85630 Grasbrunn, de
+49 (89) 800908-27
An Open Source Architecture for Security Information
Even though Microsoft and Novell have released little detail about what they will actually deliver, this aspect of their announcement has generated considerable interest. Below we discuss the reasons for that interest, explain Microsoft and Novell's approach as currently understood, describe the limits of Active Directory and propose Red Hat's broader vision for the interoperability of security information.
The importance of identity interoperability
Within most organizations there is a variety of identity stores: Active Directory (AD) for Windows and Exchange, Red Hat Directory Server as the backend for an Internet-facing portal, PeopleSoft for HR, flat files and so on.
Identity information is vital security information: it is needed to grant appropriate access and to audit activity. The heterogeneity of identity stores makes it difficult for IT to secure and efficiently manage the environment while complying with government regulations, and it makes it harder for end users to log on to applications efficiently.
This is a well known and much discussed problem, and a variety of solutions and approaches exist to address it. They include federation, meta-directories, virtual directories, provisioning solutions, single sign-on solutions, centralizing all identity into one store, and more.
A related problem between organizations attracts a similar level of interest: each organization keeps its employees' or customers' data in its own datastore, which makes it difficult to give a user a seamless and secure experience when moving online among different organizations.
Microsoft and Novell’s approach (as currently understood)
Microsoft and Novell have proposed that their partnership will bring organizations benefits in the area of identity interoperability across Windows and Linux. So far this has meant two things.
One approach is to enable a SUSE Linux Enterprise (SLE) machine to plug more seamlessly into an Active Directory managed network via Samba and other tools. This fits into the "centralize identity in one store (AD)" approach to identity interoperability.
Many organizations want this and for good reason — they can efficiently and centrally manage identity across their environment. Red Hat has also invested in this approach to identity interoperability and has put significant investment in Samba in the upcoming RHEL 5.1.
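As an added illustration, and not part of the announcement or of this page's own text, the following is what "plugging a Linux machine into an Active Directory managed network via Samba" looks like in practice: a minimal winbind configuration for a domain member. It uses current Samba winbind option names rather than the RHEL 5.1-era syntax, and the domain name CORP, the realm CORP.EXAMPLE.COM and the ID ranges are assumed placeholders.

```ini
# /etc/samba/smb.conf (assumed placeholders: CORP, CORP.EXAMPLE.COM, ID ranges)
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE.COM
    # Authenticate as an AD domain member using Kerberos, not NT4-style domain logons.
    security = ads
    # Keep the machine account secret and a host keytab so services can use Kerberos.
    kerberos method = secrets and keytab

    # Mapping of AD SIDs to POSIX UIDs/GIDs.
    # Default domain (BUILTIN, local SIDs): allocate locally in a tdb database.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # CORP domain: derive the UID deterministically from the RID of the SID, so
    # every Linux host computes the same UID for the same AD user without
    # storing POSIX attributes in the directory.
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000-999999

    # Users log in as "alice", not "CORP\alice".
    winbind use default domain = yes
    # Renew Kerberos tickets obtained at logon before they expire.
    winbind refresh tickets = yes
    # AD users have no shell or home attributes here, so supply defaults.
    template shell = /bin/bash
    template homedir = /home/%U
```

With this in place, `net ads join -U Administrator` creates the computer account in AD and writes the host keytab, and `passwd: files winbind` plus `group: files winbind` in /etc/nsswitch.conf let the system resolve domain users and groups. `wbinfo -t` checks the machine account trust and `getent passwd alice` confirms that the SID-to-UID mapping works. The caveat to note is the choice of idmap backend: the `rid` backend gives the same UID on every host, whereas the `tdb` backend used for the default domain allocates IDs per host, so UIDs from that range will not agree across machines and should not be relied on for shared filesystems.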
The second approach, and the one highlighted by the companies in their announcements, is to enable the federation of identity between Active Directory and eDirectory. Federation is useful for cross-organization identity interoperability, but it is not a long-term solution for identity interoperability within an organization. It may be useful in the short term to let an eDirectory deployment in a department or a newly acquired unit federate to Active Directory, but in the long run organizations will require the identity information itself to be kept in sync, not simply federated.
We believe that to Microsoft, "identity interoperability" within an organization means centralizing all identity in Active Directory, and it is unlikely that Microsoft's partnership with Novell represents a change in that strategy.
The limitations of Active Directory
Why not centralize management for your Unix and Windows world in Active Directory?
There are certainly benefits to doing so. Active Directory is now a proven, scalable directory; it is fairly easy to use for managing a Windows domain, and a large percentage of organizations already use it for Windows.
There are also the generic reasons why an organization may not want to put all of its eggs into Microsoft's basket: price (the cost of the CALs), vendor lock-in, the risks inherent in a lack of diversity in the infrastructure, and the drawbacks of closed source solutions.
But in the case of Active Directory, there are more particular concerns:
- First is identity. It is difficult to interoperate with Active Directory, and sometimes this is because Microsoft intends interoperability to be difficult. The difficulties Samba has encountered make a good case study: Samba is a large, dedicated effort that has taken years to enable AD interoperability. The obstacles include proprietary extensions to common standards such as Kerberos (for example, the Windows-specific authorization data carried in Kerberos tickets), required license agreements and undocumented protocols. Samba-style interoperability is clearly a boon to customers, but its progress has been delayed. Microsoft and Novell may now work together here... but this only proves the point: interoperability with AD arrives on Microsoft's schedule.
- Second is policy. Active Directory is a less robust solution for centralized policy management than it is for identity. Microsoft Group Policy is a powerful way to manage configuration and policy on Windows machines, but the management interface is difficult to use, Group Policy is hard to extend, and custom extensions cannot be managed with the standard tooling. Part of each policy object is stored in the directory while the rest is stored in files on the domain controller (the SYSVOL share) that are replicated separately from the directory itself. Making Active Directory the center of identity management therefore does not leave an organization well placed for centralized policy management in a heterogeneous environment.
- Third is audit. Successful audit requires accurate identity, and audit data becomes far more useful when an event can be tied both to the identity that caused it and to the policy that was in force at the time. Microsoft MOM (Microsoft Operations Manager) and Active Directory are not set up to enable this.
Red Hat’s Open Source Architecture applied to Security — interoperable security information
Identity, policy/configuration and audit information (IPA information) are at the core of security. How efficiently and effectively we use this information determines how well we secure our organizations.
Today, however, this vital identity, policy and audit information is stored within multiple independent applications, where it is difficult to analyze and correlate.
As a result, organizations have difficulty:
- forming a complete picture of their security stance
- protecting their organization sufficiently
- efficiently enabling their operations while complying with government regulations and industry best practice
Because of its vital importance, Red Hat believes identity, policy and audit information should be Open, Interoperable and Manageable.
Open means the information is not held as a proprietary value-add but is available to other vendors and applications: through standards where possible, and always through well documented and openly available protocols.
Interoperable means that systems containing or managing identity, policy and audit information should remain backwards compatible with existing systems and protocols, should assume that infrastructure and systems will always be heterogeneous, and should help heterogeneous systems work together rather than forcing migration to a single platform or technology.
Manageable means that systems managing this vital security information should be easy to manage centrally or locally (i.e. a central server is not required) and should follow the principle of subsidiarity, empowering individuals by allowing administrative rights to be delegated to the lowest appropriate level in an organization.
We have no intention of building a massive new solution from scratch to realize this broad vision. Rather, Red Hat intends to work with the community, our customers, our competitors and other vendors to take concrete and useful steps wherever possible, using existing solutions and projects.
We can add value right away by making the management of identity, policy and audit easier to do locally and centrally for Linux. If we do this well, the community, organizations, other vendors and Red Hat itself will use and extend these solutions, and in this way the broader vision may one day be realized.
Use of the information published here for your own information and for editorial processing is generally free of charge. Please clarify copyright questions with the named publisher before any further use. If you publish it, please send a specimen copy to firstname.lastname@example.org.