole space is based on connecting users with applications, but the application is no longer the application it used to be. It's not this big monolithic thing. It's now Web services, which are these relatively small things that can be reused and integrated.
Q: How do you differentiate your technology from your competitors?
How do you say, "This is the way we do it, and it's different from the way somebody else does it"? First, a key design principle for us is whatever we do, we do assuming it's a heterogeneous environment. So we have to support a heterogeneous environment. We're not a Microsoft that can make the assumption that all the applications are going to be Kerberos-based.
Second, the model to us is an end-to-end model. It's not merely about the extranet or about the enterprise or about the partner side. It's end to end, all the way from interactions with partners, interactions between users and extranet applications, interactions between users and enterprise applications.
A third issue is integration. A good way to think about it is, What do administrators deal with in managing this converged infrastructure? We think that giving them two different role models, two different delegated administration models, two different workflow models, two different auditing models is the wrong thing to do. All audit data goes to one place, and there's a single set of reports that people can run. The delegation model is the same whether you're a policy administrator or a user administrator. So provisioning, whether it's extranet user provisioning or enterprise provisioning, is the same workflow model.
Another really important point is the shift to service-oriented architecture. We started thinking about XML messaging and Web services security three and a half or four years ago. Through our partnerships, we are going to broaden our footprint in that area. The last point is scalability. We think in terms of tens of millions of users and hundreds of thousands of applications. We're not really worried about small companies here. This is about the needs of the Fortune 500 and the Global 2000.
Q: The conventional wisdom is that security is one of the biggest barriers to adoption of Web services. How do you specifically get over that barrier?
The challenge with Web services is that the standards are not in place yet. We've worked very diligently with other vendors to come up with SAML [Security Assertion Markup Language], and that's going to help us on the Web services side. But overall, there's a lot of potential standards battling for attention, and there's a lot of political agendas in the mix. And without having standards in place, people are uncomfortable putting a Web services architecture in place that's based on one implementation or another.
Having said that, I think you can get started with what already has been standardized to some extent. So there's WS-Security; there are companies coming up with WS-Trust and WS-Policy; and Sun has just announced something -- they're working with Fujitsu and a bunch of other companies on WS-Reliability. All this will take time, but the basics are in place. WSDL, SOAP, UDDI, SAML -- you can get started, and I think a lot of people are starting to do that.
Overall, I think it will take a while before the standards come together and large companies feel comfortable committing to Web services.
Job Title: CTO
Accomplishments: More than 20 years of experience in network protocol development, directory services, network management and security. Prior to Netegrity, he led the development of Switchboard Inc.'s directory Web site. Before that, he was director of engineering at Banyan Systems Inc.