Integration Ingenuity
Providing access control across different systems is imperative to meet compliance, regulations
IN a typical IT environment, heterogeneity is the standard -- in server operating systems, in database platforms and in software applications running on those servers. Mixed Windows®, Mac and UNIX/Linux environments, and all of the complications that come from supporting them, are a fact of life for almost all IT organizations. This situation will prevail as both Linux and Windows grow in the data center and more Java- and Web-based enterprise applications are deployed.
Organizations want heterogeneous servers and applications to be plug-and-play, so that IT does not have to spend time acting as a systems integrator or having to manually -- and expensively -- administer an ever-growing number of systems and applications individually.
Not surprisingly, achieving interoperability among the system and application platforms complicates life for IT managers. Organizations want heterogeneous servers and applications to be plug-and-play, so that IT does not have to spend time acting as a systems integrator or having to manually -- and expensively -- administer an ever-growing number of systems and applications individually. In addition, organizations want to leverage existing investments to get economies of scale, as budgets force the companies to do more with less. But most system and application vendors spend very little research and development efforts trying to make solutions play nicely with other, often competing, products.
The companies instead invest in an arms race by adding unique and differentiating features, and IT organization are left trying to manage islands of non-integrated computing infrastructures.
Leaving Systems As Is
Until recently, organizations dealt with the lack of cross-platform interoperability by leaving the islands of infrastructure as is and paying the overhead to administer systems in a separate and decentralized manner. Not only does the approach impact IT productivity, but it often forces end users to have multiple usernames and passwords for different applications, which can significantly impact the productivity and make the IT environment less secure, as passwords are often lost or stolen.
However, when it comes to managing and securing the heterogeneous and unintegrated environments, regulations, such as Sarbanes-Oxley, HIPAA and the payment card industry data security standard, call for standardized and centralized ways of controlling which users can access which systems, applications and data, and for auditing what those users did when they were granted that access.
Continuing to have separate and non-integrated mechanisms to centrally control access to key systems is no longer an option, as regulations clearly dictate that organizations should have a centralized mechanism to grant users appropriate access to corporate resources -- regardless of the platform that is being used. Some think only large, public companies need to meet the requirements. But, in fact, the requirements can be equally applicable to small retailers that accept credit cards comply with the payment card industry's data security requirements and that risk fines for failure to do so.
Different Paths
Faced with these issues -- compliance requirements; heterogeneous platforms; expensive, decentralized management; security vulnerabilities; multiple IDs and passwords per user; and pressure to reduce costs -- IT organizations have just a few paths to travel to reach a viable solution. Some of the paths include:
Do nothing and live with the balkanized environment. This short-term tactic is frequently accompanied by process or paper corrections. One company chose to solve the password change policy problem by having its administrators and developers sign an affidavit, asserting that they change their password on each system every 90 days. This hardly matches the intent of the law.
Many organizations feel forced into this situation while looking for a solution that fits a budget and doesn?t require intrusive changes to existing systems or business practices. The companies are willing to run the risk of being caught by regulators, or believe the money saved by delaying purchasing and implementing a solution will make up for any initial fines that may occur. Eventually, most organizations will have to understand potential fines will outweigh the savings from further delays and can cause negative publicity. Worse still is the security vulnerability the companies are exposing the organization to by not establishing the best practices prescribed by the regulations.
Try to implement an expensive and complex synchronization solution. Several existing identity management solutions leave existing systems in place and install solutions that map and synchronize user information and access rights between the various incompatible systems. There are a number of vendors to choose from in this category. But the approach has numerous problems
Extend an existing identity store to replace as many existing stores as possible. In this model, the goal is to select a central directory system that has a proven track record and a clearly defined future direction, and leverage that single identity system to replace and/or consolidate existing identity systems.
This option clearly makes the most business sense for solving the cross-platform identity management crisis. Consolidating and centralizing identity systems offers clear benefits in productivity, cost savings, security and reporting. The hard question to answer is: Which identity store has the potential to fill this need?
Active Identity
Given that active directory is an inseparable part of the Windows environment, and most organizations already have the system deployed, it is an ideal candidate for assuming the role as an organization's centralized identity system. Microsoft, however, focuses its efforts on the Windows platform and does not provide a comprehensive solution for embracing other platforms. This has led new identity management vendors, such as Centrify, to deliver solutions that extend active directory to platforms and applications that it does not natively support. Leveraging an existing active directory infrastructure also offers a cost-effective way to meet regulatory requirements within today's strained IT budgets.
IT organizations may be wary of leveraging a single directory for their enterprise access control needs, and it may be impractical to integrate a legacy identity system on a mainframe into a centralized environment. Still, a reduction in the islands of identity systems in the corporate network -- such as providing a single, integrated solution for Windows, UNIX, Linux and Mac -- can significantly improve end-user productivity, reduce operating costs, improve security and make it easier to meet regulatory requirements.
Regardless of whether you adopt synchronization or a strategy of embracing and extending an existing directory across the enterprise, it is essential to better integrate access control across heterogeneous systems to meet regulatory and compliance requirements. Regulations dictate organizations have a centralized mechanism to grant users appropriate access to corporate resources -- regardless of the platform that is being used. The security of organizations depend on it.
This article originally appeared in the November 2006 issue of Security Products, pg. 34.