The Essentials Series: Enterprise Identity and Access Management. Authentication. sponsored by. by Richard Siddaway



Similar documents
The Essentials Series: Enterprise Identity and Access Management. Authorization. sponsored by. by Richard Siddaway

Administration Challenges

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

Mitigating Risks and Monitoring Activity for Database Security

Enabling Useful Active Directory Auditing

Tips and Best Practices for Managing a Private Cloud

Understanding & Improving Hypervisor Security

Maximizing Your Desktop and Application Virtualization Implementation

Protecting Data with a Unified Platform

Streamlining Web and Security

Best Practices in Deploying Anti-Malware for Best Performance

Controlling and Managing Security with Performance Tools

Fulfilling HIPAA Compliance by Eliminating

Steps to Migrating to a Private Cloud

Making Endpoint Encryption Work in the Real World

Protecting Data with a Unified Platform

Maximizing Your Desktop and Application Virtualization Implementation

How Configuration Management Tools Address the Challenges of Configuration Management

Maximizing Your Desktop and Application Virtualization Implementation

Securing Endpoints without a Security Expert

Maximizing Your Desktop and Application Virtualization Implementation

Best Practices for Log File Management (Compliance, Security, Troubleshooting)

Why Endpoint Encryption Can Fail to Deliver

Auditing File and Folder Access

Using Web Security Services to Protect Portable Devices

Non-Native Options for High Availability

The Art of High Availability

Relating High Availability Metrics to Business Value

Matching High Availability Technology with Business Needs

Understanding the Business Benefits of Managed Services

Virtual Machine Environments: Data Protection and Recovery Solutions

Single Sign-On for Kerberized Linux and UNIX Applications

Becoming Proactive in Application Management and Monitoring

Real World Considerations for Implementing Desktop Virtualization

Protecting Data with a Unified Platform

Eradicating PST Files from Your Network

Collaborative and Agile Project Management

Account Access Management - A Primer

How to Install SSL Certificates on Microsoft Servers

The Next-Generation Virtual Data Center

Data Protection in a Virtualized Environment

Real World Considerations for Implementing Desktop Virtualization

How to Install SSL Certificates on Microsoft Servers

Solving the Storage Challenge Across Platforms: Transparent Compression for Windows Operating Systems

Collaborative and Agile Project Management

Quickly Recovering Deleted Active Directory Objects

Lowering Costs of Data Protection through Deduplication and Data Reduction

The Business Case for Security Information Management

Where Do I Start With Virtual Desktops?

CA SiteMinder SSO Agents for ERP Systems

The Definitive Guide. Active Directory Troubleshooting, Auditing, and Best Practices Edition Don Jones

Active Directory 2008 Operations

Active Directory and DirectControl

How Are Certificates Used?

Replication and Recovery Management Solutions

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Developing a Backup Strategy for Hybrid Physical and Virtual Infrastructures

Whitepaper: Centeris Likewise Identity 3.0 Security Benefits

How the Software-Defined Data Center Is Transforming End User Computing

Privileged Password Management Systems

How to Use SNMP in Network Problem Resolution

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

How to Install SSL Certificates on Microsoft Servers

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

The Evolving Threat Landscape and New Best Practices for SSL

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

The Administrator Shortcut Guide tm. Active Directory Security. Derek Melber, Dave Kearns, and Beth Sheresh

Benefits of Using Data Loss Prevention Technology

By the Citrix Publications Department. Citrix Systems, Inc.

How To Understand The Difference Between Network Analysis And Network Monitoring

What Are Certificates?

Reducing Backups with Data Deduplication

Managing Your Virtualized Environment: Migration Tools, Backup and Disaster Recovery

Realizing the IT Management Value of Infrastructure Management

Isolating Network vs. Application Problems

identity management in Linux and UNIX environments

Likewise Security Benefits

Dell One Identity Manager 7.0. Help Desk Module Administration Guide

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Beyond the Hype: Advanced Persistent Threats

The Shortcut Guide To

How the Software-Defined Data Center Is Transforming End User Computing

Pr oactively Monitoring Response Time and Complex Web Transactions Working with Partner Organizations... 2

How the Quest One Identity Solution Products Enhance Each Other

Defender Delegated Administration. User Guide

Active Directory Change Notifier Quick Start Guide

Can You Trust a Cloud-based Security Solution?

