Microsoft Active Directory is a database embedded in all Windows server operating systems and in Windows Azure (Microsoft’s cloud-based platform-as-a-service/PaaS offering). The directory is used to store information about objects and their attributes that are active within a given Windows network domain such as printers, network devices, hardware servers and users.
Because of the storage of user data, Active Directory has come to sit at the heart of many organisations’ identity and access management (IAM) systems; Quocirca research shows that 68% of European enterprises say Active Directory is the primary source of identity for employees (Digital identities and the open business, Feb 2013, sponsored by CA Inc.)
Active Directory helps with the management of users by allowing them to be grouped into organisational units. It is based around the LDAP (lightweight directory access protocol) standard allowing for easy integration with other tools and applications. This enables developers to use Active Directory’s centralised policy and rules to build access controls into their applications.
Active Directory’s dominance has arisen simply because most organisations make extensive use of Microsoft Windows servers and desktops. Why wouldn’t you use it unless your organisation is a Microsoft free environment? However, Active Directory is by no means a full identity and access management system so most organisations extend its use with other tools.
The need to improved identity and access management has become more and more pressing as many have come to consider identity as one of the most important security controls for IT access especially as traditional physical boundaries around IT systems have dissolved (see Quocirca report The identity perimeter, Sept 2012, sponsored by Ping Identity).
Active Directory provides basic user security, checking that credentials supplied match stored user profiles and then opening up access to resources. Authenticating those credentials is another matter; for this organisations need to turn to stronger authentication techniques to ensure a user really is who they say they are.
Many organisations also see the need to apply further restrictions on what users can do once authenticated. One product that can be used to extend Active Directory in this way is UserLock from IS Decisions. UserLock permits, denies or limits access based on a range of criteria; for example, preventing concurrent logins via a single identity (making it hard to share their credentials or use two different devices concurrently), limiting access to certain device types (helping control use of personally owned devices) and limiting network access methods (think Wi-Fi controls). UserLock also monitors all Active Directory sessions in real time providing a flow of information for other IT security tools and a log of access information for audit and forensics.
Another product that builds on Active Directory is Courion Access Insight. It links granular policies around access rights to identities. However, it goes further than this helping to identify orphan accounts (those not associated with a known active user), excessive access rights and the over-granting of privileges. Access Insight also provides reporting capabilities that specifically help minimise access related risks and enables compliance reporting.
IS Decisions and Courion, like many tools, are often used to extend controls in a purely Microsoft Windows environment. What if you want to extend the use of Active Directory beyond Windows?
Tools such as Quest Authentication Services (owned by Dell since Sept 2012) and Centrify DirectControl allow the user details stored in Active Directory to be used in non-Windows environments including Linux, UNIX and Mac OS. These tools can also be used for single sign on (SSO), where they are joined in a burgeoning market for access control by other vendors; these now include easy to provision cloud-based SSO services such as Ping Identity’s PingOne and CA Inc’s SiteMinder.
Whilst some want to extend Active Directory to non-Windows environments others want to federate alternative sources of identity with Active Directory; Ping and CA Inc. both enable this. Such federation is becoming even more necessary as increasing numbers of organisations open up their IT systems to external users. Quocirca’s Digital identity and the open business report shows that customer and partner directories, membership lists of professional bodies, government databases and social media (especially for interacting with consumers) are all sources of identity being federated with Active Directory.
In fact the problem of real time identity management has become such a large scale data management challenge that the need for high speed middleware for processing identities in real time has arisen. This need is served by vendors like Radiant Logic whose Hadoop-based RadiantOne product sits between identity sources such as Active Directory and identity consumers such as the SSO tools described earlier; for many organisations processing identity data is now a big data issue. Radiant Logic also enables federated identity management.
Knowing who your users are and managing their access rights is central to effective IT security. Active Directory is just the starting point for most organisations when it comes to identity management and controlling and recording what users can do. Few organisations have plans to replace Active Directory but more and more will be extending its use with supplementary tools in 2014 and beyond.