This article can also be found in the Premium Editorial Download "Information Security magazine: Lessons learned from good and bad NAC implementations."
Bring Unix, Linux and Mac under the Active Directory umbrella.
And so you have Windows admins and *nix admins and, somehow, someone accounting for those Macs, all managed separately. At audit time, those responsible for each platform have to pull information from disparate systems and demonstrate consistent policies and controls.
"Nobody is worrying if you're really secure, just about keeping the auditors happy, so you just print out a six-foot tall stack of docs," says Peter Giannacopoulos, CEO of security services company Myrmidon Networks. "It's a huge problem, essentially maintaining three separate sets of infrastructure to essentially do the same thing."
One obvious answer is to leverage Active Directory across platforms.
"You already use Windows on the desktop, and have Windows servers," says Tom Kemp, CEO of Centrify, whose DirectControl allows companies to manage *nix and Mac systems through AD. "Why not use that core security DNA, Active Directory, to extend across the non-Microsoft world to provide centralized access control, centralized identify
Compliance across platforms is problematic and labor-intensive. Fragmented authentication and IAM is inefficient and insecure. Expect inconsistent password policies and users with multiple logins and passwords. You have to provision new employees across multiple systems, then deprovision terminated employees, leaving you open to compromise from "ghost" accounts.
"One of the huge advantages of putting Unix, Linux and Windows authentication together in one spot is that when somebody goes out the door, you have a much better chance that all their access will be disabled appropriately, quickly," says Jeff Nielsen, senior product manager for Symark's PowerADvantage.
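The "ghost account" problem described above, as an added example that is not from the article or any of the vendors it names: a reconciliation check that reads an /etc/passwd snapshot and an ldapsearch-style LDIF export of AD user objects, then flags local logins that have no AD account or whose AD account carries the ACCOUNTDISABLE flag. The sample passwd and LDIF data are constructed, and the system-UID cutoff is an assumption.

```python
import re

UF_ACCOUNTDISABLE = 0x0002  # ACCOUNTDISABLE bit of AD's userAccountControl attribute
SYSTEM_UID_MAX = 999        # constructed cutoff: UIDs at or below are system accounts

def parse_ldif(ldif):
    """Map sAMAccountName -> userAccountControl from an ldapsearch-style LDIF dump."""
    accounts = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs[key.strip().lower()] = value.strip()
        if "samaccountname" in attrs:
            accounts[attrs["samaccountname"].lower()] = int(attrs.get("useraccountcontrol", "0"))
    return accounts

def parse_passwd(passwd):
    """Map login -> uid for the human (non-system) accounts in /etc/passwd text."""
    users = {}
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 7 and int(f[2]) > SYSTEM_UID_MAX:
            users[f[0].lower()] = int(f[2])
    return users

def ghost_accounts(passwd, ldif):
    """Return {login: reason} for local accounts that AD no longer vouches for."""
    ad = parse_ldif(ldif)
    findings = {}
    for login in parse_passwd(passwd):
        if login not in ad:
            findings[login] = "no AD account"
        elif ad[login] & UF_ACCOUNTDISABLE:
            findings[login] = "disabled in AD"
    return findings

# Constructed sample input: one live user, one disabled in AD, one local-only leftover.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
bjones:x:1002:1002:Bob Jones:/home/bjones:/bin/bash
contractor7:x:1003:1003:left in 2007:/home/contractor7:/bin/sh"""
SAMPLE_LDIF = """dn: CN=Jane Smith,OU=Users,DC=example,DC=com
sAMAccountName: jsmith
userAccountControl: 512

dn: CN=Bob Jones,OU=Users,DC=example,DC=com
sAMAccountName: bjones
userAccountControl: 514"""
```

Real ldapsearch output may base64-encode some values (`attr:: ...`); this parser assumes plain `attr: value` lines. Running the same check against each Unix, Linux and Mac host's local account file gives the cross-platform deprovisioning evidence the audit asks for.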
Quest Software and Likewise offer products to manage heterogeneous enterprises with AD. Or, you can roll your own or bring in an outside integrator.
"It's not technically difficult at all," says Giannacopoulos. "You can get single sign-on using Active Directory as the main authentication store. On a server level, it's trivial: Enable Kerberos, enable LDAP, do some minor configurations and you're off and running. It works great."
Giannacopoulos says integrating applications, especially homegrown ones, is more complicated. Commercial products add a strong management layer and may become more compelling as companies face a shortage of quality engineers.
Failed audits and serious security incidents may also elevate a commercial solution from "nice to have" to "must have" for some organizations. But companies are more likely to do nothing at all, Giannacopoulos says, because of management's indifference to security and IT fiefdoms.
"Unix guys stay Unix; they don't want to integrate with anything that says Microsoft on it," he says. "Every place I've done Active Directory rollouts maintains separate centralized authentication mechanisms."
This was first published in September 2008