Tom Kemp's Centrify Blog

Why Leverage Active Directory for Linux Identity Management? Part 1

Friday, January 11, 2008

I was recently interviewed by Art Wittman, Editor at Information Week, and one of the questions he asked me was about the technical soundness of leveraging Active Directory as the basis for Linux identity management (see embedded video clip). That question motivated me to articulate in this two-part blog entry the various technical and business reasons why customers should deploy our DirectControl solution on non-Microsoft platforms to enable Active Directory to become the central identity and access management "hub" for cross-platform systems (e.g. Windows, UNIX, Linux and Mac) and applications (e.g. IIS, Apache, JBoss, WebLogic, DB2, SAP, etc.). But before I do, let me first explain why reducing identity stores and moving toward a single directory is highly beneficial.

Why Reduce Identity Stores to Begin With?

A "before" and "after" shot oftentimes best tells the story. Here is a typical "before" shot:

Figure 3.  The fragmented enterprise before Centrify.

And an "after" shot:

Figure 4.  The integrated enterprise after Centrify.

Besides making a nicer picture, what are the benefits of moving toward a single identity store?

  • End-users become more productive. According to Gartner Group, the average large organization has over 20 sources of identities, resulting in the average internal user having to remember more than five user names and passwords. This creates a scenario where end-users have too many credentials to remember, and incredibly the average user spends over 16 minutes a day logging on. Multiple identity stores also lead to delays in provisioning new employees and fulfilling requests for changes to existing accounts.
  • IT administration costs are reduced. Given that Gartner Group estimates that 45% of all helpdesk calls are requests for password resets, an IT organization's costs go up as the number of different identity stores increases. In addition, having to individually maintain multiple identity stores results in IT administrative processes that are time-consuming, redundant and error-prone, as duplicate user ID data is keyed into multiple systems. Furthermore, this complexity makes it difficult, and thus expensive, to extend infrastructure to new business processes - so much so that, in extreme cases, it actually inhibits the company's growth.
  • Security risks decrease. The greater the number of identity stores, the greater the likelihood of dormant and orphan accounts being misused to access sensitive information. In addition, numerous passwords (and password change policies) force users to store passwords insecurely. Finally, the greater the number of identity and policy stores, the greater the difficulty of implementing consistent security policies. Without a cross-platform access control solution, it is difficult to enforce a consistent set of access rights for every platform.
  • Your ability to comply with regulatory requirements (such as PCI DSS, Sarbanes-Oxley, HIPAA and GLBA) increases. An increasing number of industry and governmental regulations require organizations to maintain strict control over business processes and, in particular, access to sensitive personal and financial information. With control and tracking of key business data and processes distributed among multiple identity systems, companies are resorting to awkward, time-consuming manual methods to consolidate the information needed to audit and report on their compliance. The inability to meet these regulatory requirements in a reliable and timely manner leaves many businesses critically exposed.

Notice I did not say "implement a single enterprise directory/identity store for your entire infrastructure." I said "move in that direction," meaning you will get significant value in making that journey. Given that the typical large enterprise oftentimes has dozens of identity stores, it is probably not practical or technically possible to magically move to the potential nirvana of a single identity store (e.g. it may not be possible to replace the mainframe or the Lotus Notes identity store with the directory being used for Windows and UNIX-based systems and applications). But I am saying that real value can be had by reducing, say, 50 identity stores (AKA "identity silos") down to a half dozen or so, and that is what Centrify can help you easily do.

On the rarest of occasions I do even get pushback on this, usually driven by concerns about the concept of "putting all my eggs in one basket" and some perceived risks of doing so. But I typically respond by asking, "Does it make sense for your organization to have 50 separate email systems or 50 different ERP systems?" If you think of a directory as a major component of your underlying infrastructure, odds are you have standardized for a given component (i.e. "basket") on either one or a small number of solutions (e.g. you just have one email system, Microsoft Exchange, or one ERP system, SAP) vs. 50 different solutions. So why not look at an identity store in the same light? And in Part 2 of this blog post, I will discuss why Active Directory is a better, stronger and more secure "basket" to use than the plethora of baskets you already have. But again, for large enterprises I am not advocating a single "basket," as it may not even be possible to have that; what I am saying is that you can reduce the number of baskets so you can be more secure, better meet regulations, etc.

Surveys of end-users validate this philosophy. For example, a recent survey of over 200 IT organizations by the noted analyst firm Enterprise Strategy Group asked, "What are the most difficult tasks for your organization as it relates to Identity and Access Management (IAM)?" and here were the results:

Identity and Access Management challenges faced by enterprises.

As the report notes:

"Accomplishing these [IAM] tasks can be extremely difficult as IAM activities are done in IT silos all over the enterprise. This creates an IT operations challenge as administrators are forced into a pattern of redundant operations and administration. … When asked to identify the most difficult IAM tasks, security professionals pointed to managing identity information spread throughout the enterprise, synchronizing individual technologies and provisioning/de-provisioning users."

This is dead on with the challenges that I discussed above. Hopefully I have helped convince you (if you even needed convincing) that reducing identity stores and moving toward a single enterprise directory is a good thing, so in my next blog entry I will discuss why Active Directory is the best choice to be that identity store.
