What are the pros and cons of using stand-alone authentication that is not Active Directory-based?

BROWSE BY TAG Identity Management and Access Control,   Password Management and Policy,   Enterprise Identity and Access Management,   Identity Management Technology and Strategy,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Password Management and Policy Two-factor authentication, vigilance foil password theft Group to shed light on secure identity management threats Brute force attacks target Yahoo email accounts Best Identity and Access Management Products Privileged account management critical to data security Making the case for enterprise IAM centralized access control How to prevent brute force webmail attacks Best practices for a privileged access policy to secure user accounts Mature SIMs do more than log aggregation and correlation PCI compliance requirement 2: Defaults Expert Archive: Identity Management and Access Control Enterprise password management policy: Finding the balance How to conduct a periodic user access review for account privileges Options for a mechanical door security system on a server room door Comparing access control mechanisms and identity management techniques User provisioning and SSO for PeopleSoft- and Unix-based products Could someone place a rootkit on an internal network through a router? Should a new user have to confirm an email address to gain access? Can home PCs provide a way for viruses and spyware to enter a corporate LAN? What should an enterprise look for in a password token and a vendor? Using batch files for temporary user access to the local admin group

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary graphical password  (SearchSecurity.com) identity chaos  (SearchSecurity.com) logon  (SearchSecurity.com) masquerade  (SearchSecurity.com) OpenID  (WhatIs.com) salt  (SearchSecurity.com) session replay  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) TACACS  (SearchSecurity.com) war dialer  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The nice thing about directory services, like Active Directory for Windows or LDAP for Unix, is that they centralize access control over all directory members. Usually everybody on a single network or domain is enrolled in the same directory, making it easier to enforce or change authentication policies across the board.

Tools such as Group Policy Objects (GPO) in Active Directory make it easy to enforce consistent authentication polices for all members of the Active Directory domain.

In addition, directory services have centralized reporting features for auditing user activity and for producing access management reports required for compliance with regulations like the Sarbanes-Oxley Act (SOX).

Another nice feature of directory services is they can mesh with two-factor authentication systems – one-time password (OTP) tokens, smart cards and biometrics. For stand-alone systems, such configuration would have to be done on each individual workstation.

Using stand-alone authentication systems makes it harder to centralize access management across an organization. It can lead to inconsistent access management policies on different workstations in a network, which would be chaotic in a large company with many users. It would also make tracking users and their access -- and removing stale accounts -- quite difficult.

The only advantage to standalone authentication systems would be if there were only a few desktops or workstations, as in a small company, or for specialized access that needs to be segregated from the rest of the network. A possible scenario would be a workstation dedicated to high-risk transactions or for unique access to an external network.

Unless the cost of Active Directory is prohibitive because of the size of your business, standalone setups aren't recommended.

More information:

• Which is more secure: card space or user IDs and passwords? Read more.
• Joel Dubin makes complex password requirements simple.