In the late 90s security practitioners thought access control problems would be solved with the ability to consolidate the proliferation of OS and network directories into one "enterprise" directory. We have since found that while the use of meta-directories for
Meta-directories aggregate information from multiple data sources or are combined with logic and filters to move information from one directory storage point to another, while being able to change the pattern (syntax) of the information it is moving. Using aggregated directories (meta-directories) for authentication and access control is risky. If the directory environment is compromised, the single, consolidated directory is a hacker's virtual gold mine. This archaic (from a security and compliance perspective) directory model also requires treating your entire access control environment as a single, broadly defined (a.k.a. open to all users) security zone.
However, meta-directories can be useful in obtaining the granular control of service directories required for compliance with regulations such as Sarbanes-Oxley. In order to comply with an external regulatory audit, it is necessary to be able to isolate end users beyond roles, and to fix responsibility for data inputs and components of financial statements by end-user name. Meta-functionality is best used as the information mover and translator on a per unique end-user population basis. Granular controls are then reached by taking the identity and role information supplied via the meta-directory and using it with identity management and provisioning tools to populate a service directory and perform the granular access controls within an appropriate directory schema.
To identify and control by name who has access to, or who can change the data in a particular data field, use population specific authentication and access service directories. A population is defined in this context as a group of users who have similar authentication and access control requirements. For example, there is no need for a repeat customer who is making an online purchase to be in the same directory, access the same portal, or even be on the same network, as your users in the accounting department. The principle at work here is isolation. The more you isolate any given population of end users, the more you enhance your ability to control their access, use and overall online experience. At the same time you are confounding potential hackers.
Likewise, the opportunity for inappropriate or unintended access decreases when security policy and implementation dictate access control. Add to this the accounting principle of separation of duties, and one can begin to map out the requirements for designing and implementing the appropriate authentication and access control directory framework.
For SOX compliance, first focus on the end users who are contributors to and creators of the information that is landing in the company's financial statements. For a large espresso coffee chain, for example, that would be employees all the way from baristas in the stores, to store managers, regional staff, and corporate office accounting staff, the comptroller, and VP of finance. Merely having this much separation of a population of end-user populations would be a major improvement in some companies where even the janitors have access and are in the same access directories as the comptroller. The question to ponder is whether this is enough isolation from the other employees. Or, should there be further differentiation by job responsibilities within the population, who have contact with the entries on financial statements? Keeping in mind that separation of access rights to applications and specific data can be controlled within the LDAP directory schema, the answer is still yes. In a large company the store level personnel should not be housed in the same access service directory as home office staff. Nor should they be able to see or access, or have other than "read only rights" to any regional or home office financial application, and then only replicated "report only" data, eliminating any opportunity for up-line internal hacking.
Getting access control models right is not easy. It may require a good deal of detailed work for the IT department to implement an appropriate control framework and the result may present an inconvenience for operations staff. However, there are identity management and identity provisioning software tools out there that leverage meta-directory functionality to do things within your ideal framework once and leverage it over time to maintain adequate controls over access to online resources.
About the author
Dennis C. Brewer is the author of Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access published by Wiley. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.