LDAP, Single Sign On (SSO), and Enterprise Security
Having been an IT professional for over 15 years and having assisted organizations wrestling with various security issues, I have a number of insights that may be of interest to the general community. I have also recently implemented a number of OpenLDAP solutions with the aim of providing SSO (Single Sign On), and those projects produced a number of conversations worth sharing. While I have found quite a few good resources around the internet that discuss various features, do feature comparisons of products, or provide detailed configuration information, there seem to be few resources that help one navigate the significant number of questions that must be recognized and answered before any specific product is implemented.
To that end, this document attempts to frame the set of questions that should be understood and addressed, so that implementing the plan becomes more straightforward and what needs to be configured or pulled together becomes easier and clearer to see. This document does not attempt to provide the "right" answer to these questions. Rather, it presents a set of questions that should be addressed, walks the reader through the various points and counter-points, and directs the reader in how best to answer them within the context of their own organization, needs, requirements, and constraints.
Enterprise security, within the context of this document, refers to the overall security of the IT assets. That security depends on specific decisions and implementation details, but it also sits within a larger frame: the overall impact on the organization and its assets. As stated earlier, there are quite a few readily available resources around the internet that deal with any specific component of enterprise security, but the author has found few documents that frame these components within the overall context of the technology, people, and systems that make up the enterprise.
It may seem pedantic to include a section on the definition of security; however, it seems almost as important to raise the discussion (and thus the definition) of security from the level of specific features and functions to a more holistic definition, at least for the discussion of "Enterprise Security", in the same way that the author is attempting to raise awareness of the impact of technology decisions on the overall security of the enterprise. It is also the author's understanding that once decision makers have been informed and key decisions have been made, a return to the detailed discussion and definition of security is appropriate; however, until we understand the bigger picture, a discussion of the minutiae, while important in its place and time, is not productive.
In general, what is meant by "Security"? What does it mean to say that one thing is more secure than another? Let's take these first two questions and begin to break them down so that we at least have a common framework on which to hang our discussion. I am not going to claim that these are the only answers to these questions, as I am sure we will be having lively discussions on this topic for years to come; rather, the author invites the reader to acknowledge that these are in some way reasonable answers, in order to allow for the further analysis upon which this article is based.
That is, while there is reasonable debate about the answers to these questions, the author asks that, at least for the remainder of this discussion, we take the answers to be as given in this section. If this cannot be done, there is little expectation of ever being able to answer the questions that follow from these two, questions that form the basis for a significant portion of the expenditure of capital and human resources in most organizations.
According to Merriam-Webster's online dictionary, a definition of security could be "measures taken to guard against espionage or sabotage, crime, attack, or escape". This seems to be a reasonable definition upon which to base our discussion. In general, with regard to IT security, we are looking to prevent others from obtaining sensitive information that may give them a competitive advantage, or to prevent others from manipulating information in a way that may result in incorrect action on our part or create some liability for the organization. While there may be other items within the purview of IT security, it is our experience that the bulk of the time and energy spent within IT focuses on these two goals: specifically, the protection of sensitive information from unauthorized persons and the protection of the integrity of our information or technology assets.
Given this definition of security, the answer to the second question, what "more secure than another" means, comes down to an evaluation of qualities (at least at this level of discussion) that generally prolong the assumed period of assurance before sensitive information is compromised, or that prolong the time taken to violate the integrity of our information or assets.
Whoa! What do you mean "prolong"! I want a guarantee! I can assure you that there is no such thing as a guarantee with regard to security, as I hope to demonstrate, or if nothing else, as has been demonstrated over and over again in the press and within the industry. There is no such thing as "absolutely secure". For anything to be absolutely secure, it would have to be either useless or non-existent (potentially the same thing, I know). Anything can be compromised, eventually... It is the "eventually" that we are working on and that matters most. Given physical access and enough time, any, and I mean any, security can be compromised. Our job as overseers or caretakers of security is mainly to stay just (or hopefully at least) one step ahead of the ne'er-do-wells.
Given this definition and these narrow goals, let's briefly investigate the aim of those intending to circumvent our security.
Impact of Insufficient Security
In today's IT environment, an organization with no security at all is almost non-existent. It is also assumed that the reader is generally aware of or concerned about the impact of technology decisions on the overall security of the organization. In our effort to further understand and refine our discussion of security, let's take a moment to discuss the motivation and the process used by those we are seeking to stop. I will not present an exhaustive discussion of this topic, but only a few examples, both to shed more light on our definition of security and to highlight a number of items that will become significant later in this document.
In general, I will focus on the motivation and desired outcomes associated with corporate espionage. This may seem rather narrow, but it demonstrates the greatest potential damage that an organization could sustain. While the general threat level for most organizations falls below this threshold, this set of scenarios should demonstrate what could happen, and what, hopefully, you have taken measures to ensure never does. We will further assume that most security incidents you encounter will be the result of negligence or ignorance, and that their potential impact will therefore generally not be as significant as that of the motivated, experienced, persistent, and professional corporate spy.
Single Sign On
While SSO has been a goal of many organizations, and SSO capabilities have been requested from and provided by a number of products and vendors, there seems to be little information regarding the overall impact of SSO on the security of the organization. While the remainder of this document will focus on SSO as it pertains to LDAP, a brief detour to discuss SSO and its overall impact on the security of IT assets is warranted first.
by Lance Hendrix (1.0)