Educause Security Discussion mailing list archives

Re: Question on LDAP


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 5 Oct 2005 10:57:02 -0400

Krassos, Michael wrote:

Thank you all for your input so far.  Does anyone else have any input
before I consider this topic closed?

The issues regarding politics and the difficulties
surrounding attribute definitions and schema mentioned
by Greg are similar, if not identical, to the same
issues in identity management systems.

We're going down the identity management path for use
with our portal efforts and plan to populate
a directory with attributes for fine grained authorization
decisions. We're only in the initial planning stages.
Presently we already make some authorization decisions
based on coarse role attributes (e.g. student, faculty,
staff) but want to make much more granular information
available.

I'll add a couple more points to consider which are
probably self-evident.

If all systems need the data to make decisions, all
systems will need access to it. And the more information
stored, the more it starts to resemble a central business
database. Since everything has to be able to access it,
it has to be hardened as much as possible and heavily
monitored. This is particularly important if both trusted
and untrusted systems are allowed to access it or if its
accessible from the Internet. If protected only by
reusable passwords (e.g. bind credentials or stored
keys), which is likely, individual account compromises
must be considered likely and associated monitoring and
internal access controls set up accordingly.

Also, the directory becomes a central, automated workflow
hub. A failure or breach can have wide ranging, cascading
effects. Another vote for heavy monitoring.

While identity management systems are being sold as a
security solution, I personally believe they're more
of a business enabler and cost control measure than
an improvement in security. At least for the near future.
In this, they're similar to SSO.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

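The post's point about bind credentials, monitoring and per-account internal access controls can be made concrete with a small log check. The following is an added example, not part of the original thread or of any product discussed in it. It assumes OpenLDAP slapd "stats" style log lines (constructed here, not captured traffic) and a hypothetical per-service-account policy: which attributes each bind DN may request, which network it binds from, and how many entries one search should return. Any bind that violates the policy is reported as a finding.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Per-bind-account expectations. The DNs, networks and attribute sets are
# constructed for this example; a real deployment would derive them from
# what each application has been approved to read.
POLICY = {
    "cn=portal,ou=services,dc=example,dc=edu": {
        "attrs": {"uid", "cn", "eduPersonAffiliation"},
        "networks": [ip_network("10.1.2.0/24")],
        "max_entries": 50,
    },
    "cn=helpdesk,ou=services,dc=example,dc=edu": {
        "attrs": {"uid", "cn", "mail"},
        "networks": [ip_network("10.1.2.0/24")],
        "max_entries": 50,
    },
}

# Constructed sample approximating slapd stats-level logging (not real data).
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=10.1.2.3:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=portal,ou=services,dc=example,dc=edu" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="ou=people,dc=example,dc=edu" scope=2 deref=0 filter="(uid=jdoe)"
conn=1001 op=1 SRCH attr=uid eduPersonAffiliation
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1002 fd=13 ACCEPT from IP=198.51.100.7:40001 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="cn=portal,ou=services,dc=example,dc=edu" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 SRCH base="ou=people,dc=example,dc=edu" scope=2 deref=0 filter="(objectClass=*)"
conn=1002 op=1 SRCH attr=uid homePhone userPassword
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=5000 text=
conn=1003 fd=14 ACCEPT from IP=10.1.2.9:51300 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="cn=helpdesk,ou=services,dc=example,dc=edu" method=128
conn=1003 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SRCH_ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.+)')
SRCH_RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=\d+ nentries=(\d+)')


def analyze(log_text):
    """Walk the log and return findings as dicts: conn, dn, kind, detail."""
    findings = []
    conn_ip = {}        # connection id -> client IP from the ACCEPT line
    pending_bind = {}   # connection id -> DN whose BIND awaits its RESULT
    bound_dn = {}       # connection id -> DN after a successful bind
    failed = Counter()  # DN -> number of failed binds seen
    for line in log_text.splitlines():
        if m := ACCEPT_RE.match(line):
            conn_ip[m[1]] = m[2]
        elif m := BIND_RE.match(line):
            pending_bind[m[1]] = m[3]
        elif m := BIND_RESULT_RE.match(line):
            conn, err = m[1], int(m[3])
            dn = pending_bind.pop(conn, "")
            if err != 0:
                # err=49 is invalidCredentials; repeated failures on a
                # service account are the first sign of a guessed password.
                failed[dn] += 1
                findings.append(dict(conn=conn, dn=dn, kind="failed_bind",
                                     detail=f"err={err}"))
                continue
            bound_dn[conn] = dn
            rule = POLICY.get(dn)
            if rule is None:
                findings.append(dict(conn=conn, dn=dn, kind="unknown_bind_dn",
                                     detail=dn))
                continue
            ip = ip_address(conn_ip.get(conn, "0.0.0.0"))
            if not any(ip in net for net in rule["networks"]):
                findings.append(dict(conn=conn, dn=dn, kind="unexpected_network",
                                     detail=str(ip)))
        elif m := SRCH_ATTR_RE.match(line):
            conn = m[1]
            dn = bound_dn.get(conn, "")
            rule = POLICY.get(dn)
            if rule:
                # Attributes requested beyond the account's approved set.
                extra = sorted(set(m[3].split()) - rule["attrs"])
                if extra:
                    findings.append(dict(conn=conn, dn=dn,
                                         kind="attrs_outside_scope",
                                         detail=" ".join(extra)))
        elif m := SRCH_RESULT_RE.match(line):
            conn, n = m[1], int(m[3])
            dn = bound_dn.get(conn, "")
            rule = POLICY.get(dn)
            if rule and n > rule["max_entries"]:
                # A lookup account returning thousands of entries is a
                # bulk read, not the per-user query it was issued for.
                findings.append(dict(conn=conn, dn=dn, kind="bulk_read",
                                     detail=f"nentries={n}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"conn={f['conn']} {f['kind']}: {f['dn']} ({f['detail']})")
```

On the constructed sample the portal account's second connection is flagged three times (bind from outside its network, a request for attributes it was never approved for, and a 5000-entry result), and the helpdesk account's failed bind is recorded. The policy table is the "internal access controls" half of the argument; the same allowed-attribute sets would normally also be enforced server side in the directory's ACLs, with this check serving as the monitoring that catches a credential being used in ways the owning application never would.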