Imagine a bank acquires another bank and merges the two IT departments. Each bank has a user whose userid is CHARLIE on all of that bank’s computers. Merging the two banks’ information security will need a method to distinguish between the two CHARLIEs.
Installing and maintaining agent software on each platform adds administrative overhead and depends on that software staying current and running correctly everywhere it is deployed. Some platforms’ security software doesn’t lend itself easily to interaction with agent software.
RBAC simplifies security administration. Administrators grant whole collections of privileges by making a user a member of a group that has already been granted exactly the privileges needed. This is simpler than trying to grant a new user all the various privileges needed.
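The following is an added example, not code from the article, sketching the RBAC grant model the paragraph describes: privileges attach to roles, users attach to roles, and onboarding or offboarding is one membership change rather than a list of individual grants. The role names, privilege names and the user are constructed sample data.

```python
"""Role-based grants: a user receives a whole privilege set by joining a group.
Added example, not code from the article; roles and privilege names are constructed."""
from __future__ import annotations

# Each role carries exactly the privileges its job needs (constructed sample data).
ROLE_PRIVILEGES: dict[str, frozenset[str]] = {
    "payroll-clerk": frozenset({"read:payroll", "update:payroll"}),
    "auditor": frozenset({"read:payroll", "read:ledger", "read:auditlog"}),
    "operator": frozenset({"restart:batch", "read:joblog"}),
}


class RbacDirectory:
    """Privileges are never granted to a user directly, only through role membership."""

    def __init__(self) -> None:
        self._memberships: dict[str, set[str]] = {}  # user -> roles held

    def add_member(self, user: str, role: str) -> None:
        if role not in ROLE_PRIVILEGES:
            raise KeyError(f"unknown role: {role}")
        self._memberships.setdefault(user, set()).add(role)

    def remove_member(self, user: str, role: str) -> None:
        self._memberships.get(user, set()).discard(role)

    def roles_of(self, user: str) -> frozenset[str]:
        return frozenset(self._memberships.get(user, ()))

    def effective_privileges(self, user: str) -> frozenset[str]:
        """Union of the privileges of every role the user holds."""
        privs: set[str] = set()
        for role in self._memberships.get(user, ()):
            privs |= ROLE_PRIVILEGES[role]
        return frozenset(privs)

    def is_permitted(self, user: str, privilege: str) -> bool:
        return privilege in self.effective_privileges(user)

    def holders_of(self, privilege: str) -> frozenset[str]:
        """Answer the audit question 'who can do X?' without per-user privilege lists."""
        return frozenset(u for u in self._memberships if self.is_permitted(u, privilege))


def lifecycle_demo() -> dict[str, object]:
    """Onboard a clerk, add an audit role temporarily, then revoke it: each step is
    one membership change, and revoking the role removes its privileges all at once."""
    d = RbacDirectory()
    d.add_member("charlie", "payroll-clerk")
    after_onboarding = d.effective_privileges("charlie")
    d.add_member("charlie", "auditor")
    during_audit = d.effective_privileges("charlie")
    d.remove_member("charlie", "auditor")
    after_audit = d.effective_privileges("charlie")
    return {
        "after_onboarding": after_onboarding,
        "during_audit": during_audit,
        "after_audit": after_audit,
        "can_read_auditlog_now": d.is_permitted("charlie", "read:auditlog"),
        "auditlog_readers": d.holders_of("read:auditlog"),
    }
```

`holders_of` is the reviewer's view: because privileges live only on roles, "who can read the audit log?" is answered from role membership instead of by scanning every user's individual grants.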
Upside-down trees, such as the directory tree on your hard drive, permit extensions on the bottom, and don’t require those on the top to know all the details of what those on the bottom are doing. Such trees provide command and control up and down the chain. For example, in UNIX or Windows directory trees, you can add new files and sub-directories to a directory, and the directories at the top don’t need to be aware of details in the directories at the bottom. You can also limit access for certain users to just specified parts of the tree.
Upside-down trees also provide uniqueness for names. Instead of two files named paydata, you can have a file named /prod/payroll/October/paydata and /test/payroll/October/paydata.
Observing standards supported on all platforms requires vendors to work together to agree on a standard and then support it. With one exception, getting vendors to agree on such a standard might seem impossible.
The one standard that all the vendors support is called Distributed Computing Environment (DCE). This includes both Lightweight Directory Access Protocol (LDAP) and Kerberos. DCE was developed back when the major computer vendors were IBM and the BUNCH (Burroughs, Univac, NCR, Control Data, and Honeywell). It uses TCP/IP for communication, LDAP to manage information about users, and Kerberos to authenticate users.
LDAP identifies users via a directory or database of user definitions. LDAP servers are organized into an upside-down tree that extends across platforms and provides unique naming of users and files. A well-known example of an LDAP directory is Active Directory on Windows computers. An LDAP server on any platform can interact intelligently with LDAP servers on other platforms within an upside-down tree to provide practical security administration for userids.
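As an added example (not code from the article), the following in-memory directory shows how the tree naming described above resolves the two-CHARLIE problem from the opening paragraph: each bank's users sit under their own subtree, so the full distinguished name is unique even when the userid is not, and a search scoped to one subtree sees only that bank's entries. The DN parser is a toy that assumes plain values with no escaping or multi-valued RDNs; the bank names, users and attributes are constructed.

```python
"""Toy directory modelled on LDAP naming. Added example, not the article's code;
DN handling is simplified (no escaping, no multi-valued RDNs) and data is constructed."""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'uid=charlie,ou=users,dc=banka,dc=example' into (attribute, value)
    pairs, leaf first. Attribute names are case-insensitive in LDAP, so lower them."""
    rdns: list[tuple[str, str]] = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN in {dn!r}: {part!r}")
        rdns.append((attr.lower(), value))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn lies in the subtree rooted at base (base itself included)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


class Directory:
    def __init__(self) -> None:
        self._entries: dict[str, dict[str, str]] = {}

    def add(self, dn: str, **attrs: str) -> None:
        """Names must be unique in the whole tree; a second identical DN is refused."""
        if dn in self._entries:
            raise ValueError(f"entry already exists: {dn}")
        self._entries[dn] = attrs

    def lookup(self, dn: str) -> dict[str, str]:
        return dict(self._entries[dn])

    def search(self, base: str, **filter_attrs: str) -> list[str]:
        """Subtree search: DNs under base whose attributes equal every filter value.
        Limiting base to a subtree is how an administrator's view is confined to it."""
        return sorted(
            dn for dn, attrs in self._entries.items()
            if is_under(dn, base)
            and all(attrs.get(k) == v for k, v in filter_attrs.items())
        )


def build_merged_directory() -> Directory:
    """Both banks keep a user with userid charlie; after the merger each lives under
    its own subtree, so the DN is unique although the uid repeats (constructed data)."""
    d = Directory()
    d.add("uid=charlie,ou=users,dc=banka,dc=example",
          uid="charlie", cn="Charlie Adams", o="Bank A")
    d.add("uid=charlie,ou=users,dc=bankb,dc=example",
          uid="charlie", cn="Charlie Baker", o="Bank B")
    d.add("uid=dana,ou=users,dc=bankb,dc=example",
          uid="dana", cn="Dana Brooks", o="Bank B")
    return d
```

Searching from the root with `uid=charlie` returns two distinct DNs; searching from `dc=banka,dc=example` returns only Bank A's, which is the same scoping mechanism used to limit an administrator to one part of the tree.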
Kerberos is the means of proving each user’s identity and of providing one-time session keys for encryption between platforms. It’s built into Active Directory, provides protection against sniffer programs, and all major platforms support it.
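To make the two properties just named concrete (a per-session key issued for each request, and nothing on the wire that a sniffer could reuse), here is an added, deliberately simplified Kerberos-style ticket exchange. It is not the article's code and not real Kerberos: the KDC, client and service are all in one process, the "encryption" is a standard-library construction (SHA-256 counter-mode keystream plus an HMAC tag) chosen only so the example runs offline, and the realm, principal names, password and service are constructed. The shape of the exchange is the one Kerberos uses: the password never leaves the client, the KDC returns a fresh session key sealed under the client's long-term key plus a ticket sealed under the service's key, and the service learns the session key from the ticket alone.

```python
"""Toy Kerberos-style exchange. Added example, not the article's code and not real
Kerberos cryptography; stdlib-only sealing is used purely so it runs offline."""
import hashlib, hmac, json, os, time

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key or a modified message is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered message")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(plain)


def long_term_key(password: str, realm: str) -> bytes:
    """Kerberos derives a principal's key from its password; PBKDF2 stands in here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 100_000)


class KDC:
    """Holds every principal's long-term key and never sees any password at logon."""

    def __init__(self, realm: str, principals: dict[str, bytes]) -> None:
        self.realm, self.keys = realm, principals

    def issue_ticket(self, client: str, service: str) -> bytes:
        session_key = os.urandom(32)  # fresh for this request only
        ticket = seal(self.keys[service], {"client": client, "key": session_key.hex(),
                                           "expires": time.time() + 300})
        # The reply is readable only by someone holding the client's long-term key.
        return seal(self.keys[client], {"service": service, "key": session_key.hex(),
                                        "ticket": ticket.hex()})


REGISTERED_PASSWORD = "correct horse"  # constructed: what charlie set when enrolled


def run_exchange(password: str, realm: str = "EXAMPLE.COM") -> dict:
    """Client 'charlie' authenticates to service 'payroll'. Returns what each side
    concluded plus every message a sniffer on the network would have captured."""
    service_key = os.urandom(32)
    kdc = KDC(realm, {"charlie": long_term_key(REGISTERED_PASSWORD, realm),
                      "payroll": service_key})
    wire: list[bytes] = []
    # 1. Client requests a ticket; the request carries no password or key.
    reply = kdc.issue_ticket("charlie", "payroll")
    wire.append(reply)
    # 2. Client opens the reply with the key derived locally from the typed password.
    r = unseal(long_term_key(password, realm), reply)  # ValueError if wrong password
    session_key, ticket = bytes.fromhex(r["key"]), bytes.fromhex(r["ticket"])
    # 3. Client presents the ticket plus an authenticator sealed under the session key.
    authenticator = seal(session_key, {"client": "charlie", "time": time.time()})
    wire += [ticket, authenticator]
    # 4. Service opens the ticket with its own key, then the authenticator with the
    #    session key found inside; a match proves the client holds that session key.
    t = unseal(service_key, ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    return {"authenticated": a["client"] == t["client"],
            "client_session_key": session_key.hex(),
            "service_session_key": t["key"],
            "wire": wire}
```

The defender's check is in the `wire` list: neither the password nor the session key appears in anything captured, and a wrong password fails at step 2 on the client without any credential crossing the network. Real deployments also bind the ticket to a principal and address, check authenticator freshness against a replay cache, and use the negotiated encryption types rather than anything like the sealing function above.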
Use of LDAP and Kerberos, universally accepted and implemented standard protocols, is a superior solution. They were first developed on UNIX, and spread to the Internet. Active Directory on Windows is LDAP and supports Kerberos. On the mainframe, z/OS gives you LDAP and Kerberos for free, and they both work with RACF, ACF2, and TopSecret.
Future articles will explain how LDAP and Kerberos work, and practical implementation suggestions for whichever approach you use.