How can virtual directories affect the security of application deployments?
The information an application’s users want to access can frequently be spread across various database applications -- information from an e-commerce application and shipping information from a logistics and supply-chain application, for example -- and it’s usually not appropriate for users to access those applications directly. To get around this problem, applications make use of virtual directories. They provide a way for the application and its users to access data regardless of where it resides. Let’s first answer the question: What is a virtual directory?
A virtual directory receives queries and directs them to the appropriate data sources. The directory presents the returned data to the client application as if it all had been stored in one location. This ability to reach into disparate data stores makes applications easier to deploy, avoids the need to consolidate and synchronize data from different sources and provides security efficiencies.
Presenting information in a consolidated application-specific view without a virtual directory entails using a meta-directory to pull all the information into another purpose-built database that users are granted access to, and which keeps all the data synchronized. This approach is not only costly in terms of development and deployment, but data is only as up to date as the last synchronization. The additional database also needs to be secured, audited and kept compliant with any relevant regulatory requirements.
In contrast, rather than replicating existing data, a virtual directory acts as a proxy to the back-end applications, passing security credentials, accessing live records and transforming data so it is displayed to users in the proper context. It removes the need to create a new security model or change underlying applications, as the security parameters of existing directories and databases can be used. Many virtual directory solutions allow a single security policy to be applied to all back-end applications. This not only reduces management and maintenance costs, but also reduces the complexity of permission and configuration settings, which is always good security practice.
Virtual directories are middleware applications, so they can log all traffic to and from the back-end applications and act as an identity firewall to provide an additional layer of access security for the primary databases. They must, however, be deployed with the same level of fault tolerance as the database applications they interact with. Also, if they’re not created with the proper resource allocation, they may slow the application’s performance.
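The routing, single-policy and logging behaviour described above, sketched as an added example (it is not from the original article or from any vendor's product). The mount table, role names, attribute names and sample records are constructed assumptions.

```python
"""Toy virtual directory: route by namespace, merge live records, filter, audit."""

# Constructed sample data standing in for two separate back-end applications.
ECOMMERCE = {"alice": {"cn": "Alice Ng", "orders": ["A-1001"], "cardToken": "tok-constructed"}}
LOGISTICS = {"alice": {"shipments": ["S-77 in transit"], "warehouseNote": "dock 4"}}

# Hypothetical mount table: namespace suffix -> live lookup against a back end.
MOUNTS = {
    "ou=shop,dc=example,dc=com": ECOMMERCE.get,
    "ou=shipping,dc=example,dc=com": LOGISTICS.get,
}

# One policy for all back ends: role -> attributes that role may read.
POLICY = {
    "customer": {"cn", "orders", "shipments"},
    "support": {"cn", "orders", "shipments", "warehouseNote"},
}

AUDIT = []  # stands in for the directory's audit log sink


def search(requester, role, base_dn, uid):
    """Return the consolidated, policy-filtered view of uid under base_dn."""
    allowed = POLICY.get(role, set())  # unknown role reads nothing
    base = base_dn.replace(" ", "").lower()
    # Customers may only read their own entry; deny before touching a back end.
    if not allowed or (role == "customer" and requester != uid):
        AUDIT.append(("DENY", requester, role, base, uid))
        return {}
    merged = {}
    for suffix, lookup in MOUNTS.items():
        if suffix == base or suffix.endswith("," + base):
            merged.update(lookup(uid) or {})  # read live; no replica is kept
    view = {k: v for k, v in merged.items() if k in allowed}
    AUDIT.append(("ALLOW", requester, role, base, uid, sorted(view)))
    return view


if __name__ == "__main__":
    print(search("alice", "customer", "dc=example,dc=com", "alice"))
    print(search("bob", "customer", "dc=example,dc=com", "alice"))
    print(AUDIT)
```

Neither role ever receives `cardToken`, because the policy is an allow-list applied to the merged view rather than a per-back-end setting.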
Identity management is a fundamental aspect of virtual directory technology, so when you’re deploying an application into a production environment, you should verify that the settings and permissions match your security requirements. Microsoft, Oracle Corp., Radiant Logic Inc. and Quest Software Inc. are some of the leaders in virtual directory solutions, while MyVD Virtual Directory is an open source, Java-based LDAP virtual directory.
This was first published in October 2011