Moving Next-Generation Applications Beyond Antiquated Directory Services

Updated: August 20, 2012

What happens after a user clicks a login button? How do applications decide who can access a system? Where does all the decision-making data live?

In most cases, directory services provide the answers to these questions. The application takes a password and relays it to a directory for verification. After the user's identity is established, the application follows up by asking about group memberships, roles and other related information.

Directory-services software consists of a data store exposed through LDAP (Lightweight Directory Access Protocol), a standard access protocol and information model. There is nothing inherently special about LDAP technology, but nearly every enterprise-class application supports it.

Most of this software was developed in the mid-1990s. While application technology has evolved substantially since then, directory technology has remained relatively unchanged. Unfortunately, what worked adequately with key applications including email, white pages and early intranets can fall short when faced with large external user populations, 99.999 percent uptime and evolving privacy needs.

Meeting Demand: Scalability and Availability

Enterprises today are pushing more and more services to their customers. These services are generally built with some of the same application-server and portal technologies as an internal application. Like their internal counterparts, the new services will call out to directory servers to authenticate and authorize users accessing the system.

The clearest difference is in scale. While a large enterprise may top out at 100,000 users, even a 50-person startup might have millions of external users. This demand requires scalability in both the underlying data store and in the number of concurrent users supported.

All of this scale must be delivered in a way that maximizes uptime. An enterprise user who finds the HR portal down, for instance, will simply try again later to change their payroll deductions, but an external user may delay or find alternatives. Even in cases when transactions aren't being conducted, poor uptime eliminates much of the benefit of what may have been a substantial investment in an external Web presence.

Solving the scale problem is easy. Simply ensure that you're using modern directory software with underlying data storage that has evolved to scale to these levels. Use that software's scaling guides to ensure that you have the right hardware to support the level of transactions in your enterprise.

Uptime problems are always more challenging to address, as applications and users can be very distributed and what's up for one location may not be up for all. Keeping the service up requires examining the network topology, putting directory replicas in the right places and ensuring that applications can take advantage of the redundant technology. Applications that can't take advantage of redundancy will usually require load balancers or a virtual directory to navigate any complexity in the deployment.

Protecting Privacy

Both internal and external users have a higher expectation of privacy today than they did a decade ago.

Ten years ago, email content was routinely stored in clear text on file systems where privileged, shared accounts could have full access to the contents. Today, not only would this be unacceptable, but the email address itself and other pieces of basic user information may also be sensitive, depending on the system.

For example, most directories were designed before spamming and phishing became major concerns. With these threats, even the loss of basic information, such as email addresses, can have privacy implications and open up employees, customers and partners to Internet dangers.

As more data is now being used to make more decisions about what users can and can't do, it has become more likely that potential private data will be stored in a directory. With customers, this often means adding the ability for users to control the privacy of their own information, or at least protect themselves from having their data used by third parties or marketing programs that may now have access to the information living in directories.

Fortunately, many modern directories support strong access controls that can create such privacy flags. What's more, as directories get integrated with next-generation identity services, such as those defined by the Liberty Alliance Project's Identity Governance Framework, many of the decisions will be influenced by the same mature policy frameworks that are driving the next generation of Web authorization.

Security

Besides having a service that can hold enough information, keep that information available 24/7 and protect end-user privacy, any system that is relied on in decisions made about user access needs to have serious thought paid to how well it is secured.

Oddly enough, because directory technology has been around for so long, people assume that it has already been thoroughly vetted to modern security standards. Unfortunately, this isn't always the case. Even when the software can meet these requirements, many original deployments can fail at this from a network, storage or even configuration standpoint.

From a network standpoint, IT managers need to be aware that the contents of LDAP operations are often not encrypted. This means that an LDAP bind request, the operation employed to authenticate a user, can send a plain text password over the wire as part of the request to authenticate. Thankfully every major directory supports SSL (Secure Sockets Layer), which solves much of this problem, but that still hasn't stopped administrators from keeping non-SSL ports open for applications that may not support SSL properly.
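To make the wire-level risk concrete, here is an added example (not code from the article) that decodes a captured LDAPv3 bind request and flags a simple bind sent without TLS, since that message carries the password itself. The sample message and the `tls_in_use` flag are constructed for illustration; a real monitor would take both from the connection.

```python
"""Added example, not from the article: decode a captured LDAPv3 BindRequest and
flag simple binds sent without TLS, which carry the password in the clear."""

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(msg: bytes) -> dict:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version, name, authentication }"""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    if auth_tag == 0x80:                    # simple [0] OCTET STRING: the password itself
        method, plaintext = "simple", len(auth) > 0
    elif auth_tag == 0xA3:                  # sasl [3] SaslCredentials
        method, plaintext = "sasl", False
    else:
        raise ValueError(f"unknown authentication choice 0x{auth_tag:02x}")
    return {"message_id": int.from_bytes(msgid, "big"), "version": int.from_bytes(ver, "big"),
            "dn": dn.decode(), "method": method, "plaintext_password": plaintext}

def tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER encoder, enough to build the sample below (value < 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed sample: message 1, LDAPv3 simple bind as cn=admin,... with a password.
SAMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60,
    tlv(0x02, b"\x03") + tlv(0x04, b"cn=admin,dc=example,dc=com") + tlv(0x80, b"hunter2")))

def audit_bind(msg: bytes, tls_in_use: bool) -> str:
    """Defender's check: a simple bind on a non-TLS connection exposes the password."""
    info = parse_bind_request(msg)
    if info["plaintext_password"] and not tls_in_use:
        return f"ALERT: cleartext simple bind for {info['dn']}"
    return f"ok: {info['method']} bind for {info['dn']}"
```

Calling `audit_bind(SAMPLE_BIND, tls_in_use=False)` reports the alert; the same message on a TLS connection passes.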

Storage can be a serious security risk as well. The storage used by many directory services can be read with a text editor. While passwords and other extremely sensitive information are typically hashed, other information is often not protected on disk other than with basic file permissions. This means that administrators, operators and others with privileged accounts can potentially read or even change user information without going through the logged and monitored channels.

To solve data-storage security risks, IT managers need to ensure that their software has integrated data-security protection, such as secure backups, data encryption and other related technology. Additionally, the underlying operating system needs to be appropriately protected such that privileged users are not able to circumvent controls.
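The storage paragraphs above say passwords are hashed on disk while other attributes are not. This added example (not code from the article) shows what that looks like in a directory export: a `userPassword` stored with the {SSHA} salted SHA-1 scheme used by OpenLDAP and others, how such a value is verified, and an audit that reports entries whose password value carries no hash scheme at all. The LDIF sample is constructed.

```python
"""Added example, not from the article: show what a hashed userPassword looks
like in an LDIF export and audit the export for password values stored in clear."""
import base64
import hashlib
import hmac
import os

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return an RFC 2307-style {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]                # SHA-1 digests are 20 bytes
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())

HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")

def audit_ldif(ldif: str) -> list:
    """Return (dn, finding) pairs for entries whose userPassword carries no hash scheme."""
    findings, dn = [], None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            continue
        if line.startswith("userPassword::"):       # LDIF base64 form, common for hashes
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode()
        elif line.startswith("userPassword:"):
            value = line.split(":", 1)[1].strip()
        else:
            continue
        if not value.startswith(HASHED_SCHEMES):
            findings.append((dn, "userPassword stored in clear"))
    return findings

# Constructed export: mail is readable on disk for both entries; only alice's
# password is hashed, bob's was written straight into the directory.
SAMPLE_LDIF = f"""dn: uid=alice,ou=people,dc=example,dc=com
mail: alice@example.com
userPassword: {ssha_hash("correct horse", salt=b"s4lt")}

dn: uid=bob,ou=people,dc=example,dc=com
mail: bob@example.com
userPassword: bobpass123
"""
```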

Supporting the Next Generation

Legacy infrastructure always presents hurdles to the support of next-generation services. However, being smart and focusing on the gaps presented above will avoid the most common issues.

Scalability and availability can be achieved through the right underlying data storage combined with the right hardware and topology. Privacy needs to be planned around modern-use cases and implemented in ways that clearly map to business privacy policies. Security needs to be from the ground up, starting with the operating system and data storage itself — just securing the protocols using SSL isn't enough.

Together, filling these gaps enables businesses to continue to rely on directory services to support authentication, authorization and other security services across their next generation of applications.

Clayton Donley is the Director of Development for Oracle Identity Management.
