The fact that some users will have a huge level of access to company information is unavoidable as long as you also want someone to be able to support the complex multi-platform solutions that proliferate these days.
The trick is to know at all times who has access to which systems, at what level, and who granted them that access. Since most systems have their own logs or access databases (some general SQL or LDAP, others strange and unusual ;), one usually requires some specialist third party tool to generate such reports and notify the responsible managers automatically if something seems out of place.
It's near impossible to find a single identity and workflow management tool to cover all the bases, unfortunately. Each company needs to evaluate its own needs individually.
The company I work for produces several such tools which of course, I think are the best ones for the job =)
The important thing is to understand that someone always needs access to sensitive data, all you can hope for is that your HR department did good screening and that the managers care enough to follow up on access rights regularly. All too often people retain rights when switching departments...
Anthony Whitehead
NordicEdge AB
http://www.nordicedge.se/
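A worked example added here (not a NordicEdge tool) of the kind of report the post calls for: it reconciles constructed HR records with constructed group memberships and groups anything the HR data does not justify by the manager who granted it.

```python
# Added example (not a NordicEdge product): reconcile HR department data with
# directory group memberships and report rights that look out of place,
# grouped by the manager who granted them. All data below is constructed.
from typing import Dict, List, Tuple

# Authoritative HR view: user -> current department (None = has left).
HR_DEPARTMENT = {"alice": "finance", "bob": "engineering",
                 "carol": "support", "dave": None}

# Memberships as pulled from LDAP/AD or an application's own access database,
# each with the grantor recorded so the report reaches the right manager.
GROUP_MEMBERS = [
    ("fin-ledger-rw", "alice", "manager:finance"),
    ("fin-ledger-rw", "bob", "manager:finance"),      # bob moved to engineering
    ("eng-prod-ssh", "bob", "manager:engineering"),
    ("eng-prod-ssh", "carol", "self-service"),        # support staff on prod
    ("support-tickets", "carol", "manager:support"),
    ("eng-prod-ssh", "dave", "manager:engineering"),  # dave has left
]

# Departments each group is meant for (assumed to be maintained by the site).
GROUP_OWNER_DEPT = {
    "fin-ledger-rw": {"finance"},
    "eng-prod-ssh": {"engineering"},
    "support-tickets": {"support"},
}

Finding = Tuple[str, str, str, str]  # (user, group, granted_by, reason)

def review_access(hr, members, owners) -> List[Finding]:
    """One finding per membership that the HR data does not justify."""
    findings = []
    for group, user, granted_by in members:
        dept = hr.get(user)
        if dept is None:
            findings.append((user, group, granted_by, "no active HR record"))
        elif dept not in owners.get(group, set()):
            findings.append((user, group, granted_by,
                             f"department {dept} not entitled to {group}"))
    return findings

def notify_lines(findings) -> Dict[str, List[str]]:
    """Group findings by grantor, ready to send to each responsible manager."""
    out: Dict[str, List[str]] = {}
    for user, group, granted_by, reason in findings:
        out.setdefault(granted_by, []).append(f"{user} in {group}: {reason}")
    return out
```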
Most of the common maps, including the auto-mount maps, have schema and attributes in LDAP. So it's just a simple matter of using a migration tool (or doing it by hand) to build your LDAP version of the auto-mount map.
A quick google and here is a link you might like to look at:
http://www.linuxjournal.com/article/6266
There are many other sources of information on this out there.
Anthony Whitehead
NordicEdge AB
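An added example (not from the Linux Journal article or NordicEdge) of doing the migration by hand: it parses a constructed NIS-style auto.home map and emits LDIF for the autofs LDAP schema. The object class and attribute names (automountMap, automount, automountMapName, automountKey, automountInformation) and the ou=automount container are assumptions about what the directory has loaded.

```python
# Added example (not from the article or NordicEdge): convert an NIS-style
# auto.home map to LDIF for the autofs LDAP schema. Assumes the directory has
# the automountMap/automount object classes with automountMapName,
# automountKey and automountInformation loaded, and an ou=automount container.
from typing import List, Tuple

# Constructed NIS-style map, as it would appear in the yp source file.
AUTO_HOME_MAP = """\
# home directories
alice   -rw,soft   fileserver:/export/home/alice
bob     fileserver:/export/home/bob
*       -rw        fileserver:/export/home/&
"""

def parse_automount_map(text: str) -> List[Tuple[str, str]]:
    """Return (key, information) pairs; information keeps any mount options."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            key, info = fields[0], fields[1]
        elif len(fields) == 3 and fields[1].startswith("-"):
            key, info = fields[0], f"{fields[1]} {fields[2]}"
        else:
            raise ValueError(f"unrecognised map line: {raw!r}")
        entries.append((key, info))
    return entries

def dn_escape(value: str) -> str:
    """Escape characters that are special inside a DN value (RFC 4514)."""
    out = value
    for ch in ("\\", ",", "+", '"', "<", ">", ";", "="):
        out = out.replace(ch, "\\" + ch)
    return "\\" + out if out[:1] in ("#", " ") else out

def map_to_ldif(map_name: str, entries, container_dn: str) -> str:
    """Emit the map object followed by one automount entry per key."""
    map_dn = f"automountMapName={dn_escape(map_name)},{container_dn}"
    blocks = [f"dn: {map_dn}\nobjectClass: top\nobjectClass: automountMap\n"
              f"automountMapName: {map_name}\n"]
    for key, info in entries:
        blocks.append(f"dn: automountKey={dn_escape(key)},{map_dn}\n"
                      "objectClass: top\nobjectClass: automount\n"
                      f"automountKey: {key}\nautomountInformation: {info}\n")
    return "\n".join(blocks)
```

The wildcard key `*` and the `&` substitution are passed through unchanged, since autofs interprets them when it reads the entry back from LDAP.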
Because the sites that could most benefit already run NIS or similar for Unix, and have working AD systems for Windows. With a larger site (100+ servers) the admin groups are usually hard pressed for time anyway and have to justify this kind of switch to a manager who most of the time doesn't fully see the advantage of spending all those man hours switching systems.
Sad, but often true.
/Anthony Whitehead
NordicEdge AB
Several reasons, but the one I'd be most inclined to rate highest is the inability to protect against brute force attacks. Since you can't (or don't want to) stop all logins then the only way to stop brute force attacks is to disable the account that is under attack after a few incorrect guesses.
If you have only passwords then an attacker can use a distributed botnet to attack you with as many random passwords as he sees fit.
Given that most users pick godawful passwords it shouldn't take long to stumble upon a password that is valid for some user in your site, and not asking for a username just makes this a whole lot simpler.
/Anthony Whitehead
NordicEdge AB
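An added example (not NordicEdge code) of the per-account lockout the post describes, together with a site-wide check for the distributed case it cannot catch on its own: when guesses are spread one per account across many sources, no single account ever reaches the lockout threshold, so the monitor also counts distinct failing accounts and sources per window. The records and thresholds are constructed; feed records to `observe` in time order.

```python
# Added example (not NordicEdge code): the per-account lockout the post
# recommends, plus a site-wide check for distributed guessing that lockout
# alone cannot catch, replayed over constructed login records.
from collections import defaultdict, deque

LOCKOUT_FAILS = 3   # failures on one account before it is disabled
WINDOW_SEC = 300    # sliding window used by both checks
SPRAY_USERS = 5     # distinct accounts failing in one window ...
SPRAY_SOURCES = 3   # ... from this many sources => spraying alert

# Constructed records: (epoch seconds, username, source ip, success?)
LOG = [
    (0, "alice", "10.0.0.5", False),
    (5, "alice", "10.0.0.5", False),
    (9, "alice", "10.0.0.5", False),      # third failure: lock alice
    (12, "alice", "10.0.0.5", True),      # right password, but locked
    (20, "bob", "198.51.100.2", False),   # one guess per account from
    (21, "carol", "203.0.113.7", False),  # many sources: no account
    (22, "dave", "198.51.100.9", False),  # ever reaches LOCKOUT_FAILS
    (23, "erin", "192.0.2.44", False),
    (400, "bob", "198.51.100.2", False),  # outside the window
]

class LoginMonitor:
    def __init__(self):
        self.fails = defaultdict(deque)  # user -> failure timestamps
        self.locked = set()
        self.recent = deque()            # (ts, user, ip) of all failures

    def observe(self, ts, user, ip, success):
        """Process one record in time order; return the events it raises."""
        if user in self.locked:
            return ["locked:" + user]
        if success:
            self.fails[user].clear()
            return []
        events, q = [], self.fails[user]
        q.append(ts)
        while ts - q[0] > WINDOW_SEC:     # drop failures outside the window
            q.popleft()
        if len(q) >= LOCKOUT_FAILS:
            self.locked.add(user)
            events.append("lockout:" + user)
        self.recent.append((ts, user, ip))
        while ts - self.recent[0][0] > WINDOW_SEC:
            self.recent.popleft()
        users, ips = {u for _, u, _ in self.recent}, {i for _, _, i in self.recent}
        if len(users) >= SPRAY_USERS and len(ips) >= SPRAY_SOURCES:
            events.append(f"spray:{len(users)}users/{len(ips)}sources")
        return events
```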
For the same reasons as one would use NIS in the past, to allow central control and a single point of administration for your users.
With some decent admin tools you can even share your users between variants of Unix and Windows environments.
There are some advantages of LDAP over NIS which are worth mentioning. LDAP can be made more secure than NIS (NIS+ is better in this respect, but oh so much more of a pain to administer) through the use of SSL or better authentication methods. LDAP will usually scale better for many thousands of users than plain NIS. NIS is limited as to what data may be stored for a user, which is ok if all you want your user database for is authentication and basic authorization, but LDAP is much more flexible if you need to store other user information and would rather have a single user store.
There are some sites that even use Unix LDAP clients to authenticate to an Active Directory service running on Windows platforms. This can be done much more transparently with LDAP than many other authentication methods.
/Anthony Whitehead
NordicEdge AB
http://www.nordicedge.se/
Combining SSL, username and password together with a simple One Time Password delivered by pager, mobile text (SMS) or even voice mail, gives good two factor authentication. Several companies provide good solutions that are of differing levels of complexity to integrate.
Check out this link for more information on one time password authentication. I work for this company so of course I'm biased =) but it's the best OTP service I've used. It will integrate fine with your AD or any other LDAP/SQL user source.
http://www.nordicedge.se/produkt_otp.shtml
The major reason why hardware tokens are not so popular in my experience is that people think they are clumsy to lug about everywhere. Even the keychain versions are annoying. Smart cards are great but you need a computer with a smartcard reader.
I think we'll be seeing more and more applications aimed at users' mobile phones, for the simple reason that everyone likely to use an online service is also likely to have a mobile phone.
Most people are much more likely to notice a lost or stolen phone, than a lost or stolen token device...
Good Luck in your solution.