Why LDAP - PowerPoint PPT Presentation

1 / 59
About This Presentation
Title:

Why LDAP

Description:

Understand the critical role that trust plays in achieving modern business models ... you want it and not to someone else's preconceived idea of what they should be ... – PowerPoint PPT presentation

Number of Views:69
Avg rating:3.0/5.0
Slides: 60
Provided by: guyhunt
Category:
Tags: ldap

less

Transcript and Presenter's Notes

Title: Why LDAP


1
Why LDAP Security Are Critical to Your Success
  • UBC Certificate in eBusiness Presentation
  • Wednesday, January 17, 2001
  • Guy Huntington, President,HVL

2
Presentation Goals
  • Understand the critical role that trust plays in
    achieving modern business models
  • Relate this to the challenge of creating,
    managing and authenticating the identity
  • Probe into accepting authorizations between
    system, partners and other enterprises
  • Take a look at the role of LDAP vs. Databases
  • See what kinds of tools are out there to do the
    job

3
It All Starts With Trust
  • Trust is the heart of successful ongoing
    transactions, relationships and business
    processes
  • In the old days it was primarily based on
    someone you had physical proximity to or, taken
    on faith from someone you knew
  • But what about today?

4
Trust and E-business
  • Billions of interactions occurring around the
    globe, increasingly with software based systems,
    where we may never ever see the face behind the
    transaction or business process
  • A large enterprise may have tens or hundred of
    millions of customers (e.g. WalMart, Coke or
    Pepsi)
  • They may have hundreds of thousands of employees
    (e.g. United Airlines, McDonalds)
  • They may have thousands, tens of thousands or
    more business partners employees interacting
    with the enterprise (e.g. GM)

5
Interactions Are Fast, Varied and Sensitive
  • Interactions often require split-second
    decision-making (several thousand identity
    lookups and authentications per second)
  • Access can be to many traditional back-office
    systems (shipping, account info, manufacturing,
    sales/marketing, etc.)
  • Customers and business partners are drilling to
    very sensitive information (e.g. data warehouses
    containing personal account info.)

6
Identity Management
  • Usually taken for granted
  • Identity creation is usually a mixed bag of
  • Different people doing the creation
  • Different ways of doing the creation
  • Different systems holding the creation

7
Take Fred Johnson
  • Fred Johnson Facilities
  • Fred S. Johnson - Parking
  • Fjohnson E-mail
  • F. Johnson HR Manager - Payroll
  • Fred Johnson Human Resources Manager - HRIS
  • Fred Johnston (oopstypo!) - Security
  • F. Johnsonn (another typo) - Networks

8
Identity Integrity
  • Causes a lot of grief
  • Direct cost to the enterprise
  • Lost productivity
  • Hard to find up to date org charts and basic
    contact info
  • Can cost many tens of millions of dollars annually

9
Managing the Identity
  • Who creates it?
  • How do you handle the changes to it?
  • The numbers can be staggering
  • 15-30 identity changes
  • 20-30 employee churn in some sectors
  • Thousands to millions of users
  • You need to somehow both centralize identity
    reference and at the same time delegate admin to
    appropriate levels

10
Security Lapses
  • Time delays for system updates take days, weeks
    and even months
  • Manual processes for updating mean manual errors
  • Wrong people get taken on and off systems
  • Identities entered differently dont match in
    systems and access is denied to applications etc

11
Authentication
  • Now we have an identity, how do we authenticate
    it to continue the process of trust?
  • How do I know youre you?

12
Challenges
  • What if I dont know you?
  • What if youve been passed from one or two
    portals to my e-business website?
  • How do you achieve single sign on to reduce the
    number of passwords, tokens, smartcards and
    number of times authentication is required?
  • The answers affect ease of use, trust and
    manageability of the business models youre
    building!

13
Authentication Basics
  • What you know
  • What you have
  • What you are

14
Authentication Methods
  • Basic authentication
  • Certificate authentication
  • Form authentication
  • Tokens/smart cards authentication
  • Biometric authentication

15
Basic Authentication
  • Uses something you know
  • Username and password are the most common
  • Most common form of authentication
  • Can be a lot of problems/challenges in using it

16
Basic Challenges
  • Password cracking programs can guess passwords at
    over 1.5 million guesses per second to minute
  • Passwords are difficult to remember and should be
    changed frequently

17
Basic Challenges
  • Password lengths are often insecure
  • Password storage may be not secure
  • Passwords may travel in the clear

18
Basic Challenges
  • Browsers cache passwords
  • Lost password management is very expensive

19
Certificate Authentication
  • Uses public key infrastructure
  • Involves use of trusted third parties called
    certificate authorities
  • Certificates use a couple of different types of
    encryption to assure identity
  • Parties exchange certificates and verify each
    other

20
Certificate Challenges
  • Managing certificate users can be very demanding,
    costly and time consuming
  • Level of trust may not be appropriate for all
    your needs
  • Encryption use may require accelerator cards on
    the authenticating servers
  • Browsers cache certificate info

