The Only Cloud IAM with a Built-In Virtual Directory


Here’s a question that reveals a fundamental difference in how IAM platforms work: where do your identities actually live? 

For most cloud IAM solutions, the answer is simple—they live in the vendor’s directory. You sync your Active Directory to their cloud, copy your HR data into their system, and maintain yet another repository of identity information. Every time something changes on-premises, you wait for the next sync cycle to propagate that change to the cloud. 

The OptimalCloud works differently. It’s the only cloud IAM platform built on a true virtual directory—and that architectural difference changes everything. 

The Synchronization Problem 

Traditional cloud IAM platforms require synchronization. They need a copy of your identity data in their system before they can manage access. This creates several problems that organizations discover only after they’ve committed to a platform. 

The first problem is latency. When an employee is terminated, how long does it take for that termination to revoke their cloud access? If you’re relying on scheduled sync cycles, the answer might be hours. That’s hours during which a disgruntled former employee—or someone who has compromised their credentials—can still access sensitive resources. 

The second problem is data duplication. Every system that maintains a copy of your identity data is another system that must be secured, another system that could be breached, another system that could get out of sync with reality. Data duplication doesn’t just create operational overhead—it creates security risk. 

The third problem is complexity. Large enterprises don’t have one Active Directory; they have dozens, sometimes hundreds—the result of mergers, acquisitions, and organic growth over decades. Synchronizing all of those directories to a cloud IAM platform is a massive undertaking. Keeping them in sync is even harder. 

The fourth problem is data sovereignty. Some identity data can’t leave certain jurisdictions. Some organizations can’t copy employee information to third-party cloud systems due to regulatory requirements or contractual obligations. For these organizations, traditional cloud IAM is simply not an option. 

What Is a Virtual Directory? 

A virtual directory—sometimes called a virtual identity server or VIS—solves these problems by eliminating the need for synchronization entirely. 

Instead of copying identity data from source systems into its own directory, a virtual directory creates an abstracted, unified view of identity data wherever it lives. When the OptimalCloud needs to authenticate a user or evaluate their access rights, it queries the authoritative source systems in real time. There’s no copy. There’s no sync. There’s just a live connection to the truth. 

This approach has profound implications for how identity management works in practice. 

When an employee is terminated in Active Directory, their access through the OptimalCloud is revoked immediately—not at the next sync cycle, but right now. The OptimalCloud doesn’t need to receive an update because it’s reading directly from the source. 

When your organization acquires another company with its own directory infrastructure, you don’t need to migrate their users into your directory before they can access resources. The OptimalCloud simply connects to their directory and presents a unified view. Users can authenticate on day one. 

When regulatory requirements prohibit copying certain identity data to external systems, the OptimalCloud complies automatically—because it never copies the data in the first place. 

The OptimalCloud’s VIS Foundation 

The Optimal IdM Virtual Identity Server (VIS) isn’t a feature of the OptimalCloud—it’s the foundation on which the OptimalCloud is built. This architectural decision distinguishes the OptimalCloud from every other cloud IAM platform on the market. 

The VIS can connect to virtually any identity data source. Active Directory, LDAP directories, SQL databases, HR systems, SaaS applications, custom-built identity stores—the VIS can integrate with all of them. It supports standard protocols like LDAP and SCIM, as well as custom APIs for proprietary systems. 

What makes the VIS particularly powerful is its ability to aggregate and correlate identity data across these sources without synchronization. A user might exist in multiple directories—a primary Active Directory for their employee account, a partner directory for external collaboration, and an HR system that contains their authoritative employment information. The VIS presents these as a unified identity, enabling consistent access policies regardless of which source system contains the relevant data. 

This capability is especially valuable for large enterprises with complex directory environments. Rather than attempting to consolidate dozens of directories into one—a project that often takes years and never fully succeeds—organizations can deploy the OptimalCloud immediately, connecting to directories as they exist today. 

Real-World Impact 

Consider a global manufacturing company with operations in thirty countries. Over decades of growth and acquisition, the company has accumulated more than fifty Active Directory forests, each managed independently by regional IT teams. Traditional cloud IAM would require consolidating or synchronizing these directories—a multi-year project with significant risk. 

With the OptimalCloud, this company can deploy cloud IAM immediately. The VIS connects to each directory, creating a unified view that enables single sign-on across the entire organization. Users authenticate against their local directory, but access policies are enforced consistently worldwide. When a user’s employment ends, access is revoked immediately in real time, regardless of which regional directory manages their account. 

Consider a healthcare system that must comply with strict data residency requirements. Patient data must remain in specific jurisdictions, and employee identity data is subject to similar constraints. Traditional cloud IAM would require the healthcare system to copy identity data to the vendor’s cloud—a potential compliance violation. 

With the OptimalCloud, identity data never leaves the healthcare system’s infrastructure. The VIS queries source systems in real time, enforcing access policies without copying data anywhere. The healthcare system achieves the benefits of cloud IAM without the compliance risk. 

Consider a professional services firm managing access for both employees and thousands of client organizations. Each client has its own identity infrastructure, and the firm needs to federate access across all of them. Synchronizing identity data from hundreds of client directories would be impractical. 

With the OptimalCloud, the firm federates with each client’s directory directly. The VIS brokers authentication requests, routing them to the appropriate client directory and applying consistent access policies regardless of where the user’s identity lives. Clients don’t need to change their infrastructure, and the firm doesn’t need to manage thousands of synchronized directory copies. 

Beyond Basic Federation 

Some IAM platforms claim to solve the synchronization problem through federation. And federation is part of the answer—it allows users to authenticate against their home directory rather than a cloud copy. But basic federation has limitations. 

Federation typically works at the application level. You federate access to application A with one directory and access to application B with another. This works for simple scenarios, but it doesn’t provide the unified view needed for sophisticated access policies, analytics, or orchestration. 

The VIS goes beyond federation by providing a unified identity layer that spans all federated sources. When the OptimalCloud evaluates an access policy, it can consider attributes from multiple sources—role information from Active Directory, employment status from the HR system, certification data from a training database, risk scores from a security analytics platform. All of this happens in real time, with no synchronization required. 

This capability enables access policies that would be impossible with synchronization-based IAM. Policies like “grant access only to employees who have completed security training in the last ninety days and are not on a travel hold list” require correlating data from multiple systems. With synchronization, you’d need to copy all of this data to the IAM platform and keep it continuously updated. With the VIS, you simply connect to the authoritative sources and query them when needed. 
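To make the contrast concrete, here is an added Python illustration (not Optimal IdM or OptimalCloud code) of the policy quoted above evaluated two ways: once against a synchronized snapshot and once against live sources. The three sources, the user names and the dates are constructed stand-ins, and the assumption is that a termination is written to AD after the last sync cycle ran.

```python
from datetime import date

# Constructed in-memory stand-ins for the authoritative sources the text names
# (AD, an HR/training database, a security platform). Not Optimal IdM code.
def make_sources():
    ad = {"jdoe": {"enabled": True, "role": "engineer"}}
    training = {"jdoe": date(2024, 5, 1)}   # last security-training completion
    travel_hold = {"asmith"}                 # users currently on a travel hold
    return ad, training, travel_hold

def correlate(user, ad, training, travel_hold):
    """Aggregate one user's attributes from every source into one unified view."""
    return {"enabled": ad.get(user, {}).get("enabled", False),
            "training_date": training.get(user), "travel_hold": user in travel_hold}

def policy_allows(view, today, max_age_days=90):
    """The text's policy: enabled, trained in the last 90 days, no travel hold."""
    ok = view and view["enabled"] and not view["travel_hold"] and view["training_date"]
    return bool(ok) and (today - view["training_date"]).days <= max_age_days

class SyncedDirectory:
    """Sync-based IAM: decisions use the copy taken at the last sync cycle."""
    def __init__(self, sources):
        self.sources, self.snapshot = sources, {}
    def sync(self):                          # scheduled job; stale until next run
        ad, training, hold = self.sources
        self.snapshot = {u: correlate(u, ad, training, hold) for u in ad}
    def check(self, user, today):
        return policy_allows(self.snapshot.get(user), today)

class VirtualDirectory:
    """Virtual directory: each decision queries the live sources; no copy held."""
    def __init__(self, sources):
        self.sources = sources
    def check(self, user, today):
        return policy_allows(correlate(user, *self.sources), today)

def termination_gap(user="jdoe", today=date(2024, 6, 1)):
    """Terminate the user in AD after a sync and compare both architectures."""
    sources = make_sources()
    synced, virtual = SyncedDirectory(sources), VirtualDirectory(sources)
    synced.sync()
    before = (synced.check(user, today), virtual.check(user, today))
    sources[0][user]["enabled"] = False      # termination lands in AD, no resync
    after = (synced.check(user, today), virtual.check(user, today))
    return before, after                     # ((True, True), (True, False))
```

The second tuple is the latency window from "The Synchronization Problem": the synchronized copy keeps granting access until its next cycle, while the live query denies it on the next decision.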

The Competitive Advantage 

The virtual directory architecture is the OptimalCloud’s most significant technical differentiator. Competitors like Ping and Okta require synchronization because their platforms were designed around centralized directories. Retrofitting a virtual directory architecture onto a synchronization-based platform is technically difficult—and none of the major competitors have done it. 

This means organizations choosing between the OptimalCloud and its competitors aren’t just choosing features—they’re choosing architectures. And architecture decisions have long-term consequences. 

Organizations that choose synchronization-based IAM will continue to deal with sync latency, data duplication, and directory consolidation challenges for as long as they use those platforms. Organizations that choose the OptimalCloud avoid those challenges entirely. 

Making the Decision 

If your organization has a single, well-managed directory and no plans for growth, acquisition, or complex federation, synchronization-based IAM might be adequate. But few enterprises match that description. 

If you have multiple directories, anticipate mergers or acquisitions, need to federate with partners or clients, face data residency requirements, or simply want real-time revocation rather than sync-cycle-dependent security, the OptimalCloud’s virtual directory architecture offers substantial advantages. 

The question isn’t whether virtual directory architecture is better—architecturally, it clearly is. The question is whether that architectural advantage matters for your organization. For most enterprises, the answer is yes. 

Contact us for more information.


Frequently Asked Questions 

What is a virtual directory in identity management? 

A virtual directory in identity management is a technology that creates a unified, abstracted view of identity data from multiple sources without copying or synchronizing that data into a central repository. Instead of replicating identity information from Active Directory, LDAP directories, HR systems, and databases into the IAM platform, a virtual directory queries these sources in real time and presents a consolidated view. This eliminates synchronization latency, reduces data duplication risks, and ensures that access decisions always reflect the current state of authoritative source systems. The Optimal IdM Virtual Identity Server (VIS) is the foundation of the OptimalCloud’s architecture. 

What is the difference between directory synchronization and virtual directory? 

Directory synchronization copies identity data from source systems into a central directory, requiring scheduled sync cycles to keep the copy up to date. This creates latency—changes in source systems aren’t reflected until the next sync completes, which can be hours. Virtual directory technology takes a fundamentally different approach: instead of copying data, it connects directly to source systems and queries them in real time. There’s no copy to maintain, no sync cycle to wait for, and no latency gap during which access decisions are based on stale data. When an employee is terminated in Active Directory, a virtual directory reflects that change immediately. 

How do you consolidate multiple Active Directory forests without migration? 

Consolidating multiple Active Directory forests without migration is possible using virtual directory technology. Rather than undertaking a complex, multi-year directory consolidation project, organizations can deploy a virtual directory that connects to each AD forest and presents a unified identity view. Users continue authenticating against their existing directories while the virtual directory enables consistent access policies, single sign-on, and centralized governance across all forests. The OptimalCloud’s VIS can integrate with dozens or hundreds of AD forests simultaneously, providing immediate consolidation benefits without the risk and effort of actual directory migration. 

What is cloud IAM without synchronization? 

Cloud IAM without synchronization refers to identity and access management platforms that don’t require copying identity data from on-premises directories to the cloud. Traditional cloud IAM solutions need synchronized copies of your Active Directory, HR data, and other identity sources before they can manage access. This creates sync latency, data duplication, and potential compliance issues when identity data must remain on-premises. The OptimalCloud delivers cloud IAM without synchronization by using its Virtual Identity Server (VIS) to connect directly to on-premises and cloud identity sources in real time. Identity data stays where it is; only authentication and authorization decisions flow through the cloud. 
