In-Depth
Top 10 IAM Challenges for Heterogeneous Enterprises -- Part 1 of 2
As more users need multiple identities to access the applications they need regularly, IT has its hands full maintaining security.
by Jackson Shaw
An enterprise with a complex, heterogeneous environment faces many challenges when it comes to identity and access management (IAM). Too many identities and directories; inconsistent password policies across systems; diverse, time-consuming auditing processes; too much repetitive manual work; and the ever-increasing need to stay on top of compliance regulations are among the huge challenges faced by IT in an environment of multiple operating systems and applications.
Heterogeneity occurs as a company grows over the years, both organically and through mergers and acquisitions. New operating systems are added to handle the increasing volume of business -- or are incorporated from acquisitions -- and more users need multiple identities to access the applications they need to do their jobs. Such an environment may run a variety of applications on any combination of Unix, Linux, Windows, Macintosh, or legacy systems -- each with its own purpose and access requirements -- creating a hassle for users and sorely testing IT to maintain efficiency, security, and compliance.
This first part of a two-part series examining the top 10 IAM challenges of heterogeneous enterprises will discuss:
- Multiple identities and directories
- Single sign-on
- Synchronization
- Inconsistent password policies across systems
- Traditional Unix directories (NIS) vs. compliance
We’ll take a look at what causes these challenges and how to address them, and begin discussing a strategy that can set the enterprise on the path to simplified, efficient, secure, and compliant identity and access management.
Challenge #1: Multiple Identities and Directories
In environments where numerous operating systems function independently of each other -- with separate authentication, authorization, and administration policies -- every user must have multiple identities to access needed applications. Users must remember passwords for these different identities, but the biggest challenge faces IT, which must control authentication, authorization, and administration for every identity of every enterprise user.
In addition, there are the directories. Although most organizations use Active Directory (AD) for the largest number of user identities, a Unix, Linux, or Mac system has its own directories. Unix and Linux identities and authentication are among the most difficult to manage, further complicating the environment.
It’s not advisable to migrate everything to a single system, but it is possible to achieve a single identity for each user. The level of IAM complexity within a heterogeneous environment can be reduced by 50 to 80 percent by eliminating unnecessary directories and unifying as many as possible of the rest with Active Directory. User and IT productivity and efficiency will improve immediately, and security and compliance will be enhanced as well.
Challenge #2: Single Sign-on
Single sign-on (SSO), the authentication process that allows a user to enter a name and password just once to gain access to multiple applications and systems, is a longstanding and somewhat elusive goal in the world of IT. Still, it is the best answer to the security and compliance challenges of a heterogeneous environment. Properly implemented SSO solutions reduce the number of passwords users must remember, tighten system security, and help satisfy business objectives and security policies.
Single sign-on takes three forms, as not all platforms and applications are capable of achieving true single sign-on. The most complete is ”true” SSO, in which a single credential, for example, Kerberos as used by Active Directory, provides access to multiple systems. This provides users with one secure password that controls their access to the applications and systems they need, and requires the least amount of IT effort to manage. Enterprise single sign-on (ESSO) solutions are available for platforms and applications that cannot be consolidated into a Kerberos/AD SSO scenario. Although it still requires users to have multiple identities across systems, with IT management of those identities and the SSO process, ESSO allows users to identify themselves just once, at the start of a session. [The third form of single sign-on, password synchronization, is discussed next.]
Challenge #3: Password Synchronization
Password synchronization, sometimes referred to as “same sign-on,” allows users to have the same password for all applications that cannot be managed under SSO or ESSO. Synchronization’s biggest problem is that it takes the “lowest common denominator” approach, which means authentication for all systems and applications is only as strong as the weakest -- and probably oldest -- authentication in the environment. The authentication process for the synchronized identities, therefore, can’t support the best, secure password policy.
In addition, synchronization does not address the issue of multiple identities, which is the underlying problem with heterogeneous environments. Although users have the same password for each identity, they still have to log on to each system individually, and all of those identities must be maintained and managed.
Synchronization automates some security management issues, but it doesn’t significantly reduce any of them. It’s better to make the entire framework more secure and effective by consolidating other directories into Active Directory. By reducing the total number of identities in the overall environment, you will gain more control over access and eliminate security issues.
Challenge #4: Inconsistent Password Policies Across Systems
As a result of its growth over time, a heterogeneous environment is likely to have numerous password policies across its many systems. The organization may have started out with one policy for one system and, after adding more systems with disparate expiration rules and levels of complexity, find itself 15 years later with many password policies that are inconsistent and difficult to manage.
Having different password policies on different systems and applications presents serious security issues for the organization. With different password requirements for each system or application, users must remember multiple passwords and must periodically change them to meet the security and compliance requirements of the various password policies. That means they are more likely to write down all their passwords or choose those that are easy to remember (and crack).
As with the first three challenges, the best way to deal with this issue is to leverage Active Directory to unify Unix, Linux, and Mac systems. This will extend the existing AD password policy to the other operating systems and applications in the environment, and enhance non-Windows systems with a consistent password policy across the enterprise.
Challenge #5: Traditional Unix Directories vs. Compliance
The Network Information System (NIS) is one of the biggest compliance challenges for a heterogeneous organization with a Unix system. It is an old technology designed to help organize multiple Unix systems into a common identity and access management paradigm. Because it sends passwords over the wire in clear text, however, it presents numerous control risks and never will pass a compliance audit.
In an organization where identity and access management strategy is centered on Active Directory, migrating NIS authentication to Active Directory is the most effective way to address the challenges posed by NIS.
Summary
By now, it’s clear that the common theme for addressing the challenges of identity and access management is to unify disparate systems and applications under Active Directory. That’s because the complexity and inconsistency of the modern heterogeneous enterprise really is at the root of each challenge.
Whether you want to address all 10 challenges or just one or two, you will create a more efficient, controlled, and compliant environment by adopting a “get to one” approach, eliminating many of the disparate identities, roles, policies, and processes, and consolidating as many more as possible under Active Directory. With a single identity and password for each user, efficiency will improve, security will be enhanced, compliance will be achieved, and the challenges will be reduced.
In part two of this series, we will examine the remaining five of the top 10 IAM challenges -- auditing, entitlement management, excessive manual/repetitive work, compliance, and original purchase vs. original expectations -- and further review the “get to one” strategy.
Jackson Shaw is senior director of product management for identity and access management at Quest Software. Jackson joined Quest as part of its acquisition of Vintela, and oversees product direction, strategy and go-to-market activities for the Quest One Identity Solution. He has been involved in directory, meta-directory, and security initiatives for 20 years. Previously, Jackson was a key member of the identity and access management marketing team for the Windows server marketing group at Microsoft where he was responsible for product planning and marketing for Microsoft’s identity and access management products, including Active Directory and Microsoft Identity Integration Server (MIIS) 2003.