Project Bandit to Open Source Identity Management Software
Published: June 13, 2006
by Timothy Prickett Morgan
Commercial Linux distributor Novell yesterday started a new open source project called Bandit, which it hopes will become a focal point for the development of software for managing access to computers, data, and applications. Rather than compete with other emerging standards that touch on identity management, such as the Liberty Alliance being promoted by Sun Microsystems or Project Higgins, launched by the Eclipse Consortium in December 2004 and championed by IBM and Novell starting this February, the Bandit project will try to incorporate these emerging standards and create open source implementations of the various aspects of identity management and access control.
But more importantly, says Dale Olds, the distinguished engineer at Novell who is heading up the Bandit project (that's a title, not our assessment of Olds' coding skills), Bandit is really about taking a slightly different approach to security and identity management. Novell, of course, has been peddling its Novell Directory Server, now known as eDirectory, on NetWare, Windows, Unix, and Linux platforms for many years. Before the company bought into Linux, and after it decided it could not kill Windows with NetWare, Novell picked an area where Microsoft was not so strong: directory services and access control for the services those directories govern. Olds worked on the NDS and eDirectory products, then had a stint at Linux distributor Turbolinux before returning to Novell. He wants to take a different approach to controlling access to computer resources, and Bandit is about learning from the Internet and the way it developed.
Olds says that when the Berkeley Systems Design variant of Unix and its related Berkeley Internet Name Domain service (the implementation of the Internet's Domain Name Service that was created for BSD Unix) were created and available as open source programs, "this set a foundation for the Internet fabric that eventually allowed the Web to take off." The main beneficiaries of this open sourcing were, of course, companies like Cisco Systems, which created routers to manage network traffic, and server makers who created the platforms that embodied the Internet.
With Bandit, Novell wants to help foster a similar collection of open source programs that cope with identity issues. "We have learned a lot about identity in the enterprise space," explains Olds. "The Bandit project is about taking the functions of eDirectory and decomposing them into various pieces and then distributing them across the Internet." While very proud of the directory services he helped to create, Olds says that the IT industry has to create a system that has multiple identity sources in mind, not a single vendor's identity server.
And Bandit is not just about taking components of eDirectory open source and hoping that Novell will be the main beneficiary of that opening up of the code--although that is a factor in Novell's altruism. It's about creating a framework that allows different kinds of identity management software to plug into each other and work together. "Everybody recognizes that we need an identity fabric, and we all agree that we need to work together," says Olds.
The Bandit open identity services that were released yesterday under GPL or LGPL licenses include the Common Authentication Services Adapter (CASA), which Novell created for its Novell Linux Desktop commercial desktop operating system. CASA caches user and system credentials on a Linux system so that applications can offer single sign-on functionality. CASA supports the Linux kwallet, an equivalent to Microsoft's Passport (remember that?), as well as GKring and PasswordManager. Novell says that CASA will eventually tie into LDAP directories and Kerberos security programs. Bandit also includes Novell's implementation of the Project Higgins common identity service framework. The Higgins framework aggregates identity data from LDAP directories, Liberty and InfoCard profiles, and Linux /etc/passwd files to create a cached, virtual identity.
Novell is also releasing a role engine based on the RBAC and XACML standards that feeds into the Higgins framework and allows role-based access control to be integrated into any application. Bandit also includes a program called the Audit Record Framework (yes, that is ARF, and Bandit's logo is a dog with a black mask on) to keep track of who can access what and when they did; this is important for demonstrating compliance with regulations that govern access to data and applications. ARF includes open APIs that will allow compliance software to plug right into identity management programs that control access to computer resources. (They always make this sound so easy.)
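To make the pairing described above concrete, here is an added illustration (not Bandit's own code) of a deny-by-default role engine whose every decision, expressed in XACML's Permit/Deny vocabulary, is written to an audit record of the kind ARF is meant to keep. The roles, resources and subjects are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample role table: each role maps to (resource, action) pairs.
# Anything not listed here is denied; an unknown role grants nothing.
ROLE_PERMISSIONS = {
    "hr_clerk": {("payroll", "read")},
    "hr_admin": {("payroll", "read"), ("payroll", "write")},
}


@dataclass
class AuditRecord:
    """One 'who did what, to what, when, with which outcome' record."""
    when: str
    subject: str
    roles: tuple
    resource: str
    action: str
    decision: str


@dataclass
class RoleEngine:
    audit: list = field(default_factory=list)

    def decide(self, subject, roles, resource, action, now=None):
        """Return 'Permit' or 'Deny' and append an audit record either way."""
        granted = any((resource, action) in ROLE_PERMISSIONS.get(r, set())
                      for r in roles)
        decision = "Permit" if granted else "Deny"
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.audit.append(AuditRecord(stamp, subject, tuple(roles),
                                      resource, action, decision))
        return decision

    def who_can(self, resource, action):
        """Compliance view: which roles are able to perform this action."""
        return sorted(r for r, perms in ROLE_PERMISSIONS.items()
                      if (resource, action) in perms)


if __name__ == "__main__":
    engine = RoleEngine()
    engine.decide("alice", ["hr_clerk"], "payroll", "write")
    engine.decide("bob", ["hr_admin"], "payroll", "write")
    for record in engine.audit:
        print(record)
```

Denials are recorded alongside permits, since an auditor wants to see refused attempts as much as successful ones.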
And finally, Bandit includes something called FLAIM, which is short for the Flexible Adaptable Information Management service. This is a database engine for coping with traditional identity data as well as with volatile (meaning not persistent) and complex information. In Novell's view, the advent of XML and Web services based on XML requires a database architecture for storing identity data that is a bit more flexible than a traditional database, while still able to process transactions, recover from a crash, process reliably, and scale to manage users.
Olds says that Novell will incorporate future Bandit technologies in its SUSE Linux distribution, and will support the project with money and developers as the Bandit community coalesces. For now, Novell is setting the long-term engineering goals for the project, but Novell says that it is willing to consider "other organizational models" as the Bandit community grows.
There's just one question: Why call security software Bandit? Isn't that counterintuitive? Counterproductive, even.