Embedded in all Microsoft Windows server operating systems and in its Azure platform as a service offering is Active Directory; a store of information about all the objects and their attributes that are active within a given Windows network domain. This includes printers, network devices, hardware servers and, most importantly, users.

This storage of user data has led to Active Directory sitting at the core of many organizations identity and access management (IAM) systems. Quocirca research shows that 68% of Europe enterprises use it as the primary source of identity for employees (Digital identities and the open business, Feb 2013).

Active Directory helps with the management of users allowing them to be grouped into organizational units. As it is based around the LDAP (lightweight directory access protocol) standard it is easy to integrate with other tools and applications enabling developers to use Active Directory’s centralized policy and rules to build in access controls.

The dominance of Active Directory has arisen simply because most organizations make extensive use of Microsoft Windows servers and desktops; its use makes sense unless you are running a Microsoft free environment. But, Active Directory is by no means a full identity and access management (IAM) solution and many see the need to extend its use with other tools. The need to do so has become more pressing as many have come to consider identity as one of the most important security controls for IT access as traditional physical boundaries around IT systems have dissolved (see Quocirca report The identity perimeter, Sept 2012).

Basic user security is provided. Active Directory enables checking of supplied credentials against stored user profiles, only then opening up access to resources. However, authenticating these credentials is another thing; this requires deployment of strong authentication techniques to ensure a user really is who they say they are.

Many also see the need to apply further restrictions on what users can do once authenticated. One product that can be used to extend Active Directory in this way is UserLock from IS Decisions. UserLock permits, denies or limits access based on a range of criteria; for example, preventing concurrent logins via a single identity (making it hard to login from multiple devices at the same time or share access credentials), limiting access to certain device types (helping control use of personally owned devices) and limiting network access methods (think Wi-Fi controls). Tools like UserLock also monitor all Active Directory sessions in real time providing flow of information for other IT security tools and a log of access information for audit and forensics.

Another product that builds on Active Directory is Courion Access Insight. It links granular policies around access rights to identities. However, it goes further than this helping to identify orphan accounts (those not associated with a known active user), excessive access rights and the over-granting of privileges. Access Insight also provides reporting capabilities that specifically help minimise access related risk and enables compliance reporting.

IS Decisions and Courion, like many tools, are often used to extend controls in a purely Microsoft Windows environment. What if you want to extend the use of Active Directory beyond Windows?

Tools such as Quest Authentication Services (owned by Dell since 2012) and Centrify DirectControl (now known as Delinea) allow the user details stored in Active Directory to be used in non-Windows environments including Linux, UNIX and Mac OS. These tools can also be used for single sign on (SSO), where they are joined in a burgeoning market for access control by other vendors, these now include easy to provision cloud-based SSO services such as Ping Identity’s PingOne and CA Technologies SiteMinder.

Whilst some want to extend Active Directory to other environments others want to federate alternative sources of identity with Active Directory; Ping and CA Technologies. both enable this. Such federation is becoming even more necessary as increasing numbers of organizations open up their IT systems to external users. Quocirca’s Digital identity and the open business report shows that customer and partner directories, membership lists of professional bodies, government databases and social media (especially for interacting with consumers) are all sources of identity being federated with Active Directory.

In fact the problem of real time identity management has become such a large scale data management challenge that the need for high speed middleware for processing identities in real time has arisen. This need is served by vendors like Radiant Logic whose Hadoop-based RadiantOne product sits between identity sources such as Active Directory and identity consumers such as the SSO tools described earlier; Radiant Logic also enables federate identity management.

Knowing who your users are and managing their access rights is central to effective IT security. Active Directory is just the starting point for most organizations when it comes to identity management and controlling and recording what users can do. Few organizations have plans to replace Active Directory but more and more will be extending it use with supplementary tools in 2014 and beyond.

Leave a Reply