21
Form Authentication
  • Uses an html form usually embedded in the
    internet, intranet or extranet interface
  • Can use username and password or some other
    challenge and response
  • Advantage to this method is the browser doesnt
    cache the challenge and response

22
Tokens
  • Youve probably seen or used some tokens many
    times
  • This can include drivers license and social
    security card
  • It can also include key fobs with digitally
    changing numbers

23
Token Challenges
  • Can be forged or hacked
  • People lose them
  • Management of the whole process can be daunting
  • People get sick of having to carry around so many
    tokens (just check your wallet for the number of
    loyalty cards you carry)

24
Smart Cards
  • Use chip technology
  • Includes debit cards to financial and medical
    information cards
  • Widely used in Europe
  • Gaining momentum in N.America
  • Lots and lots of politics involved in setting
    global standards
  • Often use multi-factor authentication

25
Smart Card Challenges
  • Can be hacked (although it can be harder to do)
  • A lot of behind the scenes fighting over
    standards for potentially billions and trillions
    of dollars in transactions
  • Need plant and equipment to deploy

26
Biometric Authentication
  • James Bond comes of age
  • Includes
  • Finger recognition
  • Fingerprint scans
  • Hand geometry
  • Face geometry
  • Signature recognition
  • Iris and retina recognition
  • Voice recognition

27
Biometric Authentication
  • Price points are dropping quickly below 150,
    100 and even much less
  • Becoming embedded in chips placed in cell phones,
    palm pilots and soon watches
  • Often used with smart cards and/or other
    authentication methods such as passwords

28
Biometric Challenges
  • Can have trouble with people having hangovers,
    colds, etc
  • Still a little pricey for widespread adoption
  • Device required to conduct the enrollment and
    reading

29
So What Do You Use?
  • Probably combinations of all of these!
  • You need to think in terms of layers of trust
  • Lets move on to authorization and then come back
    to view the challenges in providing single sign
    on, integrating different authentication methods
    and accepting other parties authentications/author
    izations

30
Authorization
  • This is the second step of the triple As
    (authentication, authorization and auditing)
  • How do you authorize?
  • How do you integrate authorization mechanisms
    across an enterprise and between enterprises?
  • It isnt always easy

31
Daily Sales Report
  • Sales rep can view only their own reports
  • Managers can view all direct reports reports
    and their summaries but not other areas
  • Regional managers can view all reports below
    them, rolled up summaries but not outside their
    area
  • VP, CEO and CFO can view all reports and summaries

32
Daily Sales Report
  • Special exemptions for some identities
  • Individuals, roles, groups, geography
  • Special exemptions for some reports
  • Specific reports, groups of reports
  • Special exemptions based on time
  • Hourly, daily, weekly, monthly, seasonally, yearly

33
Granularity
  • Your infrastructure needs to provide flexibility
    for different combinations of granularity at
    both the identity and resource/application level
  • Some of this logic is already in your ERPs,
    HRMSs, data warehouses, CRMs and the rest of
    your systems
  • How do you knit this together both internally and
    externally?

34
The Devil Is in the Details
  • Potential show stopper stuff for B2Bs and large
    internal reengineering
  • Youre crossing multiple systems, with little or
    no authentication and authorization standards
  • The information and rules are stored in specific
    formats, logic and databases each with their own
    generally inflexible standards
  • Youre also crossing over a lot of political
    power centers within the enterprise

35
Databases
  • Many of the systems requiring authentication/autho
    rization integration use databases/data
    warehouses
  • Theres challenges with using database only
    solutions

36
Advantages of Databases
  • Maintain state of the transaction
  • Excellent for fast writes
  • WalMart updates the DSS at approx 8.4 million
    updates per minute
  • Great for routine and complex querying
  • WalMart queries DSS at over 100,000 complex
    queries a week
  • Flexible

37
Disadvantages of Databases
  • Lack standards when it comes to how information
    is stored
  • Not optimized for fast reads
  • Generally relational not hierarchical

38
Infrastructure Glue
  • Need to bind together/coordinate the identity
    management, authentication and authorization
    components of all the systems
  • Has to work exceedingly fast
  • Databases are not the best choice in either cost
    or performance for this application
  • Databases may hold the authoritative source of
    the information e.g. ERP, HRMS
  • Thats why directories come into play

39
Directories
  • Optimized for fast reads not writes
  • Excellent for stateless/semi-stateless
    environments
  • Scale relatively easily for replication and fail
    over
  • Operate to standards

40
LDAP
  • Lightweight Directory Application Protocol
  • IETF standard
  • Built with the internet in mind
  • Offspring of x.500
  • Provides enough standards to be attractive as a
    coordinating vehicle for identity management,
    authentication, authorization and auditing

41
Putting It All Together
  • LDAP directory acts as the coordinating hub for
    your authentication, identity management,
    authorization and auditing systems
  • Can be Master, Child or both for authoritative
    source of information
  • Store digital certificates, username,
    password(s), challenge phrases, biometric point
    info., etc.
  • Also store summary info from the CRM or portal
    info on your business partners

