Why LDAP & Security Are Critical to Your Success
UBC Certificate in eBusiness Presentation
Wednesday, January 17, 2001
Guy Huntington, President, HVL

 HVL 2001
Presentation Goals
• Understand the critical role that trust plays in achieving modern business models
• Relate this to the challenge of creating, managing and authenticating the identity
• Probe into accepting authorizations between systems, partners and other enterprises
• Take a look at the role of LDAP vs. databases
• See what kinds of tools are out there to do the job
It All Starts With Trust
• Trust is the heart of successful ongoing transactions, relationships and business processes
• In the “old days” it was primarily based on someone you had physical proximity to, or taken on faith from someone you knew
• But what about today?
Trust and E-business
• Billions of interactions occurring around the globe, increasingly with software-based systems, where we may never ever see the face behind the transaction or business process
• A large enterprise may have tens or hundreds of millions of customers (e.g. Wal*Mart, Coke or Pepsi)
• They may have hundreds of thousands of employees (e.g. United Airlines, McDonalds)
• They may have thousands, tens of thousands or more business partners’ employees interacting with the enterprise (e.g. GM)
Interactions Are Fast, Varied and Sensitive
• Interactions often require split-second decision-making (several thousand identity lookups and authentications per second)
• Access can be to many traditional “back-office” systems (shipping, account info, manufacturing, sales/marketing, etc.)
• Customers and business partners are drilling to very sensitive information (e.g. data warehouses containing personal account info.)
Identity Management
• Usually taken for granted
• Identity creation is usually a mixed bag of:
      – Different people doing the creation
      – Different ways of doing the creation
      – Different systems holding the creation
Take “Fred Johnson”
• Fred Johnson – Facilities
• Fred S. Johnson – Parking
• Fjohnson – E-mail
• F. Johnson HR Manager – Payroll
• Fred Johnson Human Resources Manager – HRIS
• Fred Johnston (oops…typo!) – Security
• F. Johnsonn (another typo) – Networks
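The seven records above, reconciled by normalising each system’s rendering of the name and flagging the two typos, as an added example that is not part of the presentation; the records are the slide’s, while the canonical-key rule, the title vocabulary and the 0.85 similarity threshold are assumptions:

```python
# Added example, not from the presentation: reconcile the seven "Fred Johnson"
# records above so the duplicates and the two typos surface. Records are the
# slide's; the canonical-key rule and similarity threshold are assumptions.
import difflib
import re

RECORDS = [  # (system, identity string as that system stores it)
    ("Facilities", "Fred Johnson"),
    ("Parking", "Fred S. Johnson"),
    ("E-mail", "Fjohnson"),
    ("Payroll", "F. Johnson HR Manager"),
    ("HRIS", "Fred Johnson Human Resources Manager"),
    ("Security", "Fred Johnston"),     # typo
    ("Networks", "F. Johnsonn"),       # another typo
]
TITLE_WORDS = {"hr", "human", "resources", "manager"}   # assumed title vocabulary

def canonical_key(raw):
    """Reduce a stored identity string to 'first-initial surname': drop
    titles, middle initials and punctuation; treat a single word such as
    the mailbox name 'Fjohnson' as initial + surname."""
    words = [w for w in re.sub(r"[^a-z ]", " ", raw.lower()).split()
             if w not in TITLE_WORDS]
    if not words:
        return ""
    if len(words) == 1:
        return words[0][0] + " " + words[0][1:]
    return words[0][0] + " " + words[-1]

def reconcile(records, threshold=0.85):
    """Group records whose canonical keys are identical or near-identical.
    groups: canonical key of the first record seen -> systems matched to it.
    flagged: records that matched only fuzzily (probable typos to review)."""
    groups, flagged = {}, []
    for system, raw in records:
        key = canonical_key(raw)
        match = None
        for existing in groups:
            ratio = difflib.SequenceMatcher(None, key, existing).ratio()
            if key == existing or ratio >= threshold:
                match = existing
                if key != existing:
                    flagged.append((system, raw, existing, round(ratio, 2)))
                break
        groups.setdefault(match or key, []).append(system)
    return groups, flagged
```

The flagged list is what an identity administrator would review before the directory entry is treated as authoritative.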
Identity Integrity
• Causes a lot of grief
• Direct cost to the enterprise
• Lost productivity
• Hard to find up-to-date org charts and basic contact info
• Can cost many tens of millions of dollars
Managing the Identity
• Who creates it?
• How do you handle the changes to it?
• The numbers can be staggering
      – 15-30% identity changes
      – 20-30% employee churn in some sectors
      – Thousands to millions of users
• You need to somehow both centralize identity reference and at the same time delegate admin to appropriate levels
Security Lapses
• Time delays for system updates take days, weeks and even months
• Manual processes for updating mean manual errors
      – Wrong people get taken on and off systems
      – Identities entered differently don’t match in systems and access is denied to applications etc.
• Now we have an identity, how do we authenticate it to continue the process of
• “How do I know you’re you?”
Challenges
• What if I don’t know you?
• What if you’ve been passed from one or two portals to my e-business website?
• How do you achieve single sign on to reduce the number of passwords, tokens, smartcards and number of times authentication is
• The answers affect ease of use, trust and manageability of the business models you’re building!
Authentication Basics
• What you know
• What you have
• What you are
Authentication Methods
• Basic authentication
• Certificate authentication
• Form authentication
• Tokens/smart cards
• Biometric authentication
Basic Authentication
• Uses something you know
• Username and password are the most common
• Most common form of
• Can be a lot of problems/challenges in using it
Basic Challenges
• Password cracking programs can guess passwords at over 1.5 million guesses per second to minute
• Passwords are difficult to remember and should be changed frequently
Basic Challenges
• Password lengths are often insecure
• Password storage may not be secure
• Passwords may travel in the
Basic Challenges
• Browsers cache passwords
• Lost password management is very expensive
Certificate Authentication
• Uses public key infrastructure
• Involves use of trusted third parties called “certificate
• Certificates use a couple of different types of encryption to assure identity
• Parties exchange certificates and verify each other
Certificate Challenges
• Managing certificate users can be very demanding, costly and time consuming
• Level of trust may not be appropriate for all your
• Encryption use may require accelerator cards on the authenticating servers
• Browser’s cache certificate
Form Authentication
• Uses an HTML form usually embedded in the internet, intranet or extranet interface
• Can use username and password or some other challenge and response
• Advantage to this method is the browser doesn’t cache the challenge and response
Tokens
• You’ve probably seen or used some tokens many
• This can include driver’s license and social security
• It can also include key fobs with digitally changing
Challenges
• Can be forged or hacked
• People lose them
• Management of the whole process can be daunting
• People get sick of having to carry around so many tokens (just check your wallet for the number of loyalty cards you carry)
Smart Cards
• Use chip technology
• Includes debit cards to financial and medical information cards
• Widely used in Europe
• Gaining momentum in
• Lots and lots of politics involved in setting global
• Often use multi-factor
Smart Card Challenges
• Can be hacked (although it can be harder to do)
• A lot of behind-the-scenes fighting over standards for potentially billions and trillions of dollars in
• Need plant and equipment to
Biometric Authentication
• “James Bond” comes of age
• Includes
      – Finger recognition
      – Fingerprint scans
      – Hand geometry
      – Face geometry
      – Signature recognition
      – Iris and retina recognition
      – Voice recognition
Biometric Authentication
• Price points are dropping quickly below $150, $100 and even much less
• Becoming embedded in chips placed in cell phones, palm pilots and soon watches
• Often used with smart cards and/or other authentication methods such as passwords
Biometric Challenges
• Can have trouble with people having hangovers, colds, etc.
• Still a little pricey for widespread adoption
• Device required to conduct the enrollment and reading
So What Do You Use?
• Probably combinations of all of these!
• You need to think in terms of layers of trust
• Let’s move on to authorization and then come back to view the challenges in providing single sign on, integrating different authentication methods and accepting other parties
Authorization
• This is the second step of the triple A’s (authentication, authorization and auditing)
• How do you authorize?
• How do you integrate authorization mechanisms across an enterprise and between enterprises?
• It isn’t always easy
Daily Sales Report
• Sales rep can view only their own reports
• Managers can view all direct reports’ “reports” and their summaries but not other areas
• Regional managers can view all reports below them, rolled-up summaries but not outside their
• VP, CEO and CFO can view all reports and summaries
Daily Sales Report
• Special exemptions for some identities
      – Individuals, roles, groups,
• Special exemptions for some
      – Specific reports, groups of reports
• Special exemptions based on
      – Hourly, daily, weekly, monthly, seasonally, yearly
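An added evaluator for the Daily Sales Report rules on the two slides above (example code, not the author’s or any vendor’s): the org tree, the auditor group, the coverage exemption and the hour-of-day window are constructed, and only hourly windows of the time-based exemptions are modelled.

```python
# Added example, not from the presentation: the Daily Sales Report rules
# above as an evaluator over a constructed org tree and exemption list.
from datetime import datetime
# uid -> (role, manager uid); roles: rep, manager, regional, vp, ceo, cfo
ORG = {
    "ceo": ("ceo", None), "vp1": ("vp", "ceo"),
    "rm_west": ("regional", "vp1"), "rm_east": ("regional", "vp1"),
    "mgr_a": ("manager", "rm_west"), "mgr_b": ("manager", "rm_east"),
    "rep1": ("rep", "mgr_a"), "rep2": ("rep", "mgr_a"), "rep3": ("rep", "mgr_b"),
}
GROUPS = {"audit_group": {"auditor1"}}   # identities outside the sales org
NOW = datetime(2001, 1, 17, 10, 0)       # constructed: presentation day, 10:00
AFTER_HOURS = NOW.replace(hour=20)

def chain_of_command(uid):
    """uid, its manager, its manager's manager, ... up to the top."""
    while uid is not None:
        yield uid
        uid = ORG[uid][1]

def base_rule(viewer, owner):
    """Role hierarchy from the slide: own report, direct reports,
    everything below a regional manager, everything for VP/CEO/CFO."""
    if viewer not in ORG:
        return False
    role = ORG[viewer][0]
    if role in ("vp", "ceo", "cfo"):
        return True
    if role == "rep":
        return viewer == owner
    if role == "manager":
        return viewer == owner or ORG[owner][1] == viewer
    if role == "regional":
        return viewer in chain_of_command(owner)
    return False

# (subjects: uids/roles/groups, report owners or "*", (start_hour, end_hour) or None)
EXEMPTIONS = [
    ({"audit_group"}, "*", None),      # auditors see every report, any time
    ({"rep2"}, {"rep1"}, (9, 17)),     # rep2 covers rep1's report in office hours
]

def can_view(viewer, owner, when):
    """Base rule first; otherwise grant only if an exemption names the
    viewer (uid, role or group), covers this report and is in its window."""
    if base_rule(viewer, owner):
        return True
    ids = {viewer} | {g for g, members in GROUPS.items() if viewer in members}
    if viewer in ORG:
        ids.add(ORG[viewer][0])
    for subjects, reports, window in EXEMPTIONS:
        if not ids & subjects:
            continue
        if reports != "*" and owner not in reports:
            continue
        if window and not window[0] <= when.hour < window[1]:
            continue
        return True
    return False
```

A manager asking for a report two areas over, or a covering rep asking after hours, is denied by exactly the rule the slide names, which is what an audit log of the decision should record.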
Granularity
• Your infrastructure needs to provide flexibility for different combinations of granularity at both the identity and resource/application level
• Some of this logic is already in your ERPs, HRMSs, data warehouses, CRMs and the rest of your systems
• How do you knit this together both internally and externally?
The Devil Is in the Details
• Potential show-stopper stuff for B2Bs and large internal reengineering
• You’re crossing multiple systems, with little or no authentication and authorization standards
• The information and rules are stored in specific formats, logic and databases, each with their own generally inflexible standards
• You’re also crossing over a lot of political power centers within the enterprise
• Many of the systems requiring authentication/authorization integration use databases/data warehouses
• There are challenges with using databases only
Advantages of Databases
• Maintain state of the transaction
• Excellent for fast writes
      – Wal*Mart updates the DSS at approx. 8.4 million updates per minute
• Great for routine and complex querying
      – Wal*Mart queries the DSS at over 100,000 complex queries a week
• Flexible
Disadvantages of Databases
• Lack standards when it comes to how information is stored
• Not optimized for fast reads
• Generally relational, not hierarchical
Infrastructure “Glue”
• Need to bind together/coordinate the identity management, authentication and authorization components of all the systems
• Has to work exceedingly fast
• Databases are not the best choice in either cost or performance for this application
• Databases may hold the authoritative source of the information, e.g. ERP, HRMS
• That’s why directories come into play
• Optimized for fast reads not
• Excellent for stateless/semi-stateless environments
• Scale relatively easily for replication and fail over
• Operate to standards
• Lightweight Directory Application
• IETF standard
• Built with the internet in mind
• Offspring of X.500
• Provides enough standards to be attractive as a coordinating vehicle for identity management, authentication, authorization and auditing
Putting It All Together
• LDAP directory acts as the coordinating hub for your authentication, identity management, authorization and auditing systems
• Can be Master, Child or both for authoritative source of information
• Store digital certificates, username, password(s), challenge phrases, biometric point info., etc.
• Also store summary info from the CRM or portal info on your business partners
You Want:
• To provide a central integration point
• Something that scales
• To enhance, not reduce, existing security
• To provide end user ease of use
• To quickly integrate systems required by the existing and emerging business
Single Sign On (SSO)
• Need some tools to work with the directory and your systems
• Can be quite complex without the
SSO Challenges
• Coordinate the identity management
• Delegate the identity management where
• Coordinate authentication
• Security compatible with things like TLS/SSL, IPSec, digital certificates, etc.
• Pre- and post-authorization features to hand off to ERPs, NOSs, CRMs, data warehouses, portals and all your other many systems
SSO Challenges
• Maintain state to identify session beginnings and endings
      – Timing out the user
• Store authentication and authorization levels to which the identity is approved to prevent reauthentication unless desired
      – Involves the use of encrypted cookies and application servers
      – Work within a domain and across multiple
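An added example, not from the presentation, of the cookie-based session state described above: a cookie carrying the authenticated level and an idle timeout, checked by a second protected server before it decides whether to pass the user through, step up authentication, or send them to log in. The key, timeout, level numbers and claim names are assumptions, and the cookie is HMAC-signed rather than encrypted, which is enough to show the checks.

```python
# Added example, not from the presentation: a signed SSO cookie that carries
# the authenticated level and an idle timeout, so a second protected server
# can accept the session without re-authenticating the user. Key, timeout and
# level numbers are constructed; the token is integrity-protected (HMAC),
# not encrypted, which suffices to demonstrate the checks.
import base64, binascii, hashlib, hmac, json

SECRET = b"constructed-demo-key-rotate-in-production"   # shared by the SSO servers
IDLE_TIMEOUT = 15 * 60        # seconds before the user is timed out
LEVEL_PASSWORD, LEVEL_TOKEN, LEVEL_CERT = 1, 2, 3   # assumed authentication strengths

def issue(uid, level, now, secret=SECRET):
    """Mint a cookie: canonical JSON claims + hex HMAC-SHA256 tag, base64url."""
    claims = {"uid": uid, "lvl": level, "iat": int(now), "exp": int(now) + IDLE_TIMEOUT}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"." + tag).decode()

def verify(token, now, secret=SECRET):
    """Return the claims if the tag matches and the session is unexpired, else None."""
    try:
        body, tag = base64.urlsafe_b64decode(token.encode()).rsplit(b".", 1)
    except (ValueError, binascii.Error):
        return None          # malformed cookie
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None          # tampered, or minted under another key
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None          # timed out
    return claims

def decide(token, required_level, now):
    """'ok' to pass the user through, 'step-up' when the stored level is
    below what this resource needs, 'login' when there is no valid session."""
    claims = verify(token, now)
    if claims is None:
        return "login"
    return "ok" if claims["lvl"] >= required_level else "step-up"
```

The level check is what lets a resource that needs a certificate or token demand step-up authentication without forcing every password-authenticated user to log in again.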
SSO Challenges
• How are you going to handle managing the authorization rules for who gets to see what when?
• You need tools allowing you to delegate this where required
      – e.g. extranet, portal, departmental level
• How do you integrate your auditing systems with the ERPs, NOSs, firewalls, CRMs, facilities and all your other systems?
Infrastructure Tools
• Without tools, this kind of work is exceedingly complicated, fraught with peril, expensive and time consuming
• Tools must allow you to scale very quickly
• Easy to use
• Flexible to allow you to tailor your authentication, identity management, authorization and auditing just the way you want it and not to someone else’s preconceived idea of what they should be
That’s Where Oblix and Others Come Into Play
• Oblix
• Netegrity
• IBM
• Entrust
• others
Features to Look For
• Deploys relatively quickly
• Delegate identity and authorization rule management to whatever level of granularity makes sense
• Solid identity management
• Gives you great flexibility in post-authentication, authorization and post-authorization actions
Features to Look For
• Flexible in granularity for determining protection of resources/applications
• Flexible in determining auditing requirements to different levels of resources/applications
• Scales easily without performance loss
• Works with most NOSs, directories, ERPs, portals, etc.
Making and Saving Money!
• Your business models will likely be taking advantage of globalization, new economies of scale, new distribution channels, one-to-one and one-to-many marketing, etc.
• Take a second and think about your
Making and Saving Money!
• They’re all heavily dependent on building and passing trust through system integration
• This infrastructure technology I’ve talked about is imperative to achieving your business models
• Without it, you’re in danger of wafting onto dangerous shoals and lacking the competitive edge to deliver your business models anywhere in the world, anytime, anywhere with a high degree of trust and low operating costs
Know Thy Identity!
• Customer
• Business Partner
• Employee
Thanks for Having Me!
• This ends the formal part of the presentation
• I hope I’ve been able to open your eyes as to why you really need to know and use this infrastructure
• Appended to this presentation are some URLs for the presentation itself and other useful resources you may want to pursue
• Contact me at 604-921-6797 or guy@hvl.net
URLs – Presentation
• This presentation is available for HTML and download viewing at
• Also other presentations there on SSO, Password Management, etc.
URLs – Authentication
• Authentication Resources
      – Password portal – http://www.passwordportal.net/
      – Certificates – Security Magazine Jan. 2001 – “Implementing PKI” –
      – Smart Cards – Card Technology.com –
      – Biometrics – Biometric Consortium –
URLs – Security/Encryption
• Security and Encryption
      – A good read – “Secrets and Lies – Digital Security in a Networked World” – Bruce Schneier (Amazon.com link –
      – TLS – IETF Working Group –
URLs – Securing e-Business Vendors
• Infrastructure Vendors
      – Oblix – www.oblix.com
      – Netegrity – http://www.netegrity.com/
      – IBM/Tivoli – http://www.tivoli.com/
      – Entrust – http://www.entrust.com/
URLs – XML/Authentication
• A good read – Nand Mulchandani’s paper “Industry Must Embrace Combination of Open Web Access Standards for True Interoperability” –