White Paper. Authentication and Access Control - The Cornerstone of Information Security. Vinay Purohit September Trianz 2008 White Paper Page 1

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

How To Manage A Privileged Account Management

What Are Cloud Connected Data Protection Services About?

CA Spectrum and CA Embedded Entitlements Manager

A brief on Two-Factor Authentication

CA Performance Center

Privileged Account Access Management: Why Sudo Is No Longer Enough

Addressing the United States CIO Office s Cybersecurity Sprint Directives

Advanced Authentication

How Traditional Physical Backup Imaging Technology Fits Into a Virtual Backup Solution

The Definitive Guide. Monitoring the Data Center, Virtual Environments, and the Cloud. Don Jones

Transcription:

The Essentials Series: Enterprise Identity and Access Management Authentication sponsored by by Richard Siddaway

Authentication...1 Issues in Authentication...1 Passwords The Weakest Link?...2 Privileged Accounts and Service Accounts...2 Heterogeneous Environments...2 Remote Users...3 Authentication Methods...3 Kerberos...3 Certificates...3 Tokens...4 Smart Cards...4 Biometrics...4 Proprietary and In-house...5 Single Sign-On...5 Summary...5 i

Copyright Statement 2008 Realtime Publishers, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers, Inc. (the Materials ) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers, Inc or its web site sponsors. In no event shall Realtime Publishers, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com. ii

Authentication In a Windows-based infrastructure, Active Directory (AD) is the basis of identity and access management. It provides the data store against which users are authenticated and holds information, in the form of group membership that is used to authorize access to network resources. However, the vast majority of organizations have a number of non-windows systems and applications that face similar identity and access management challenges. This series will examine the issues surrounding AD-based identity and access management and covers the following topics: Authentication Proving who you are Authorization Controlling what the authenticated person can access Administration Challenges of administering the actual life cycle of the identity Compliance Proving the identity and access policy is secure and working Identity and access management starts with identity. Who are you and how can you prove it? Authentication is the act of proving you are who you say you are. It is accomplished based on one of three broad techniques: Something you know. In most cases a userid and password. Something you have. An example would a hardware token used for VPN access. Something you are. The use of biometric techniques for authentication would fit in this category. The majority of organizations are using the something you know technique in which users enter a userid and password to log on to the network. Issues in Authentication In theory, authentication is very straightforward to manage. An administrator creates a userid for the user. The user creates a password according to the company policy, and the user can then authenticate. Unfortunately, there are a number of issues with the use of passwords. 1

Passwords The Weakest Link? Passwords are required to authenticate to the network but are often regarded as a necessary evil by administrators and users. There is a conflict between the need to use stronger passwords by increasing their length and complexity and the ease of use for the user population. Passwords cause a significant proportion of the Help desk calls within an organization. Increase the length and complexity of passwords, and those calls rise dramatically, which increases your cost of operations. Make the passwords too weak, and the organization s security is compromised. A password that is too complex will be difficult to remember. This can cause passwords to be written down and left where they can be found. Passwords can become predictable because users just change the last digit of the password or they base the password on a potentially well-known fact, such as their pet s name. Users freely share their userids and passwords, so you cannot be sure that the userid accessing the network is the user assigned to that userid. In heterogeneous environments, users may often have multiple passwords they need to remember in order to access applications and resources on the network. This complexity raises operational costs and causes problems for the user population. Privileged Accounts and Service Accounts Administrator and other privileged accounts, such as the Unix root account or an administrator account for an application such as Exchange or SQL Server, need more security to prevent unauthorized access. They are a prime candidate for the multiple password policies functionality in Windows Server 2008 AD but similar functionality rarely exists in non-windows platforms such as Unix/Linux. As these accounts have the ability to change password policies, periodic checks must be performed to ensure the policies are still being observed. Applications such as Exchange and SQL Server run as a service. These services need an account they can use for authentication when they start. This account is often a domain account rather than a local account. Some Windows services (for example, the cluster service) require a domain account as well. How should the passwords used by these accounts be managed? The easiest way is to set the password so that it does not expire. However, these passwords become known, and when administrators leave an organization, these known passwords can create a security hole. However, trying to change these passwords on a regular basis is problematic as administrators need to manually apply the change and ensure that the password does not expire. Heterogeneous Environments It is rare for an organization to have a single platform. Many, if not most, organizations have mixed environments with Windows, Unix, Linux, Apple, and possibly even a mainframe. Each environment, and often each box in the environment, has its own authentication mechanism, so users will have multiple passwords and userids. This increases complexity for the users and the administrators. 2

