Identity interoperability across Windows and Linux is one area of focus highlighted by Microsoft and Novell in their November 2006 partnership announcements.
Even though there is little detail about what Microsoft and Novell will provide, this aspect of the announcement has generated interest. We will discuss the reasons for this interest, explain Microsoft and Novell’s approach as currently understood, discuss the limits of Active Directory and propose Red Hat’s broader vision for the interoperability of security information.
The importance of identity interoperability
Within most organizations, there exists a variety of identity stores. AD for Windows and Exchange, Red Hat Directory server as a backend for an Internet facing portal, Peoplesoft for HR, flatfiles, etc.
Identity information is vital security information needed to give appropriate access and to audit activity, but the heterogeneity of identity stores makes it difficult for IT to secure and efficiently manage its environment while complying with government regulations. This also makes it difficult for end users to log on to applications efficiently.
A well known and much discussed problem, there exist a variety of solutions and approaches to address this security issue. Solutions include federation, meta-directories, virtual directories, provisioning solutions, single-sign-on solutions, centralizing all identity into one store and more.
Among organizations there is a related problem that gathers a similar level of interest - each organization controls its employees or customers’ data in its own datastore, making it difficult to provide a user with a seamless and secure experience moving online amongst different organizations.
Microsoft and Novell’s approach (as currently understood)
Microsoft and Novell have proposed that their partnership will bring organizations benefits in the area of identity interoperability across Windows and Linux. So far this has meant two things.
One approach is to enable an SLE machine to more seamlessly plug into an Active Directory managed network via Samba and other tools. This fits into the "centralize identity in one store (AD)" approach to identity interoperability.
Many organizations want this and for good reason - they can efficiently and centrally manage identity across their environment. Red Hat has also invested in this approach to identity interoperability and has put significant investment in Samba in the upcoming RHEL 5.1.
The second approach, and the one highlighted by the companies in their announcements, is to enable the federation of identity between Active Directory and eDirectory. This is a useful approach for cross-organization identity interoperability, but is not a long-term solution for identity interoperability within an organization. It might be useful short-term to allow an eDirectory deployment within a department or a newly acquired unit to federate to Active Directory, but in the long run organizations will require the identity information itself to be kept in sync and not simply federated.
It is our belief that to Microsoft, "identity interoperability" within an organization means centralizing all identity in Active Directory. It’s unlikely that Microsoft’s partnership with Novell represents a change in strategy here.
The limitations of Active Directory
Why not centralize management for your Unix and Windows world in Active Directory?
Certainly there are benefits to doing so. Active Directory is now a proven, scalable directory; it’s fairly easy to use in managing a Windows domain and a large percentage of organizations are now using Active Directory already for Windows.
Of course, there are the generic reasons why an organization may not want to put all of its eggs into Microsoft’s basket. These include price (the price of the CALs), vendor lock-in, the risks inherent with a lack of diversity in the infrastructure and the drawbacks of closed source solutions.
But in the case of Active Directory, there are more particular concerns:
- First is identity. It’s difficult to interoperate with Active Directory and sometimes this is because Microsoft intends interoperability to be difficult. The difficulties that Samba has encountered make a good case study. Samba is a large dedicated effort that is taking years to enable AD interoperability. Examples of difficulties include proprietary extensions to common standards like Kerberos, required license agreements and the lack of documentation of protocols. Clearly Samba-style interoperability is a boon to customers, but its progress has been delayed. Now Microsoft and Novell may work together here… but this only proves the point. Interoperability with AD will come on Microsoft’s schedule.
- Second is policy. Active Directory is a less robust solution for centralized policy management than it is for identity. Microsoft Group Policy is a powerful way to manage configuration and policy on Windows boxes, but the management interface is quite difficult to use, group policy is hard to extend and if extended it can’t be managed. Some policy is stored in the directory with others in a file on the domain controller which is replicated separately. Making Active Directory the center of identity management will not leave an organization in the best place for the centralized management of policy in a heterogeneous environment.
- Third is audit. Successful audit requires accurate identity. Audit data becomes much more useful when identity can be tied to the policy as specified at the time the audit occurred. Microsoft MOM and Active Directory are not set up to enable this.
Red Hat’s Open Source Architecture applied to Security - interoperable security information
Identity, policy/configuration and audit information (IPA information) are at the core of security. How efficiently and effectively we use this information determines how well we secure our organizations.
But vital identity, policy and audit information is currently stored within multiple, independent applications where it is difficult to analyze and correlate.
As a result, organizations have difficulty:
- forming a complete picture of their security stance
- protecting their organization sufficiently
- efficiently enabling their operations while complying with government regulations and industry best practice
Because of its vital importance, Red Hat believes identity, policy and audit information should be Open, Interoperable and Manageable.
Open means the information is not held as a proprietary value add, but is available to other vendors and applications where possible through standards but always through well documented and openly available protocols.
Interoperable means that systems containing or managing identity, policy and audit information should provide backwards compatibility with existing systems and protocols, assume that infrastructure and systems will always be heterogeneous and provide solutions that help heterogeneous systems work together rather than forcing migration to a single platform or technology.
Manageable means that systems managing this vital security information should be easy to manage centrally or locally (i.e a central server is not required) and should follow the principle of subsidiarity empowering individuals by enabling the delegation of administration to rights to the lowest level possible in an organization.
We have no intention of trying to build a massive new solution from scratch that attempts to realize this broad vision. Rather, it is Red Hat’s intention to work with the community, our customers, our competitors and other vendors to take concrete and useful steps wherever possible using existing solutions and projects.
We can work together to add value right away by making the management of identity, policy and audit easier to do locally and centrally for Linux. If we do this well, the community, organizations, other vendors and Red Hat itself will use and extend our solutions and in this way the broader vision may one day be realized.
First Three Steps
- Centralized Identity Management for RHEL. We will begin with identity on Linux by providing centralized Identity Management for RHEL and applications running on RHEL. This solution will initially consist of an MIT Kerberos 5 server integrated with Red Hat Directory Server and more RHEL packages Kerberized. Making it easy to manage identity on RHEL boxes centrally will help with SOX compliance and administrative burdens. It will also give us a foundation from which to learn and build. Of course, the solution will have to interoperate with Active Directory at the identity level and Red Hat Directory server already provides a synchronization capability for users, passwords and groups.
- Central Authentication Point. We also plan to offer a solution that adds RADIUS to the above enabling organizations to deploy a supported, preconfigured central authentication solution. The idea is that RHEL logins, applications leveraging LDAP and remote access/VPN/wireless using RADIUS can all authenticate through the same solution. Of course, other methods of authentication could be proxied to other solutions, but there would be value from their authentication passing through this central point. The benefits are unified logging, unified management of users and policies in the directory (this would be pretty simple at first but could grow over time) which would result in reduced administration cost and enhanced security.
- Centralized Audit. In RHEL 5, we have made key security audit data centrally available in real-time on a particular RHEL box. We are planning to put this same real-time interface in front of syslog and enable both sets of audit data to be collected from many RHEL boxes in a central repository.
Initial efforts around policy are underway and more details will be described in a later blog.
Identity management and identity interoperability are important - so important that organizations should not look to Active Directory to be the center of identity management and interoperability for their organization.
Identity is just one leg of a three-legged stool of vital security information: identity, policy and audit. All three must be made interoperable and interrelated.
Helping to make this possible is Red Hat’s security vision. We plan to start small by getting our own house in order with regards to the management of security information. But, with your help, we plan to build this in an open, interoperable and extensible way that will help realize the broader vision.
We invite you to join us.