Educause Security Discussion mailing list archives
Re: Question on LDAP
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 5 Oct 2005 10:57:02 -0400
Krassos, Michael wrote:
Thank you all for your input so far. Does anyone else have any input before I consider this topic closed?
The issues regarding politics and the difficulties surrounding attribute definitions and schema mentioned by Greg are similar, if not identical, to the same issues in identity management systems. We're going down the identity management path for use with our portal efforts and plan to populate a directory with attributes for fine-grained authorization decisions. We're only in the initial planning stages. Presently we already make some authorization decisions based on coarse role attributes (e.g. student, faculty, staff) but want to make much more granular information available.

I'll add a couple more points to consider which are probably self-evident.

If all systems need the data to make decisions, all systems will need access to it. And the more information stored, the more it starts to resemble a central business database. Since everything has to be able to access it, it has to be hardened as much as possible and heavily monitored. This is particularly important if both trusted and untrusted systems are allowed to access it or if it's accessible from the Internet. If protected only by reusable passwords (e.g. bind credentials or stored keys), which is likely, individual account compromises must be considered likely and associated monitoring and internal access controls set up accordingly.

Also, the directory becomes a central, automated workflow hub. A failure or breach can have wide ranging, cascading effects. Another vote for heavy monitoring.

While identity management systems are being sold as a security solution, I personally believe they're more of a business enabler and cost control measure than an improvement in security. At least for the near future. In this, they're similar to SSO.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
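One way to put the "internal access controls and heavy monitoring" point above into practice, as an added example that is not from this thread or from JMU: each application binds to the directory with its own DN and is allowed to read only a fixed attribute set, and a monitor correlates constructed slapd-style log lines (BIND, then SRCH filter and attr by conn/op) to flag reads outside that set or from a bind DN not in the policy. All DNs, attribute names and log lines are hypothetical.

```python
"""Flag directory reads that exceed an application's allowed attribute set.
Added example, not from the thread. Log lines are CONSTRUCTED in the style of
OpenLDAP slapd 'stats' logging (BIND/SRCH correlated by conn= and op=); adapt
the regexes to whatever your directory server actually emits."""
import re

# Least-privilege policy: attributes each application's bind DN may read.
# DNs and attribute names are hypothetical.
POLICY = {
    "cn=portal,ou=apps,dc=example,dc=edu": {"uid", "cn", "eduPersonAffiliation"},
    "cn=payroll,ou=apps,dc=example,dc=edu": {"uid", "employeeNumber", "departmentNumber"},
}

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" .*filter="([^"]*)"')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.+)')

def detect_out_of_scope(lines):
    # Returns one (bind DN, search filter, offending attributes) tuple per violation.
    bound = {}     # conn id -> DN currently bound on that connection
    searches = {}  # (conn, op) -> filter, so the alert says what was looked up
    alerts = []
    for line in lines:
        if m := BIND_RE.search(line):
            bound[m.group(1)] = m.group(2)
        elif m := SRCH_RE.search(line):
            searches[(m.group(1), m.group(2))] = m.group(3)
        elif m := ATTR_RE.search(line):
            conn, op, attrs = m.group(1), m.group(2), set(m.group(3).split())
            dn = bound.get(conn, "")
            allowed = POLICY.get(dn)
            if allowed is None:        # bind DN not in policy, or anonymous read
                alerts.append((dn or "<anonymous>", "unknown bind DN", sorted(attrs)))
            elif extra := attrs - allowed:
                alerts.append((dn, searches.get((conn, op), "?"), sorted(extra)))
    return alerts

SAMPLE_LOG = [  # constructed sample, not real server output
    'conn=1000 op=0 BIND dn="cn=portal,ou=apps,dc=example,dc=edu" method=128',
    'conn=1000 op=1 SRCH base="ou=people,dc=example,dc=edu" scope=2 deref=0 filter="(uid=jdoe)"',
    'conn=1000 op=1 SRCH attr=uid cn eduPersonAffiliation',
    'conn=1000 op=2 SRCH base="ou=people,dc=example,dc=edu" scope=2 deref=0 filter="(objectClass=person)"',
    'conn=1000 op=2 SRCH attr=uid employeeNumber homePhone',
    'conn=1001 op=0 BIND dn="cn=unknownapp,ou=apps,dc=example,dc=edu" method=128',
    'conn=1001 op=1 SRCH base="ou=people,dc=example,dc=edu" scope=2 deref=0 filter="(uid=*)"',
    'conn=1001 op=1 SRCH attr=mail',
]

if __name__ == "__main__":
    for dn, flt, attrs in detect_out_of_scope(SAMPLE_LOG):
        print(f"ALERT {dn} filter={flt} out-of-scope={attrs}")
```

The portal's second search (pulling employeeNumber and homePhone for every person) and the read by a DN absent from the policy are the two conditions the message argues a central directory must be watched for.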
Current thread:
- Re: Question on LDAP Krassos, Michael (Oct 05)
- <Possible follow-ups>
- Re: Question on LDAP Gary Flynn (Oct 05)
- Re: Question on LDAP Drews, Jane E (Oct 05)
- Re: Question on LDAP Tom Barton (Oct 07)