Wednesday, December 12, 2007

LDAP support via sudo in UNIX

An enterprising blogger explains how you no longer need to be limited in how UNIX users are managed, such as storing user accounts in flat files. Using sudo with LDAP lets the administrator use a directory service for security (i.e. authentication/authorization). There are other solutions, but this one is relatively easy and cheap, since sudo is open source and the LDAP functionality is built in.


Thursday, December 6, 2007

Solving the privacy puzzle in a federated identity model

In this article Rosie Lombardi contrasts virtual directories and meta-directories as the central access point options for creating a federated environment for consolidated authentication via the web. A simple overview, but with some good points of discussion: how do governments establish a way for people to gain information and access to services across agencies, states, and other governing systems?

Unique Identifier or FIM?

She quotes Temoshok at the GSA... "I don't want to simplify too much, but governments have two basic choices for this: a national ID or federated identity management system." So, here are the questions that arise.

>> If you have FIM, how do the silos correlate identities without the national ID# to act as the unique identifier?

>> If you have a national ID, how do you facilitate the data sharing? Where do you verify that the national ID is valid? What if the person in question is using the same national ID# with different aliases? You need a silo to set up the "master" national ID list, creating a huge repository of all your citizens. After the initial verification, what about continued information exchange? What if the person moves and the address is not updated? What about national security concerns?

I see virtual directories as offering more to solving these problems than just being easier and less expensive to deploy (the only benefit asserted by James Quin, senior analyst at Info-Tech Research Group, in the article). A virtual directory solution can be used to solve the correlation problem between identities (without the pesky national ID#), impose policy (logic) to alert administrators of suspicious activity (i.e. the same ID# used with several different names/aliases), and update (synchronize) information across systems such as new phone numbers, address changes, or other contact information.
Quin also brings up the question of security. He feels that one meta-directory is more secure (although admittedly the most expensive and complicated to deploy) because there is only one point of failure. With the virtual directory solution, he says, there are multiple points of failure: the virtual directory and all connected sources. How is this not true of the meta-directory system, unless you are planning not to synchronize? And if you don't synchronize, how do you expect to keep the information current? Or perhaps you are not using the virtual directory as the point of access, and are securing the underlying sources behind firewalls, etc.?

"But the virtual directory approach means personal information about citizens resides in many government systems and servers in redundant and potentially inaccurate forms." Here we see a lack of understanding of the functions and features of virtual directories. Virtual directories are perfectly able to perform synchronization services, correlation, identity aggregation, directory replication, and more; they are designed for exactly this problem.

I don't see a downside to virtual directories, I just don't. The more I learn and the more I use virtual directories to solve these problems, the more I love them! Virtual directories can be made just as secure as a meta-directory using SAML, SSL, and ACIs (only if you have a good directory service attached to the front end).
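The three functions the post attributes to virtual directories (correlating identities across silos without a national ID#, alerting when one ID# turns up under different names, and synchronizing attributes back out) in a toy Python layer; this is an added example, not the author's code or any product's, and the two silos, their fields, the id_no values and the name-plus-date-of-birth correlation rule are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records from two government "silos", each with its own
# local uid; "id_no" is a stand-in for a shared national-style identifier.
SILO_A = [  # e.g. a licensing agency (treated as authoritative for address)
    {"uid": "a-100", "name": "Maria  Lopez", "dob": "1980-04-02",
     "addr": "12 Elm St", "id_no": "111-22-3333"},
    {"uid": "a-101", "name": "John Smith", "dob": "1975-11-30",
     "addr": "9 Oak Ave", "id_no": "444-55-6666"},
]
SILO_B = [  # e.g. a benefits agency
    {"uid": "b-7", "name": "maria lopez", "dob": "1980-04-02",
     "addr": "40 Pine Rd", "id_no": "111-22-3333"},
    {"uid": "b-8", "name": "Jon Smyth", "dob": "1975-11-30",
     "addr": "9 Oak Ave", "id_no": "444-55-6666"},
]

def correlation_key(rec):
    """Correlate on normalised name + date of birth, not on a national id."""
    return (" ".join(rec["name"].lower().split()), rec["dob"])

def correlate(*silos):
    """Aggregate every (tag, silo) pair into one virtual identity per key."""
    joined = defaultdict(list)
    for tag, silo in silos:
        for rec in silo:
            joined[correlation_key(rec)].append((tag, rec["uid"]))
    return dict(joined)

def alias_alerts(*silos):
    """Policy check: one id_no seen under several names is flagged for review."""
    names = defaultdict(set)
    for _, silo in silos:
        for rec in silo:
            names[rec["id_no"]].add(correlation_key(rec)[0])
    return {k: sorted(v) for k, v in names.items() if len(v) > 1}

def sync_address(authority, *silos):
    """Push the authoritative address to each correlated record; report changes."""
    master = {correlation_key(r): r["addr"] for r in authority}
    changed = []
    for tag, silo in silos:
        for rec in silo:
            new = master.get(correlation_key(rec))
            if new and rec["addr"] != new:
                changed.append((tag, rec["uid"], rec["addr"], new))
                rec["addr"] = new
    return changed
```

Note that "Jon Smyth" is not correlated with "John Smith" by name, but the shared id_no surfaces the pair in the alias alert for an administrator to resolve.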


Monday, December 3, 2007

Logical Data Models for SOA Information Exchange

See what some say is the major roadblock to SOA deployments and why it doesn't have to be so hard to solve: you need to think about hierarchy, data modeling, object classes, and abstraction (flexibility). If you are used to working with directories, and even more so virtual directories, you will have a leg up on understanding these concepts and how they are useful in simplifying the issues in SOA deployments. It doesn't have to be that bad, REALLY!


SOA in the IdM

Here is a definition of SOA given in the article found at - it's a short, understandable definition:
"SOA. Service-oriented architecture refers to a paradigm that focuses on how you maximize the sharing, reuse and interoperability of distributed corporate resources across your network. And to maximize sharing, reuse, etc., you need a universal middleware environment, an integration fabric, a set of standards. So that comes down to things like the Web services standards." I would add LDAP and SQL to these standards. Don't keep this idea only in the world of external users, the internet, or even the intranet; use these concepts at the data integration level inside your IT deployments, especially in the IdM services space....

Virtual directories are one such middleware component that can accomplish this. SOA is here if you want it, or you can wait until the vendors catch up and start helping you understand how to use their products....

Security and Data Management

Are Identity Management and Data Management starting to overlap in your mind? Then maybe it's because you have dug into the topic deeply enough to see the problems, or maybe you are just losing sight of where the lines are. Certainly some of the issues are the same and have the same solutions, so where is the future of IdM?