42
You Want
  • To provide a central integration point
  • Something that scales
  • Enhance not reduce existing security
  • To provide end user ease of use
  • To quickly integrate systems required by the
    existing and emerging business models

43
Single Sign On (SSO)
  • Need some tools to work with the directory and
    your systems
  • Can be quite complex without the tools

44
SSO Challenges
  • Coordinate the identity management
  • Delegate the identity management where warranted
  • Coordinate authentication
  • Security compatible with things like TLS/SSL,
    IPSec, digital certificates, etc.
  • Pre and Post authorization features to hand off
    to ERPs, NOSs, CRMs, data warehouses, portals
    and all your other many systems

45
SSO Challenges
  • Maintain state to identify session beginning and
    endings
  • Timing out the user
  • Store authentication and authorization levels to
    which the identity is approved to prevent
    reauthentication unless desired
  • Involves the use of encrypted cookies and
    application servers
  • Work within a domain and across multiple domains

46
SSO Challenges
  • How are you going to handle managing the
    authorization rules for who gets to see what
    when?
  • You need tools allowing you to delegate this
    where required
  • e.g. extranet, portal, departmental level
  • How do you integrate your auditing systems with
    the ERPs, NOSs, firewalls, CRMs, facilities
    and all your other systems?

47
Infrastructure Tools
  • Without tools, this kind of work is exceedingly
    complicated, fraught with peril, expensive and
    time consuming
  • Tools must allow you to scale very quickly
  • Easy to use
  • Flexible to allow to you tailor your
    authentication, identity management,
    authorization and auditing just the way you want
    it and not to someone elses preconceived idea of
    what they should be

48
Thats Where Oblix and Others Comes Into Play
  • Oblix
  • Netegrity
  • IBM
  • Entrust
  • others

49
Features to Look For
  • Deploys relatively quickly
  • Delegate identity and authorization rule
    management to whatever level if granularity makes
    sense
  • Solid identity management
  • Gives you great flexibility in post
    authentication, authorization and post
    authorization actions

50
Features to Look For
  • Flexible in granularity for determining
    protection of resources/applications
  • Flexible in determining auditing requirements to
    different levels of resources/applications
  • Scales easily without performance loss
  • Works with most NOSs, directories, ERPs,
    portals, etc.

51
Making and Saving Money!
  • Your business models will likely be taking
    advantage of globalization, new economies of
    scale, new distribution channels, one to one and
    one to many marketing, etc.
  • Take a second and think about your models

52
Making and Saving Money!
  • Theyre all heavily dependent on building and
    passing trust through system integration
  • This infrastructure technology Ive talked about
    is imperative to achieving your business models
  • Without it, youre in danger of wafting onto
    dangerous shoals and lacking the competitive edge
    to deliver your business models anywhere in the
    world, anytime, anywhere with a high degree of
    trust and low operating costs

53
Know Thy Identity!
  • Customer
  • Business Partner
  • Employee

54
Thanks for Having Me!
  • This ends the formal part of the presentation
  • I hope Ive been able to open your eyes as to why
    you really need to know and use this
    infrastructure technology
  • Appended to this presentation are some URLs for
    the presentation itself and other useful
    resources you may want to pursue
  • Contact me at 604-921-6797 or guy_at_hvl.net

55
URLs - Presentation
  • This presentation is available for html and
    download viewing at http//www.hvl.net/ebusiness.h
    tm
  • Also other presentations there on SSO, Password
    Management, etc.

56
URLs - Authentication
  • Authentication Resources
  • Password portal - http//www.passwordportal.net/
  • Certificates Security Magazine Jan. 2001
    Implementing PKI - http//www.scmagazine.com/ind
    ex2.html
  • Smart Cards Card Technology.com -
    http//cardtech.faulknergray.com/
  • Biometrics Biometric Consortium -
    http//www.biometrics.org/

57
URLs Security/Encryption
  • Security and Encryption
  • A good read Secrets and Lies Digital
    Security in a Networked World Bruce Schneier
    (Amazon.com link - http//www.amazon.com/exec/obid
    os/ASIN/0471253111/qid979693943/sr2-1/refsc_b_1
    /107-1804127-2028529)
  • TLS IETF Working Group - http//www.ietf.cnri.re
    ston.va.us/html.charters/tls-charter.html

58
URLs Securing e-Business Vendors
  • Infrastructure Vendors
  • Oblix www.oblix.com
  • Netegrity - http//www.netegrity.com/
  • IBM/Tivoli - http//www.tivoli.com/
  • Entrust - http//www.entrust.com/

59
URLs - XML/Authentication Standards
  • A good read Nand Mulchandanis paper Industry
    Must Embrace Combination of Open Web Access
    Standards for True Interoperability
    -http//www.oblix.com/pointofentry/xml/index.html
Write a Comment
User Comments (0)
About PowerShow.com