LDAP – the heart of the secure organization
by Ken Watt
Single sign-on (SSO) has long been a holy grail for security teams in large, complex organizations. But the obstacles in the way of its universal deployment have so far proved too great, in particular the challenge of interfacing and synchronizing data held in the various directories that larger companies typically deploy.
These proprietary directories have traditionally been built around individual applications, which creates problems for anyone attempting to standardize or centralize user and application credentials.
But things are looking up. The accelerating adoption of LDAP (Lightweight Directory Access Protocol) is finally offering hope to beleaguered security managers who want to integrate multiple enterprise directories, and so make SSO practical.
Deploying LDAP across an entire organization can have significant benefits. Firstly, the problem of co-ordinating core directory data is largely solved, because there is one authoritative copy of it. Users are given standardized access permissions defined by their role within the company. Authentication credentials can then be maintained centrally and referenced by a whole host of platforms and applications.
In terms of security, the gains are enormous.
Centralized and standardized administration enables effective management of user accounts across all platforms and applications: an account can be updated as the employee's role changes and revoked in one place when they leave, rather than lingering in each application's own directory. Authorization processes and profiles can be managed and audited centrally, so anomalies and abuses are identified more easily.
Uniform authentication parameters, such as password policy, can also be set, and stronger credentials such as tokens required where the risk warrants it. Finally, monitoring is simplified, so potential security incidents can be spotted and dealt with more easily.
But effective LDAP integration goes beyond centralising the three As of security (authentication, authorization and accounting); it can enhance the power of all networked applications. A single change can be replicated across all directories and applications, which is far more efficient for both administrators and users. Users can also authenticate with a single secure credential, which is far less prone to failure than a plethora of passwords and IDs. The flip side is that the directory and that one credential become a single point of compromise, so the directory itself must be hardened and monitored at least as carefully as the most sensitive application that trusts it.
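To make the "three As" concrete, here is an added example (not code from the article or from any product it names) that models a central LDAP directory as a Python dictionary loaded from LDIF, and shows two hypothetical applications binding against it, checking role groups, and both losing access the moment the leaver process locks one account. The people, groups, passwords and LDIF are constructed for illustration; the `{SSHA}` password scheme is the salted SHA-1 format OpenLDAP and iPlanet store, and the permanent-lock value `pwdAccountLockedTime: 000001010000Z` follows the OpenLDAP password-policy convention (both are assumptions about the deployment, not anything the article states).

```python
import base64
import hashlib
import hmac
from typing import Dict, List

Entry = Dict[str, List[str]]      # attribute -> values (attribute names lowercased)
Directory = Dict[str, Entry]      # dn (lowercased) -> entry

BASE = "dc=example,dc=com"        # hypothetical suffix


def ssha_hash(password: str, salt: bytes) -> str:
    """Encode a password in the {SSHA} scheme: base64(sha1(password || salt) || salt).
    The salt is passed in so the constructed sample below is deterministic.
    SHA-1 is legacy; it is used here only because that is what {SSHA} means."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """Constant-time comparison of a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]            # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)


# Constructed sample directory in LDIF (hypothetical people and groups).
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,{BASE}
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
userPassword: {ssha_hash('correct horse', b'salt0001')}

dn: uid=bob,ou=people,{BASE}
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
userPassword: {ssha_hash('hunter2', b'salt0002')}

dn: cn=payroll-admins,ou=groups,{BASE}
objectClass: groupOfNames
cn: payroll-admins
member: uid=alice,ou=people,{BASE}

dn: cn=wiki-users,ou=groups,{BASE}
objectClass: groupOfNames
cn: wiki-users
member: uid=alice,ou=people,{BASE}
member: uid=bob,ou=people,{BASE}
"""


def parse_ldif(text: str) -> Directory:
    """Minimal LDIF (RFC 2849) reader: blank-line separated entries, multi-valued
    attributes, folded continuation lines. Base64 (::) values and changetype
    records are not handled because the sample does not use them."""
    directory: Directory = {}
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:          # folded continuation line
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        entry: Entry = {}
        for line in lines:
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        directory[entry.pop("dn")[0].lower()] = entry
    return directory


def authenticate(directory: Directory, dn: str, password: str) -> bool:
    """Model an LDAP simple bind: entry must exist, must not be locked, and the
    password must match one of its userPassword values."""
    entry = directory.get(dn.lower())
    if entry is None:
        return False
    if "000001010000Z" in entry.get("pwdaccountlockedtime", []):   # ppolicy permanent lock
        return False
    return any(ssha_verify(h, password) for h in entry.get("userpassword", []))


def is_member(directory: Directory, user_dn: str, group_dn: str) -> bool:
    """Authorization: role membership is a groupOfNames 'member' attribute."""
    group = directory.get(group_dn.lower(), {})
    return user_dn.lower() in {m.lower() for m in group.get("member", [])}


def app_login(directory: Directory, app_group: str, dn: str, password: str) -> str:
    """What every networked application does: bind with the user's single credential,
    then check the role group it requires. Returns 'denied', 'authenticated' or 'authorised'."""
    if not authenticate(directory, dn, password):
        return "denied"
    return "authorised" if is_member(directory, dn, app_group) else "authenticated"


def disable_account(directory: Directory, dn: str) -> None:
    """Leaver process: one change in the central directory revokes access everywhere."""
    directory[dn.lower()]["pwdaccountlockedtime"] = ["000001010000Z"]


def demo():
    d = parse_ldif(SAMPLE_LDIF)
    alice = f"uid=alice,ou=people,{BASE}"
    payroll = f"cn=payroll-admins,ou=groups,{BASE}"
    wiki = f"cn=wiki-users,ou=groups,{BASE}"
    before = (app_login(d, payroll, alice, "correct horse"),
              app_login(d, wiki, alice, "correct horse"),
              app_login(d, payroll, alice, "wrong password"))
    disable_account(d, alice)                       # Alice leaves the company
    after = (app_login(d, payroll, alice, "correct horse"),
             app_login(d, wiki, alice, "correct horse"))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is structural: neither application stores a password or a role of its own, so the payroll and wiki decisions change together when one entry in the directory changes. The same structure is what makes the directory the target worth protecting.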
However if LDAP represents network nirvana, there is still some work ahead before we reach this particular paradise. Although there are growing numbers of enterprises that have embraced LDAP successfully, there are many others that are still wrestling with a multitude of platforms, applications and databases that don't offer an easy route to integration and standardization. Before we give in to the hype, we need to consider the practicalities.
Take the example of a company with a significant Microsoft desktop and server estate, much of it running older operating systems that were not LDAP compliant. Much of the desktop hardware was not up to running Windows 2000 or XP, and there was a small but significant population of Apple Macs.
Furthermore, the server mix included Windows, multiple flavors of UNIX and AS/400 thrown in for good measure. Core business applications were a combination of commercial off-the-shelf and home-grown products, with little LDAP awareness in either. Lotus Notes was used for email and PeopleSoft for HR, each with its own directory.
A company such as this, which is not unusual, faces a number of choices when moving to an LDAP compliant system, with pros and cons on each side.
The first option is a Microsoft-centred environment, with Active Directory at the core and Microsoft Identity Integration Server (MIIS) as a 'meta directory' add-on that synchronizes the other directories with it. There may be cost advantages to following this route, but it doesn't necessarily cover all users and certainly not all servers and applications. It also remains an internally proprietary platform despite its external LDAP interface.
The basic alternative is a core directory outside the Microsoft stack, with native LDAP integration and custom scripted connectors where required. A commercial LDAP directory, such as iPlanet, brings the advantage of supplier integration and support but at significant additional cost. Open source directories such as OpenLDAP have clear cost advantages but could leave organizations exposed in terms of support.
Introducing LDAP therefore is not a quick fix for the issues arising from obsolete platforms, bespoke applications, incompatibility and variety. It can however deliver benefits for the long term.
The good news is that there are many examples of organizations doing this very successfully. It requires vision, determination, a degree of patience and certainly a sound dose of pragmatism. But the work is worth it. The results where integration is achieved successfully can be startling.
LDAP has already made its mark and will eventually become ubiquitous. It will, however, take more time before non-compliant legacy applications disappear completely. In the meantime, organizations should identify the strategy that offers them the most effective route to directory integration over the shortest possible time, balancing the pros and cons of the various open and proprietary offerings.
The author is Consultancy Director, INSL