Remote Users Authenticating remote users against the corporate network raises further authentication issues: Is authentication passed through to AD? Will a separate authentication mechanism be required? Will all access be via VPN or will remote access technologies such as Outlook Anywhere or Outlook Web Access be used? How many systems and applications will need to be accessed, and do they require unique userids and passwords? Authentication Methods A number of authentication mechanisms can exist within an enterprise. Kerberos Kerberos in conjunction with LDAP provides authentication in AD. Non-Windows environments do not use Kerberos for authentication although some may be Kerberos-aware. Solutions exist that can Kerberize non-windows systems to allow them to participate in the AD Kerberos authentication trusted realm. Certificates Certificates are a form of what you have authentication. The certificate is validated against a certificate authority, and if it is valid, the authentication succeeds and authorization can proceed. The certificates are mapped to accounts in a directory such as AD. The drawback to using certificates is the need to maintain a PKI infrastructure to issue and administer the certificates. This requires trained personnel capable of fulfilling these administrative tasks. If an organization maintains its own PKI infrastructure, it is not an easy task to issue certificates to members of external organizations that you might want to authenticate to your network. The alternative is to obtain certificates from a commercial certificate authority; however, the cost and administration required may prove prohibitive. 3

Tokens Tokens, either hardware- or software-based, are another example of what you have authentication. Commonly used for VPN access they work well from the user perspective in that there is one less password to remember. Token based access has a number of issues: Administrative effort required to issue tokens Increased complexity caused by adding another authentication system into the environment Overhead of administering the token system Cost of acquisition and ongoing operations The apparent gains at the user side can be easily outweighed by these disadvantages to the organization. Smart Cards Smart cards supply authentication data from a certificate on the card. It is usually necessary to also supply a PIN. By supplying something you have (that is, the card) and something you know (that is, the PIN), you have a more secure authentication environment. However, the issuing and administration of the cards may become problematic. The cost of supplying the cards and the associated readers may become prohibitive. There are a number of questions that need to be resolved: How do your users prove their identities in order to be issued a card? How are lost cards dealt with? Is there a mechanism for providing temporary cards? What happens in the situation in which a card cannot be used? Can your smart card infrastructure support multiple platforms and applications? Smart cards offer great potential, but there are many administrative details to be resolved. Biometrics In theory, biometric-based authentication should be the ideal solution. Biometric data such as fingerprints or retina scans can be used to establish identity with a greater degree of certainty than with other methods. However, biometric-based authentication cannot be viewed as a mature technology. The required technology is not necessarily available for every machine in the enterprise. The biometric data needs to be recorded and associated with a particular individual. It also needs to be held in a secure fashion that prevents replay attacks. Biometric-based authentication techniques have not gained wide acceptance with many users who are reluctant to adopt them. 4

Proprietary and In-house Many applications that are obtained from a third party or written in-house may adopt their own authentication mechanisms. This often requires the user to enter an identity and password into the application. The credentials are checked against data stored within a database controlled by the application. This type of functionality should be discouraged. Development teams, especially in-house teams, should be encouraged to use AD for authentication. If it is not possible to use AD, because of schema change issues, for example, then consider the use of Active Directory Lightweight Services (AD LDS, formerly ADAM). The AD LDS instance can be populated with identity data from AD. In this type, the database table containing the security information can be accessed by database administrators. This could provide a security loophole for an unscrupulous administrator to exploit. Single Sign-On Single sign-on (SSO) is the ultimate goal within an authentication strategy. This enables the user to access all data and applications via a single identity and authentication event. SSO can be accomplished by performing password synchronization between matched identities in multiple stores or replaying the authentication event across other directory stores. The preferred approach to SSO is for the authentication information to be held in a single consolidated directory so that a single authentication mechanism is used across the enterprise. Summary Identity and access management is a cornerstone of security for the enterprise. If you do not know who is accessing your environment and cannot control who is working with your resources, you cannot have a secure environment. A crucial piece of this security is the ability to verify that users are who they say they are through consolidated and strong authentication techniques. 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information